* Ensure we delete boards owned by a circle when the circle gets deleted

following the same behavior for users
* make sure findAllByOwner is explicit about the type of ownership
* Move 'PERMISSION_OWNER' to a sane spot
* Fix the annotateAclRetainedAccess missing the owning circle's ACL entry

Signed-off-by: Jos Poortvliet <jospoortvliet@gmail.com>

Author: jospoortvliet

lib/Command/TransferOwnership.php

@@ -70,6 +70,12 @@ protected function configure() {
 				InputOption::VALUE_NONE,
 				'Treat <newOwner> as a team ID (internally stored as a circle ID) instead of a user UID'
 			)
+			->addOption(
+				'from-team',
+				null,
+				InputOption::VALUE_NONE,
+				'Treat <owner> as a team ID (internally stored as a circle ID) instead of a user UID'
+			)
 		;
 	}
 
@@ -79,8 +85,32 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 		$boardId = $input->getArgument('boardId');
 		$remapAssignment = $input->getOption('remap');
 		$toTeam = $input->getOption('to-team');
+		$fromTeam = $input->getOption('from-team');
+		$ownerType = Acl::PERMISSION_TYPE_USER;
 		$newOwnerType = Acl::PERMISSION_TYPE_USER;
 		$teamDisplayName = null;
+		if ($fromTeam) {
+			$ownerType = Acl::PERMISSION_TYPE_CIRCLE;
+		} else {
+			$ownerUserExists = $this->userManager->userExists($owner);
+			$ownerCircleExists = false;
+			if ($this->circlesService->isCirclesEnabled()) {
+				try {
+					$ownerCircleExists = $this->circlesService->getCircle($owner) !== null;
+				} catch (\Throwable $e) {
+					$ownerCircleExists = false;
+				}
+			}
+
+			if ($ownerUserExists && $ownerCircleExists) {
+				$output->writeln('<error>Ambiguous source owner: ' . $owner . ' matches both a user and a team (circle ID). Use --from-team if you mean the team.</error>');
+				return 1;
+			}
+
+			if ($ownerCircleExists && !$ownerUserExists) {
+				$ownerType = Acl::PERMISSION_TYPE_CIRCLE;
+			}
+		}
 		if ($toTeam) {
 			$newOwnerType = Acl::PERMISSION_TYPE_CIRCLE;
 			if ($this->circlesService->isCirclesEnabled()) {
@@ -154,7 +184,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 				return 0;
 			}
 
-			foreach ($this->boardService->transferOwnership($owner, $newOwner, $remapAssignment, $newOwnerType) as $board) {
+			foreach ($this->boardService->transferOwnership($owner, $newOwner, $remapAssignment, $newOwnerType, $ownerType) as $board) {
 				$output->writeln(' - ' . $board->getTitle() . ' transferred');
 			}
 			$output->writeln("<info>All boards from $owner transferred to $newOwnerLabel</info>");

lib/Db/Acl.php

@@ -30,7 +30,6 @@ class Acl extends RelationalEntity {
 	public const PERMISSION_EDIT = 1;
 	public const PERMISSION_SHARE = 2;
 	public const PERMISSION_MANAGE = 3;
-	public const PERMISSION_OWNER = 4;
 
 	public const PERMISSION_TYPE_USER = 0;
 	public const PERMISSION_TYPE_GROUP = 1;

lib/Db/Board.php

@@ -32,6 +32,8 @@
  * @method int | null getExternalId()
  */
 class Board extends RelationalEntity {
+	public const PERMISSION_OWNER = 4;
+
 	protected $title;
 	protected $owner;
 	protected $ownerType = 0;

lib/Db/BoardMapper.php

@@ -295,11 +295,12 @@ public function findAllByUser(string $userId, ?int $limit = null, ?int $offset =
 		return $entries;
 	}
 
-	public function findAllByOwner(string $userId, ?int $limit = null, ?int $offset = null) {
+	public function findAllByOwner(string $ownerId, int $ownerType = Acl::PERMISSION_TYPE_USER, ?int $limit = null, ?int $offset = null): array {
 		$qb = $this->db->getQueryBuilder();
 		$qb->select('*')
 			->from('deck_boards')
-			->where($qb->expr()->eq('owner', $qb->createNamedParameter($userId, IQueryBuilder::PARAM_STR)))
+			->where($qb->expr()->eq('owner', $qb->createNamedParameter($ownerId, IQueryBuilder::PARAM_STR)))
+			->andWhere($qb->expr()->eq('owner_type', $qb->createNamedParameter($ownerType, IQueryBuilder::PARAM_INT)))
 			->orderBy('id');
 		if ($limit !== null) {
 			$qb->setMaxResults($limit);

lib/Listeners/ParticipantCleanupListener.php

@@ -30,7 +30,7 @@ public function __construct(AclMapper $aclMapper, AssignmentMapper $assignmentMa
 
 	public function handle(Event $event): void {
 		if ($event instanceof UserDeletedEvent) {
-			$boards = $this->boardMapper->findAllByOwner($event->getUser()->getUID());
+			$boards = $this->boardMapper->findAllByOwner($event->getUser()->getUID(), Acl::PERMISSION_TYPE_USER);
 			foreach ($boards as $board) {
 				$this->boardMapper->delete($board);
 			}
@@ -44,6 +44,11 @@ public function handle(Event $event): void {
 
 		if ($event instanceof CircleDestroyedEvent) {
 			$circleId = $event->getCircle()->getSingleId();
+			$boards = $this->boardMapper->findAllByOwner($circleId, Acl::PERMISSION_TYPE_CIRCLE);
+			foreach ($boards as $board) {
+				$this->boardMapper->delete($board);
+			}
+
 			$this->cleanupByParticipant(Acl::PERMISSION_TYPE_CIRCLE, $circleId);
 		}
 	}

lib/Service/BoardService.php

@@ -223,7 +223,7 @@ public function create(string $title, string $userId, string $color): Board {
 			'PERMISSION_EDIT' => $permissions[Acl::PERMISSION_EDIT] ?? false,
 			'PERMISSION_MANAGE' => $permissions[Acl::PERMISSION_MANAGE] ?? false,
 			'PERMISSION_SHARE' => $permissions[Acl::PERMISSION_SHARE] ?? false,
-			'PERMISSION_OWNER' => $permissions[Acl::PERMISSION_OWNER] ?? false,
+			'PERMISSION_OWNER' => $permissions[Board::PERMISSION_OWNER] ?? false,
 		]);
 		$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $board, ActivityManager::SUBJECT_BOARD_CREATE, [], $userId);
 		$this->changeHelper->boardChanged($board->getId());
@@ -575,7 +575,7 @@ public function clone(
 			'PERMISSION_EDIT' => $permissions[Acl::PERMISSION_EDIT] ?? false,
 			'PERMISSION_MANAGE' => $permissions[Acl::PERMISSION_MANAGE] ?? false,
 			'PERMISSION_SHARE' => $permissions[Acl::PERMISSION_SHARE] ?? false,
-			'PERMISSION_OWNER' => $permissions[Acl::PERMISSION_OWNER] ?? false,		
+			'PERMISSION_OWNER' => $permissions[Board::PERMISSION_OWNER] ?? false,		
 			]);
 		$this->boardMapper->insert($newBoard);
 
@@ -673,10 +673,10 @@ public function transferBoardOwnership(int $boardId, string $newOwner, bool $cha
 		}
 	}
 
-	public function transferOwnership(string $owner, string $newOwner, bool $changeContent = false, int $newOwnerType = Acl::PERMISSION_TYPE_USER): \Generator {
+	public function transferOwnership(string $owner, string $newOwner, bool $changeContent = false, int $newOwnerType = Acl::PERMISSION_TYPE_USER, int $ownerType = Acl::PERMISSION_TYPE_USER): \Generator {
 		// Validate once up front so invalid targets fail even if no boards match.
 		$this->validateTransferTarget($newOwner, $newOwnerType);
-		$boards = $this->boardMapper->findAllByOwner($owner);
+		$boards = $this->boardMapper->findAllByOwner($owner, $ownerType);
 		foreach ($boards as $board) {
 			yield $this->transferBoardOwnership($board->getId(), $newOwner, $changeContent, $newOwnerType);
 		}
@@ -735,7 +735,7 @@ private function enrichBoards(array $boards, bool $fullDetails = true): array {
 				'PERMISSION_EDIT' => $permissions[Acl::PERMISSION_EDIT] ?? false,
 				'PERMISSION_MANAGE' => $permissions[Acl::PERMISSION_MANAGE] ?? false,
 				'PERMISSION_SHARE' => $permissions[Acl::PERMISSION_SHARE] ?? false,
-				'PERMISSION_OWNER' => $permissions[Acl::PERMISSION_OWNER] ?? false,
+				'PERMISSION_OWNER' => $permissions[Board::PERMISSION_OWNER] ?? false,
 			]);
 
 			if ($fullDetails) {
@@ -760,6 +760,22 @@ private function enrichBoards(array $boards, bool $fullDetails = true): array {
 	private function annotateAclRetainedAccess(Board $board): void {
 		$acls = $board->getAcl() ?? [];
 		foreach ($acls as $acl) {
+			if ($acl->getType() === Acl::PERMISSION_TYPE_GROUP) {
+				$acl->setRetainsAccessViaMembership(true);
+				continue;
+			}
+
+			if ($acl->getType() === Acl::PERMISSION_TYPE_CIRCLE) {
+				if ($board->getOwnerType() === Acl::PERMISSION_TYPE_CIRCLE
+					&& (string)$acl->getParticipant() === $board->getOwner()) {
+					$acl->setRetainsAccessViaMembership(true);
+					continue;
+				}
+
+				$acl->setRetainsAccessViaMembership(true);
+				continue;
+			}
+
 			if ($acl->getType() !== Acl::PERMISSION_TYPE_USER) {
 				$acl->setRetainsAccessViaMembership(false);
 				continue;

lib/Service/PermissionService.php

@@ -116,7 +116,7 @@ public function getPermissions(int $boardId, ?string $userId = null, bool $allow
 	 * Get current user permissions for a board
 	 *
 	 * @param Board $board
-	 * @return array|bool
+	 * @return array<int, bool>
 	 * @internal param $boardId
 	 */
 	public function matchPermissions(Board $board) {
@@ -136,7 +136,7 @@ public function matchPermissions(Board $board) {
 			Acl::PERMISSION_MANAGE => $owner || $this->userCan($acls, Acl::PERMISSION_MANAGE),
 			Acl::PERMISSION_SHARE => ($owner || $this->userCan($acls, Acl::PERMISSION_SHARE))
 				&& (!$this->shareManager->sharingDisabledForUser($this->userId)),
-			Acl::PERMISSION_OWNER => $owner,
+			Board::PERMISSION_OWNER => $owner,
 		];
 	}
 

src/components/board/SharingTabSidebar.vue

@@ -25,7 +25,7 @@
 				</span>
 				<NcActions v-if="board.ownerType === PERMISSION_TYPE_CIRCLE && isBoardOwner" :force-menu="true">
 					<NcActionButton
-						icon="icon-transfer-ownership"
+						icon="icon-user-admin"
 						data-cy="action:permission-owner-self"
 						@click="clickTransferOwner(currentUserUid, PERMISSION_TYPE_USER)">
 						{{ t('deck', 'Transfer ownership to myself') }}
@@ -64,19 +64,19 @@
 						{{ t('deck', 'Can manage') }}
 					</NcActionCheckbox>
 					<NcActionButton v-if="canTransferTo(acl)"
-						icon="icon-transfer-ownership"
+						icon="icon-user-admin"
 						data-cy="action:permission-owner"
 						@click="clickTransferOwner(acl.participant.uid || acl.participant.id, acl.type, acl.participant.displayname || acl.participant.id || acl.participant.uid)">
 						{{ t('deck', 'Transfer ownership') }}
 					</NcActionButton>
 					<NcActionButton v-if="canManage"
 						icon="icon-delete"
 						data-cy="action:acl-delete"
-						:title="acl.type === PERMISSION_TYPE_USER && acl.retainsAccessViaMembership
+						:title="acl.retainsAccessViaMembership
 							? t('deck', 'Board access through group or team membership is retained.')
 							: undefined"
 						@click="clickDeleteAcl(acl)">
-						{{ acl.type === PERMISSION_TYPE_USER && acl.retainsAccessViaMembership
+						{{ acl.retainsAccessViaMembership
 							? t('deck', 'Remove extra permissions')
 							: t('deck', 'Delete') }}
 					</NcActionButton>

tests/integration/import/ImportExportTest.php

@@ -279,7 +279,7 @@ public function assertDatabase(string $owner = 'admin') {
 		$stackMapper = self::getFreshService(StackMapper::class);
 		$cardMapper = self::getFreshService(CardMapper::class);
 
-		$boards = $boardMapper->findAllByOwner($owner);
+		$boards = $boardMapper->findAllByOwner($owner, Acl::PERMISSION_TYPE_USER);
 		$boardNames = array_map(fn ($board) => $board->getTitle(), $boards);
 		self::assertEquals(2, count($boards));
 

tests/unit/Listeners/ParticipantCleanupListenerTest.php

@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Deck\Listeners;
+
+use OCA\Circles\Events\CircleDestroyedEvent;
+use OCA\Circles\Model\Circle;
+use OCA\Deck\Db\Acl;
+use OCA\Deck\Db\AclMapper;
+use OCA\Deck\Db\Assignment;
+use OCA\Deck\Db\AssignmentMapper;
+use OCA\Deck\Db\Board;
+use OCA\Deck\Db\BoardMapper;
+use PHPUnit\Framework\TestCase;
+
+class ParticipantCleanupListenerTest extends TestCase {
+	private AclMapper $aclMapper;
+	private AssignmentMapper $assignmentMapper;
+	private BoardMapper $boardMapper;
+	private ParticipantCleanupListener $listener;
+
+	protected function setUp(): void {
+		parent::setUp();
+		$this->aclMapper = $this->createMock(AclMapper::class);
+		$this->assignmentMapper = $this->createMock(AssignmentMapper::class);
+		$this->boardMapper = $this->createMock(BoardMapper::class);
+		$this->listener = new ParticipantCleanupListener($this->aclMapper, $this->assignmentMapper, $this->boardMapper);
+	}
+
+	public function testCircleDestroyedDeletesCircleOwnedBoardsAndCleansParticipantData(): void {
+		$circleId = 'circle-123';
+
+		$circle = $this->createMock(Circle::class);
+		$circle->expects($this->once())
+			->method('getSingleId')
+			->willReturn($circleId);
+
+		$event = $this->createMock(CircleDestroyedEvent::class);
+		$event->expects($this->once())
+			->method('getCircle')
+			->willReturn($circle);
+
+		$boardOne = new Board();
+		$boardTwo = new Board();
+		$this->boardMapper->expects($this->once())
+			->method('findAllByOwner')
+			->with($circleId, Acl::PERMISSION_TYPE_CIRCLE)
+			->willReturn([$boardOne, $boardTwo]);
+		$this->boardMapper->expects($this->exactly(2))
+			->method('delete');
+
+		$acl = new Acl();
+		$this->aclMapper->expects($this->once())
+			->method('findByParticipant')
+			->with(Acl::PERMISSION_TYPE_CIRCLE, $circleId)
+			->willReturn([$acl]);
+		$this->aclMapper->expects($this->once())
+			->method('delete')
+			->with($acl);
+
+		$assignment = new Assignment();
+		$this->assignmentMapper->expects($this->once())
+			->method('findByParticipant')
+			->with($circleId, Acl::PERMISSION_TYPE_CIRCLE)
+			->willReturn([$assignment]);
+		$this->assignmentMapper->expects($this->once())
+			->method('delete')
+			->with($assignment);
+
+		$this->listener->handle($event);
+	}
+}