diff --git a/server/attachmentMigration.js b/server/attachmentMigration.js
index d769dde92..318893067 100644
--- a/server/attachmentMigration.js
+++ b/server/attachmentMigration.js
@@ -207,6 +207,19 @@ Meteor.methods({
 if (!this.userId) {
 throw new Meteor.Error('not-authorized');
 }
+
+ const board = ReactiveCache.getBoard(boardId);
+ if (!board) {
+ throw new Meteor.Error('board-not-found');
+ }
+
+ const user = ReactiveCache.getUser(this.userId);
+ const isBoardAdmin = board.hasAdmin(this.userId);
+ const isInstanceAdmin = user && user.isAdmin;
+
+ if (!isBoardAdmin && !isInstanceAdmin) {
+ throw new Meteor.Error('not-authorized', 'You must be a board admin or instance admin to perform this action.');
+ }
 return await attachmentMigrationService.migrateBoardAttachments(boardId);
 },
@@ -217,6 +230,11 @@ Meteor.methods({
 if (!this.userId) {
 throw new Meteor.Error('not-authorized');
 }
+
+ const board = ReactiveCache.getBoard(boardId);
+ if (!board || !board.isVisibleBy({ _id: this.userId })) {
+ throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+ }
 return attachmentMigrationService.getMigrationProgress(boardId);
 },
@@ -227,6 +245,11 @@ Meteor.methods({
 if (!this.userId) {
 throw new Meteor.Error('not-authorized');
 }
+
+ const board = ReactiveCache.getBoard(boardId);
+ if (!board || !board.isVisibleBy({ _id: this.userId })) {
+ throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+ }
 return attachmentMigrationService.getUnconvertedAttachments(boardId);
 },
@@ -237,6 +260,11 @@ Meteor.methods({
 if (!this.userId) {
 throw new Meteor.Error('not-authorized');
 }
+
+ const board = ReactiveCache.getBoard(boardId);
+ if (!board || !board.isVisibleBy({ _id: this.userId })) {
+ throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+ }
 return attachmentMigrationService.isBoardMigrated(boardId);
 }
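Review bot: In the first hunk the `board-not-found` error is thrown before any authorization check, so any logged-in user can probe arbitrary `boardId` values and learn which boards exist, whereas the three read-only hunks below deliberately collapse "missing" and "forbidden" into the same `not-authorized` error. For the migration method, which is the most privileged of the four, the same oracle-free behaviour is preferable: `throw new Meteor.Error('not-authorized');` in place of `throw new Meteor.Error('board-not-found');`, with the admin check then deciding the outcome. The method's signature and any argument validation are above the hunk, so I cannot tell whether `boardId` is checked to be a string before it reaches `ReactiveCache.getBoard`; if it is not, a `check(boardId, String)` guard belongs there. The `user && user.isAdmin` fallback correctly denies when the user document is absent, so the admin branch itself looks sound.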
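Review bot: The visibility guard added in the second hunk is repeated verbatim in the third and fourth hunks, which is three places to keep in sync if the access rule ever changes; a small module-level helper that returns the board (or throws) would let each method become `requireVisibleBoard(boardId, this.userId);`. Note also that the guard hands `isVisibleBy` a bare `{ _id: this.userId }` while the first hunk looks the user up with `ReactiveCache.getUser`; if `isVisibleBy` consults anything beyond `_id` on the object it receives (an admin flag, for instance), the stub will not carry it, so confirm against the board model whether the full user document should be passed instead. Each of these methods begins above its hunk, so argument validation for `boardId` is not visible here.
```javascript
// Resolve a board and enforce read access for the current user, or throw.
// Missing and forbidden boards yield the same error so board IDs cannot be enumerated.
function requireVisibleBoard(boardId, userId) {
  const board = ReactiveCache.getBoard(boardId);
  if (!board || !board.isVisibleBy({ _id: userId })) {
    throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
  }
  return board;
}
// … unchanged: Meteor.methods({ … }) registration …
    requireVisibleBoard(boardId, this.userId);
    return attachmentMigrationService.getMigrationProgress(boardId);
```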