Permissiong denied while trying to move tasks, seems strange kind of race condition javascript execution/overriding ....

[aweisshh]

Hi, thanks for your work and your great plugin (that i would like to use in my base workflow). The issue that i'm facing is very hard to track for me, because it occures sometimes and randomly.

When moving a task by drag&drop via bord or bigboard this sometimes failes. As visible result the BoardAjaxController.php throws a 'Permission denied' which is caused by missing attributes:

    if ($values['dst_project_id'] != $values['src_project_id']) {
        list($valid) = $this->taskValidator->validateProjectModification([
            'id' => intval($values['task_id']),
            'project_id' => intval($values['dst_project_id']),
            'swimlane_id' => intval($values['dst_swimlane_id']),
            'column_id' => intval($values['dst_column_id']),
            'category_id' => intval($values['category_id']),
            'owner_id' => intval($values['owner_id']),
        ]);

        if (!$valid) {
            throw new AccessForbiddenException(e('Malformed Request'));

and there is nothing wrong here, because 'src_project_id' and others are really missing.

Why: Normally when visiting the url http://MYSERVERNAME.lan/kanboard/?controller=BoardViewController&action=show&project_id=1 or when visiting the url http://MYSERVERNAME.lan/kanboard/?controller=Bigboard&action=index&plugin=Bigboard and moving a task per drag&dop the

Kanboard.BoardDragAndDrop.prototype.dragAndDrop = function () { ...} 
from your file plugins/Bigboard/assets/BoardDragAndDrop.js  

gets called providing 'src_project_id' and others and everything is and will be FINE :-) which i could verify by adding some debug code to it:

tempAlert('  Bigboard js dragndrop()  ', 5000, '**red**', '20%');

Red div, everything is OK, tasks can be moved

BUT strange enough sometimes (and randomly) the original (drag&drop) code

  'Kanboard.BoardDragAndDrop.prototype.dragAndDrop = function () {..}.'

gets called, which i could verify by adding some debug code to it:

tempAlertkan('  Kanboard.BoardDragAndDrop js dragndrop() called  ', 5000, 'yellow', '22%')

Yellow div, moving the task will FAIL

When this happens the BoardAjaxController.php will get called from the original

'Kanboard.BoardDragAndDrop.prototype.dragAndDrop = function ()  

which (expectably) doesn't have the extended parameters and the Bigboard-BoardAjaxController.php will throw a 'Permission denied' caused by missing attributes.

Cause: ? I'm a little bit lost tracking the overrides furher down, but what i can see is that the Bigboard javascript assets for overriding the original javascript code are really getting loaded and overriding the prototypes of the core-code. See the green div on the left (Kanboard-app-js) and the blue div on top of that (from the bigboard javascript assets).

When the problem occures mostly when cklicking on a link/icon to the board or the bigboard and most times it goes (temporarely) away, if the page gets reloaded(reload by browser)

So i could guess it might be related to and 'old' eventhandler which (maybe?) holds a reference to the original code.... just guessing ... but why is it called anyway..

Bigboard version 1.4.1 is the only plugin installed in this test installation

Application version: 1.2.20
PHP version: 7.4.21
PHP SAPI: apache2handler
HTTP Client: cURL
OS version: Linux 5.10.0-9-amd64
Database driver: mysql
Database version: 10.3.31-MariaDB-1:10.3.31+maria~stretch-log
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0

I would love to give more substanical information on that really strage issue or track it down further, but there isn't at the moment :-(

[TimoStahl]

Unfortunately I dont use Kanboard anymore, therefore I wont improve/change my plugins. But I am open for pull requests.