Merge branch 'master' of https://github.com/wekan/wekan into lib-change

1 files changed, 9 insertions, 2 deletions

diff --git a/models/checklists.js b/models/checklists.js
index 3b50cda6..cf73e500 100644
--- a/models/checklists.js
+++ b/models/checklists.js
@@ -283,8 +283,15 @@ if (Meteor.isServer) {
     'POST',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
-
+      // Check user is logged in
+      Authentication.checkLoggedIn(req.userId);
+      const paramBoardId = req.params.boardId;
+      // Check user has permission to add checklist to the card
+      const board = Boards.findOne({
+        _id: paramBoardId,
+      });
+      const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+      Authentication.checkAdminOrCondition(req.userId, addPermission);
       const paramCardId = req.params.cardId;
       const id = Checklists.insert({
         title: req.body.title,