summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLauri Ojansivu <x@xet7.org>2019-12-20 16:10:26 +0200
committerLauri Ojansivu <x@xet7.org>2019-12-20 16:10:26 +0200
commitafe7d4991d09192d416cc1f82c85e5febe22487e (patch)
treef5cab56a793f3332581b0c4071ad30912fd8a6b6
parent2dafde8db9ddbc397e5906aa34cc479c36bf7b3a (diff)
parent0649add494d31f51378cf40a0416825accc55a8f (diff)
downloadwekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.gz
wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.bz2
wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.zip
Merge branch 'Robert-Lebedeu-master'
-rw-r--r--models/cards.js9
-rw-r--r--models/checklists.js11
-rw-r--r--server/authentication.js2
3 files changed, 18 insertions, 4 deletions
diff --git a/models/cards.js b/models/cards.js
index 816132fe..496c69b3 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -2003,8 +2003,15 @@ if (Meteor.isServer) {
req,
res,
) {
- Authentication.checkUserId(req.userId);
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
const paramBoardId = req.params.boardId;
+ // Check user has permission to add card to the board
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
const paramListId = req.params.listId;
const paramParentId = req.params.parentId;
const currentCards = Cards.find(
diff --git a/models/checklists.js b/models/checklists.js
index 3b50cda6..11aba71b 100644
--- a/models/checklists.js
+++ b/models/checklists.js
@@ -283,8 +283,15 @@ if (Meteor.isServer) {
'POST',
'/api/boards/:boardId/cards/:cardId/checklists',
function(req, res) {
- Authentication.checkUserId(req.userId);
-
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
+ const paramBoardId = req.params.boardId;
+ // Check user has permission to add checklist to the card
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
const paramCardId = req.params.cardId;
const id = Checklists.insert({
title: req.body.title,
diff --git a/server/authentication.js b/server/authentication.js
index 9e519fe1..20327280 100644
--- a/server/authentication.js
+++ b/server/authentication.js
@@ -58,7 +58,7 @@ Meteor.startup(() => {
const board = Boards.findOne({ _id: boardId });
const normalAccess =
board.permission === 'public' ||
- board.members.some(e => e.userId === userId).isActive;
+ board.members.some(e => e.userId === userId && e.isActive);
Authentication.checkAdminOrCondition(userId, normalAccess);
};