Diffstat (limited to 'models/cards.js')
-rw-r--r--models/cards.js16
1 files changed, 12 insertions, 4 deletions
diff --git a/models/cards.js b/models/cards.js
index 86d22c53..fac8922c 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -205,7 +205,8 @@ Cards.attachSchema(
},
assignees: {
/**
- * who assignees of the card (user IDs)
+ * who is assignee of the card (user ID),
+ * maximum one ID of assignee in array.
*/
type: [String],
optional: true,
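Review bot: The comment now promises at most one assignee ID, but the schema lines visible here still declare `type: [String]` with only `optional: true`, so nothing shown enforces that limit. If the cap is meant to hold for REST callers as well as the UI, add `maxCount: 1` to this field; the definition continues past the hunk, so confirm it is not already there. The same wording is added to the POST and PUT route JSDoc in the later hunks, where the tag type is still `{string}` although the text describes an array; `{string[]}` would match.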
@@ -1996,15 +1997,22 @@ if (Meteor.isServer) {
* @param {string} description the description of the new card
* @param {string} swimlaneId the swimlane ID of the new card
* @param {string} [members] the member IDs list of the new card
- * @param {string} [assignees] the assignee IDs list of the new card
+ * @param {string} [assignees] the array of maximum one ID of assignee of the new card
* @return_type {_id: string}
*/
JsonRoutes.add('POST', '/api/boards/:boardId/lists/:listId/cards', function(
req,
res,
) {
- Authentication.checkUserId(req.userId);
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
const paramBoardId = req.params.boardId;
+ // Check user has permission to add card to the board
+ const board = Boards.findOne({
+ _id: paramBoardId,
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
const paramListId = req.params.listId;
const paramParentId = req.params.parentId;
const currentCards = Cards.find(
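Review bot: The new permission check authorises against `:boardId` only, while `paramListId` is read from the URL on the following line and nothing visible in this hunk ties that list to the board that was just checked. The handler body continues outside the hunk, so this may already be covered, but if it is not, the list (and the `swimlaneId` from the request) should be looked up with `boardId: paramBoardId` and the request rejected on a mismatch before the card is inserted. Separately, `board` is undefined for an unknown id; unless `allowIsBoardMemberCommentOnly` tolerates that (its body is not shown here), add `if (!board) { JsonRoutes.sendResult(res, { code: 404 }); return; }` before calling it. A short comment stating that the helper is expected to exclude comment-only members would also help, since its name reads the other way.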
@@ -2082,7 +2090,7 @@ if (Meteor.isServer) {
* @param {string} [labelIds] the new list of label IDs attached to the card
* @param {string} [swimlaneId] the new swimlane ID of the card
* @param {string} [members] the new list of member IDs attached to the card
- * @param {string} [assignees] the new list of assignee IDs attached to the card
+ * @param {string} [assignees] the array of maximum one ID of assignee attached to the card
* @param {string} [requestedBy] the new requestedBy field of the card
* @param {string} [assignedBy] the new assignedBy field of the card
* @param {string} [receivedAt] the new receivedAt field of the card