diff options
-rw-r--r-- | models/cards.js | 9 | ||||
-rw-r--r-- | models/checklists.js | 11 | ||||
-rw-r--r-- | server/authentication.js | 2 |
3 files changed, 18 insertions, 4 deletions
diff --git a/models/cards.js b/models/cards.js index 816132fe..496c69b3 100644 --- a/models/cards.js +++ b/models/cards.js @@ -2003,8 +2003,15 @@ if (Meteor.isServer) { req, res, ) { - Authentication.checkUserId(req.userId); + // Check user is logged in + Authentication.checkLoggedIn(req.userId); const paramBoardId = req.params.boardId; + // Check user has permission to add card to the board + const board = Boards.findOne({ + _id: paramBoardId + }); + const addPermission = allowIsBoardMemberCommentOnly(req.userId, board); + Authentication.checkAdminOrCondition(req.userId, addPermission); const paramListId = req.params.listId; const paramParentId = req.params.parentId; const currentCards = Cards.find( diff --git a/models/checklists.js b/models/checklists.js index 3b50cda6..11aba71b 100644 --- a/models/checklists.js +++ b/models/checklists.js @@ -283,8 +283,15 @@ if (Meteor.isServer) { 'POST', '/api/boards/:boardId/cards/:cardId/checklists', function(req, res) { - Authentication.checkUserId(req.userId); - + // Check user is logged in + Authentication.checkLoggedIn(req.userId); + const paramBoardId = req.params.boardId; + // Check user has permission to add checklist to the card + const board = Boards.findOne({ + _id: paramBoardId + }); + const addPermission = allowIsBoardMemberCommentOnly(req.userId, board); + Authentication.checkAdminOrCondition(req.userId, addPermission); const paramCardId = req.params.cardId; const id = Checklists.insert({ title: req.body.title, diff --git a/server/authentication.js b/server/authentication.js index 9e519fe1..20327280 100644 --- a/server/authentication.js +++ b/server/authentication.js @@ -58,7 +58,7 @@ Meteor.startup(() => { const board = Boards.findOne({ _id: boardId }); const normalAccess = board.permission === 'public' || - board.members.some(e => e.userId === userId).isActive; + board.members.some(e => e.userId === userId && e.isActive); Authentication.checkAdminOrCondition(userId, normalAccess); }; |