Skip to content

feat: allow read-only users to assign labels to cards (#590)#7940

Open
guangningsun wants to merge 1 commit into
nextcloud:mainfrom
guangningsun:feat/assign-labels-to-readonly-users
Open

feat: allow read-only users to assign labels to cards (#590)#7940
guangningsun wants to merge 1 commit into
nextcloud:mainfrom
guangningsun:feat/assign-labels-to-readonly-users

Conversation

@guangningsun
Copy link
Copy Markdown

@guangningsun guangningsun commented May 13, 2026

Summary

Fixes #590 — Allow users with read-only board access to assign labels to cards.

Problem

Users with only PERMISSION_READ on a board could not assign labels to cards, even though the board owner intended them to self-manage card labels. The assignLabel() method required PERMISSION_EDIT, which is too restrictive for collaborative workflows.

Solution

Lower the permission check in CardService::assignLabel() from PERMISSION_EDIT to PERMISSION_READ:

- $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
+ $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);

removeLabel() still requires PERMISSION_EDIT, so read-only users can add labels but cannot remove them.

Additional Changes

  • Added 4 unit tests covering permission scenarios:
    • testAssignLabelWithReadPermission — READ-permission user CAN add labels
    • testAssignLabelWithoutReadPermission — no-permission user CANNOT add labels
    • testRemoveLabelRequiresEditPermission — EDIT-permission user CAN remove labels
    • testRemoveLabelWithoutEditPermission — no-permission user CANNOT remove labels

BC Note

This is a backwards-compatible bug fix. Read-only users who previously could not add labels now can, but they still cannot remove labels or modify card content.

Closes #590

@guangningsun
feat: allow read-only users to assign labels to cards
83ed6e4 
Lower the permission check in assignLabel() from PERMISSION_EDIT to
PERMISSION_READ, allowing users with read-only access to add labels
to cards. This is useful when a board owner wants to share cards
with external contributors who should be able to self-assign labels
but not modify card content.

RemoveLabel() still requires PERMISSION_EDIT to prevent read-only
users from removing labels.

Fixes nextcloud#590
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luka-nextcloud luka-nextcloud Awaiting requested review from luka-nextcloud luka-nextcloud is a code owner

@grnd-alt grnd-alt Awaiting requested review from grnd-alt grnd-alt is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Adding tags for users without editing permission [$15]

1 participant

@guangningsun