added permission check to StockModule.getChildLocations

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
2026-02-12 08:41:12 +01:00
5 changed files with 50 additions and 46 deletions
--- a/bus/src/main/java/de/srsoftware/umbrella/messagebus/events/ItemEvent.java
+++ b/bus/src/main/java/de/srsoftware/umbrella/messagebus/events/ItemEvent.java
@@ -1,16 +1,15 @@
+/* © SRSoftware 2025 */
 package de.srsoftware.umbrella.messagebus.events;

-import de.srsoftware.umbrella.core.ModuleRegistry;
-import de.srsoftware.umbrella.core.api.Owner;
-import de.srsoftware.umbrella.core.constants.Field;
-import de.srsoftware.umbrella.core.model.*;
-
-import java.util.Collection;
-import java.util.List;
-
 import static de.srsoftware.umbrella.core.constants.Field.*;
 import static de.srsoftware.umbrella.core.model.Translatable.t;

+import de.srsoftware.umbrella.core.ModuleRegistry;
+import de.srsoftware.umbrella.core.api.Owner;
+import de.srsoftware.umbrella.core.model.*;
+import java.util.Collection;
+import java.util.List;
+
 public class ItemEvent extends Event<Item>{
 	public ItemEvent(UmbrellaUser initiator, String module, Item item, EventType type) {
 		super(initiator, module, item, type);
--- a/core/src/main/java/de/srsoftware/umbrella/core/model/Task.java
+++ b/core/src/main/java/de/srsoftware/umbrella/core/model/Task.java
@@ -228,7 +228,8 @@ public class Task implements Mappable {
 		return tags;
 	}

-	public Map<String,Object> toMap(boolean renderMarkdown){
+	@Override
+	public Map<String, Object> toMap() {
 		var map = new HashMap<String,Object>();
 		var memberMap = new HashMap<Long,Map<String,Object>>();
 		if (members != null) for (var entry : members.entrySet()){
@@ -239,7 +240,7 @@ public class Task implements Mappable {
        map.put(PARENT_TASK_ID, parentTaskId);
        map.put(PRIORITY,priority);
        map.put(NAME, name);
-		map.put(DESCRIPTION, renderMarkdown ? mapMarkdown(description) : Map.of(SOURCE,description));
+        map.put(DESCRIPTION, mapMarkdown(description));
        map.put(STATUS, status);
 		map.put(EST_TIME, estimatedTime);
 		map.put(START_DATE,start);
@@ -253,11 +254,6 @@ public class Task implements Mappable {
 		return map;
 	}

-	@Override
-	public Map<String, Object> toMap() {
-		return toMap(true);
-	}
-
 	private int totalPrio() {
 		if (status >= Status.COMPLETE.code()) return 0; // task is done, do no longer highlight
 		int total = priority;
--- a/frontend/src/routes/project/Kanban.svelte
+++ b/frontend/src/routes/project/Kanban.svelte
@@ -2,7 +2,7 @@
    import { onDestroy, onMount } from 'svelte';
    import { useTinyRouter } from 'svelte-tiny-router';

-    import { api, patch, post, eventStream, target } from '../../urls.svelte.js';
+    import { api, eventStream, target } from '../../urls.svelte.js';
    import { error, messages, yikes }  from '../../warn.svelte';
    import { t }             from '../../translations.svelte.js';
    import { user }          from '../../user.svelte.js';
@@ -46,7 +46,11 @@
        }
        task.members[user_id] = { permission: { name : 'ASSIGNEE' }};
        task.members[user.id] = { permission: { name : 'OWNER' }};
-        const resp            = await post(url,task);
+        const resp            = await fetch(url,{
+            credentials : 'include',
+            method      : 'POST',
+            body        : JSON.stringify(task)
+        });
        if (resp.ok) {
            task          = await resp.json();
            task.assignee = user_id;
@@ -65,7 +69,11 @@
        ex.preventDefault();
        var task   = dragged;
        const url  = api(`task/${task.id}`);
-        const resp = await patch(url,{no_index:true});
+        const resp = await fetch(url,{
+            credentials : 'include',
+            method      : 'PATCH',
+            body        : JSON.stringify({no_index:true})
+        });
        delete highlight.archive;
        if (resp.ok){
            yikes();
@@ -81,10 +89,14 @@
        highlight = {};

        if (task.assignee == user_id && task.status == state) return; // no change
-        let data              = {members:{},status:+state}
-        data.members[user_id] = 'ASSIGNEE';
+        let patch              = {members:{},status:+state}
+        patch.members[user_id] = 'ASSIGNEE';
        const url = api(`task/${task.id}`);
-        const resp = await patch(url,data);
+        const resp = await fetch(url,{
+            credentials : 'include',
+            method      : 'PATCH',
+            body        : JSON.stringify(patch)
+        });
        if (resp.ok){
            yikes();
        } else {
@@ -178,8 +190,11 @@
        const url            = api('task/list');
        selector.show_closed = true;
        selector.no_index    = true;
-        selector.rendered    = false;
-        var resp = await post(url,selector);
+        var resp = await fetch(url,{
+            credentials :'include',
+            method      : 'POST',
+            body        : JSON.stringify(selector)
+        });
        if (resp.ok){
            var json = await resp.json();
            for (var task_id of Object.keys(json)) {
@@ -224,7 +239,11 @@
            share   : user_ids
        }
        const url  = api('bookmark');
-        const resp = await post(url,data);
+        const resp = await fetch(url,{
+            credentials : 'include',
+            method      : 'POST',
+            body        : JSON.stringify(data)
+        });
        if (resp.ok) {
            yikes();
            router.navigate('/bookmark');
--- a/stock/src/main/java/de/srsoftware/umbrella/stock/StockModule.java
+++ b/stock/src/main/java/de/srsoftware/umbrella/stock/StockModule.java
@@ -33,12 +33,10 @@ import de.srsoftware.umbrella.core.constants.Text;
 import de.srsoftware.umbrella.core.exceptions.UmbrellaException;
 import de.srsoftware.umbrella.core.model.*;
 import de.srsoftware.umbrella.core.model.Location;
-
-import java.io.IOException;
-import java.util.*;
-
 import de.srsoftware.umbrella.messagebus.events.Event;
 import de.srsoftware.umbrella.messagebus.events.ItemEvent;
+import java.io.IOException;
+import java.util.*;
 import org.json.JSONObject;

 public class StockModule extends BaseHandler implements StockService {
@@ -228,7 +226,8 @@ public class StockModule extends BaseHandler implements StockService {
 	}

 	private boolean getChildLocations(UmbrellaUser user, long parentId, HttpExchange ex) throws IOException {
-		LOG.log(WARNING,"No security check implemented for {0}.getChildLocations(user, parentId, ex)!",getClass().getSimpleName()); // TODO check, that user is allowed to request that location
+		var owner = stockDb.loadLocation(parentId).owner();
+		if (!assigned(owner,user)) throw forbidden("You are not allowed to access items of {owner}", OWNER,owner);
 		return sendContent(ex, stockDb.listChildLocations(parentId).stream().sorted(comparing(l -> l.name().toLowerCase())).map(DbLocation::toMap));
 	}

--- a/task/src/main/java/de/srsoftware/umbrella/task/TaskModule.java
+++ b/task/src/main/java/de/srsoftware/umbrella/task/TaskModule.java
@@ -32,7 +32,6 @@ import de.srsoftware.tools.SessionToken;
 import de.srsoftware.umbrella.core.BaseHandler;
 import de.srsoftware.umbrella.core.ModuleRegistry;
 import de.srsoftware.umbrella.core.api.*;
-import de.srsoftware.umbrella.core.constants.Field;
 import de.srsoftware.umbrella.core.constants.Text;
 import de.srsoftware.umbrella.core.exceptions.UmbrellaException;
 import de.srsoftware.umbrella.core.model.*;
@@ -272,12 +271,6 @@ public class TaskModule extends BaseHandler implements TaskService {
 		return taskList;
 	}

-	private Map<Long,Map<String,Object>> mapTasks(Map<Long,Task> tasks, boolean render){
-		if (render) return mapValues(tasks);
-		return tasks.entrySet().stream()
-				.collect(Collectors.toMap(Map.Entry::getKey,e -> e.getValue().toMap(false)));
-	}
-
 	private boolean newParentIsSubtask(Task task, long newParent) {
 		var parent = taskDb.load(newParent);
 		while (parent != null) {
@@ -429,23 +422,21 @@ public class TaskModule extends BaseHandler implements TaskService {
 		var noIndex      = json.has(NO_INDEX)       && json.get(NO_INDEX)       instanceof Boolean bool  ? bool : false;
 		var projectId    = json.has(PROJECT_ID)     && json.get(PROJECT_ID)     instanceof Number number ? number.longValue() : null;
 		var parentTaskId = json.has(PARENT_TASK_ID) && json.get(PARENT_TASK_ID) instanceof Number number ? number.longValue() : null;
-		var markdown     = !json.has(RENDERED)    || !(json.get(RENDERED)       instanceof Boolean render) || render;
 		if (isSet(projectId)) {
 			if (parentTaskId == null) {
 				var list = taskDb.listRootTasks(projectId, user, showClosed);
-				return sendContent(ex, mapTasks(list,markdown));
+				return sendContent(ex, mapValues(list));
 			}
 			var projectTasks = taskDb.listProjectTasks(projectId, parentTaskId, noIndex);
 			loadMembers(projectTasks.values());
 			var tags = tagService().getTags(TASK,projectTasks.keySet(),user);

 			projectTasks = addTags(projectTasks, tags);
-			return sendContent(ex, mapTasks(projectTasks, markdown));
+			return sendContent(ex, mapValues(projectTasks));
 		}
 		if (isSet(parentTaskId)) return sendContent(ex, mapValues(taskDb.listChildrenOf(parentTaskId, user, showClosed)));
 		var taskIds = json.has(IDS) && json.get(IDS) instanceof JSONArray ids ? ids.toList().stream().map(Object::toString).map(Long::parseLong).toList() : null;
-		var tasks = taskDb.load(taskIds);
-		if (isSet(taskIds)) return sendContent(ex, mapTasks(tasks,markdown));
+		if (isSet(taskIds)) return sendContent(ex, mapValues(taskDb.load(taskIds)));
 		return sendEmptyResponse(HTTP_NOT_IMPLEMENTED, ex);
 	}