From e85d3c4f3690a08966b1f3a2fe8f141b79fcfc41 Mon Sep 17 00:00:00 2001
From: kolaente <konrad@kola-entertainments.de>
Date: Wed, 12 Sep 2018 19:56:07 +0200
Subject: [PATCH] Fixed a bug where a user didn't had access to lists which are
 not his own, but part of a namespace he owns

---
 models/list_rights.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/models/list_rights.go b/models/list_rights.go
index 94cf5a1d55a..480d4adf82e 100644
--- a/models/list_rights.go
+++ b/models/list_rights.go
@@ -74,7 +74,7 @@ func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
 		Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
 		Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?",
 			user.ID, r, user.ID, r, l.ID).
-		Get(&List{})
+		Exist(&List{})
 	if err != nil {
 		return false
 	}
@@ -88,9 +88,13 @@ func (l *List) checkListUserRight(user *User, r UserRight) bool {
 		Alias("l").
 		Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
 		Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
-		Where("(ul.user_id = ? AND ul.right = ?) AND l.id = ?",
-			user.ID, r, l.ID).
-		Get(&List{})
+		Join("LEFT", []string{"namespaces", "n"}, "n.id = l.namespace_id").
+		Where("((ul.user_id = ? AND ul.right = ?) " +
+			"OR (un.user_id = ? AND un.right = ?) " +
+			"OR n.owner_id = ?)" +
+			"AND l.id = ?",
+			user.ID, r, user.ID, r, user.ID, l.ID).
+		Exist(&List{})
 	if err != nil {
 		return false
 	}