humhub / tasks

Intuitive task management tool with many basic and advanced features.

Cannot create a task on profile of another user #256

Open link-transport-mickoz opened 4 months ago

link-transport-mickoz commented 4 months ago

Hello,

I'm trying to create a task on a user profile (a content container belonging to a user\models\User object), but I'm receiving 403 Forbidden:

    {
        "code": 403,
        "message": "You are not allowed to create task!"
    }

I'm authenticating with the bearer token of a user that belongs to the Administrator group. Creating a task on my own profile works through the API. I can also create a task for another user using the UI, but not the API.

Do I have to change some specific permission? If it's not possible, can you suggest a workaround?

ArchBlood commented 3 months ago

Seems to me the following needs updating; note that I have not tested the modifications:

https://github.com/humhub/tasks/blob/25c18da9ee5e061569067925f21b1ab3ffad1317/controllers/rest/TasksController.php#L50-L91

Modification

    public function actionCreate($containerId)
    {
        $containerRecord = ContentContainer::findOne(['id' => $containerId]);
        if ($containerRecord === null) {
            return $this->returnError(404, 'Content container not found!');
        }
        /** @var ContentContainerActiveRecord $container */
        $container = $containerRecord->getPolymorphicRelation();

        // Check if the user is an admin
        $isAdmin = Yii::$app->user->isAdmin();
        $hasPermission = $container->permissionManager->can([CreateTask::class, ManageTasks::class]);

        if (!in_array(get_class($container), Yii::$app->getModule('tasks')->getContentContainerTypes()) ||
            (!$isAdmin && !$hasPermission)) {
            return $this->returnError(403, 'You are not allowed to create task!');
        }

        $taskParams = Yii::$app->request->post('Task', []);

        $taskForm = new TaskForm([
            'cal' => isset($taskParams['cal_mode']) ? $taskParams['cal_mode'] : null,
            'taskListId' => isset($taskParams['task_list_id']) ? $taskParams['task_list_id'] : null,
            'dateFormat' => 'php:Y-m-d',
            'timeFormat' => 'php:H:i',
        ]);
        $taskForm->createNew($container);

        // Bypass the content edit check if the user is an admin
        if (!$isAdmin && !$taskForm->task->content->canEdit()) {
            return $this->returnError(403, 'You are not allowed to edit this task!');
        }

        if ($this->saveTask($taskForm)) {
            return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
        }

        if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
            return $this->returnError(422, 'Validation failed', [
                'taskForm' => $taskForm->getErrors(),
                'task' => $taskForm->task->getErrors(),
            ]);
        } else {
            Yii::error('Could not create validated task.', 'api');
            return $this->returnError(500, 'Internal error while save task!');
        }
    }

If actionCreate() has this issue then actionUpdate() may also have the same issue, so the following may need to be done here as well: https://github.com/humhub/tasks/blob/25c18da9ee5e061569067925f21b1ab3ffad1317/controllers/rest/TasksController.php#L93-L123

Modification

    public function actionUpdate($id)
    {
        $task = Task::findOne(['id' => $id]);
        if (! $task) {
            return $this->returnError(404, 'Task not found!');
        }

        $taskForm = new TaskForm([
            'task' => $task,
            'dateFormat' => 'php:Y-m-d',
            'timeFormat' => 'php:H:i',
        ]);

        // Check if the user is an admin
        $isAdmin = Yii::$app->user->isAdmin();

        // Bypass the content edit check if the user is an admin
        if (!$isAdmin && !$taskForm->task->content->canEdit()) {
            return $this->returnError(403, 'You are not allowed to update this task!');
        }

        if ($this->saveTask($taskForm)) {
            return $this->returnContentDefinition(Task::findOne(['id' => $taskForm->task->id]));
        }

        if ($taskForm->hasErrors() || $taskForm->task->hasErrors()) {
            return $this->returnError(422, 'Validation failed', [
                'taskForm' => $taskForm->getErrors(),
                'task' => $taskForm->task->getErrors(),
            ]);
        } else {
            Yii::error('Could not update validated task.', 'api');
            return $this->returnError(500, 'Internal error while save task!');
        }
    }

link-transport-mickoz commented 2 months ago

Thanks for the reply. Right now, I got it to work by adding a group to the default allowed groups in https://github.com/humhub/tasks/blob/25c18da9ee5e061569067925f21b1ab3ffad1317/permissions/CreateTask.php#L29-L35

    public $defaultAllowedGroups = [
        Space::USERGROUP_OWNER,
        Space::USERGROUP_ADMIN,
        Space::USERGROUP_MODERATOR,
        Space::USERGROUP_MEMBER,
        User::USERGROUP_SELF,
        User::USERGROUP_USER // <--
    ];

Although from what I understand, now every user can create a task.

I'll try your changes and get back to you.
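
The two workarounds in this thread (ArchBlood's admin bypass in actionCreate() and the USERGROUP_USER addition to defaultAllowedGroups) widen access by different amounts. The script below is an added example, not code from humhub/tasks: it models only the group gate of actionCreate() with stand-in constants for User::USERGROUP_SELF and User::USERGROUP_USER, and assumes (a simplification, not HumHub's PermissionManager) that a profile container yields just those two groups.

```php
<?php
// Added example, not humhub/tasks code. Minimal model of the CreateTask group
// gate in actionCreate(); the resolution logic is an assumption for
// illustration and NOT HumHub's real PermissionManager.

const USERGROUP_SELF = 'self';   // stand-in for User::USERGROUP_SELF (profile owner)
const USERGROUP_USER = 'user';   // stand-in for User::USERGROUP_USER (any logged-in user)

// Groups a viewer holds on a user-profile container (assumed model).
function profileGroups(string $viewer, string $owner): array
{
    return $viewer === $owner ? [USERGROUP_SELF, USERGROUP_USER] : [USERGROUP_USER];
}

// Group-based CreateTask check, optionally short-circuited for system
// administrators exactly as the proposed actionCreate() patch does.
function canCreateTask(array $allowedGroups, string $viewer, string $owner, bool $isAdmin, bool $adminBypass): bool
{
    if ($adminBypass && $isAdmin) {
        return true;
    }
    return array_intersect($allowedGroups, profileGroups($viewer, $owner)) !== [];
}

// The three policies compared in the thread: [allowed groups, admin bypass].
$policies = [
    'default (SELF only)'            => [[USERGROUP_SELF], false],
    'workaround A: + USERGROUP_USER' => [[USERGROUP_SELF, USERGROUP_USER], false],
    'workaround B: admin bypass'     => [[USERGROUP_SELF], true],
];

// Constructed users: name => is system administrator. Target profile: carol.
$viewers = ['alice' => true, 'bob' => false];
$owner = 'carol';

foreach ($policies as $name => [$allowed, $bypass]) {
    echo "$name\n";
    foreach ($viewers as $viewer => $isAdmin) {
        $ok = canCreateTask($allowed, $viewer, $owner, $isAdmin, $bypass);
        printf("  %-5s (admin=%s) on %s's profile: %s\n",
            $viewer, $isAdmin ? 'y' : 'n', $owner, $ok ? 'allowed' : '403');
    }
}
```

Under workaround A every authenticated user (bob included) passes the gate for carol's profile, while under workaround B only the administrator does, which is the narrower change if admin-only access is the goal.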

link-transport-mickoz commented 2 months ago

I changed the methods and tested out creating a task. It worked without issues.

Thanks for the help! Do you want to keep this issue open or should I close it?

ArchBlood commented 2 months ago

I believe we should keep it open till a P/R is merged to fix the issue.