author | Lauri Ojansivu <x@xet7.org> | 2019-12-20 16:10:26 +0200 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2019-12-20 16:10:26 +0200 |
commit | afe7d4991d09192d416cc1f82c85e5febe22487e (patch) | |
tree | f5cab56a793f3332581b0c4071ad30912fd8a6b6 | |
parent | 2dafde8db9ddbc397e5906aa34cc479c36bf7b3a (diff) | |
parent | 0649add494d31f51378cf40a0416825accc55a8f (diff) | |
Merge branch 'Robert-Lebedeu-master'
-rw-r--r-- | models/cards.js | 9 | ||||
-rw-r--r-- | models/checklists.js | 11 | ||||
-rw-r--r-- | server/authentication.js | 2 |
3 files changed, 18 insertions, 4 deletions
diff --git a/models/cards.js b/models/cards.js
index 816132fe..496c69b3 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -2003,8 +2003,15 @@ if (Meteor.isServer) {
 req,
 res,
 ) {
- Authentication.checkUserId(req.userId);
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
 const paramBoardId = req.params.boardId;
+ // Check user has permission to add card to the board
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
 const paramListId = req.params.listId;
 const paramParentId = req.params.parentId;
 const currentCards = Cards.find(
diff --git a/models/checklists.js b/models/checklists.js
index 3b50cda6..11aba71b 100644
--- a/models/checklists.js
+++ b/models/checklists.js
@@ -283,8 +283,15 @@ if (Meteor.isServer) {
 'POST',
 '/api/boards/:boardId/cards/:cardId/checklists',
 function(req, res) {
- Authentication.checkUserId(req.userId);
-
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
+ const paramBoardId = req.params.boardId;
+ // Check user has permission to add checklist to the card
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
 const paramCardId = req.params.cardId;
 const id = Checklists.insert({
 title: req.body.title,
diff --git a/server/authentication.js b/server/authentication.js
index 9e519fe1..20327280 100644
--- a/server/authentication.js
+++ b/server/authentication.js
@@ -58,7 +58,7 @@ Meteor.startup(() => {
 const board = Boards.findOne({ _id: boardId });
 const normalAccess =
 board.permission === 'public' ||
- board.members.some(e => e.userId === userId).isActive;
+ board.members.some(e => e.userId === userId && e.isActive);
 Authentication.checkAdminOrCondition(userId, normalAccess);
 }; |
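Review bot: The new permission check in the card-creation route authorises against `req.params.boardId` only; `paramListId` and `paramParentId`, read on the lines just below it, are not shown to belong to that board. Unless the rest of the handler (which continues outside the hunk) verifies this, the check can pass for one board while the card is written into a list that belongs to another. Loading the list scoped to the board, for example `const list = Lists.findOne({ _id: paramListId, boardId: paramBoardId });`, and rejecting the request when nothing is found would tie the check to the object being modified. The checklist route in models/checklists.js has the same gap between `paramBoardId` and `paramCardId`.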
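Review bot: The result of `Boards.findOne` is handed to `allowIsBoardMemberCommentOnly` without checking that a board was found, and that helper is not visible here, so whether an unknown `boardId` is denied cleanly or throws depends on code outside the hunk. An explicit guard makes the outcome independent of the helper: `const addPermission = Boolean(board) && allowIsBoardMemberCommentOnly(req.userId, board);`. Even with the guard, an admin would presumably still pass `checkAdminOrCondition` for a board that does not exist, so returning a not-found response before `Checklists.insert` may be the better behaviour. The same lines appear in the models/cards.js hunk.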
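Review bot: `board` is dereferenced on the context lines directly above the fix without a null check, so a `boardId` that matches no document makes `board.permission` throw a TypeError instead of producing an authorisation failure. Guarding the expression keeps the failure mode a plain denial: `const normalAccess = Boolean(board) && (board.permission === 'public' || board.members.some(e => e.userId === userId && e.isActive));`. The enclosing function starts outside the hunk, so an earlier guard may already exist. A regression test for an inactive member on a non-public board would also pin the behaviour this change corrects.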