fix(ban): Ensure the ban is from the current room

Signed-off-by: Joas Schilling <coding@schilljs.com>

lib/Controller/BanController.php

@@ -104,7 +104,7 @@ class BanController extends AEnvironmentAwareController {
 	#[PublicPage]
 	#[RequireModeratorParticipant]
 	public function unbanActor(int $banId): DataResponse {
-		$this->banService->findAndDeleteBanById($banId);
+		$this->banService->findAndDeleteBanByIdForRoom($banId, $this->room->getId());
 		return new DataResponse([], Http::STATUS_OK);
 	}
 

lib/Model/BanMapper.php

@@ -52,11 +52,12 @@ class BanMapper extends QBMapper {
 	/**
 	 * @throws DoesNotExistException
 	 */
-	public function findByBanId(int $banId): Ban {
+	public function findByBanIdAndRoom(int $banId, int $roomId): Ban {
 		$query = $this->db->getQueryBuilder();
 		$query->select('*')
 			->from($this->getTableName())
-			->where($query->expr()->eq('id', $query->createNamedParameter($banId, IQueryBuilder::PARAM_INT)));
+			->where($query->expr()->eq('id', $query->createNamedParameter($banId, IQueryBuilder::PARAM_INT)))
+			->andWhere($query->expr()->eq('room_id', $query->createNamedParameter($roomId, IQueryBuilder::PARAM_INT)));
 
 		return $this->findEntity($query);
 	}

lib/Service/BanService.php

@@ -37,7 +37,7 @@ class BanService {
 		if (empty($internalNote)) {
 			throw new \InvalidArgumentException("invalid_internalNote.");
 		}
-		
+
 		if ($bannedTime !== null && !$bannedTime instanceof DateTime) {
 			throw new \InvalidArgumentException("invalid_bannedTime.");
 		}
@@ -97,9 +97,9 @@ class BanService {
 	/**
 	 * Retrieve a ban by its ID and delete it.
 	 */
-	public function findAndDeleteBanById(int $banId): void {
+	public function findAndDeleteBanByIdForRoom(int $banId, int $roomId): void {
 		try {
-			$ban = $this->banMapper->findByBanId($banId);
+			$ban = $this->banMapper->findByBanIdAndRoom($banId, $roomId);
 			$this->banMapper->delete($ban);
 		} catch (DoesNotExistException $e) {
 			// Ban does not exist