From 053bf1dfb76ef230db162c64a6ed50ebedf67eee Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Sun, 18 Jan 2026 19:39:50 +0200
Subject: [PATCH] Security Fix 7: AttachmentMigrationBleed. Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.

---
 server/attachmentMigration.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/server/attachmentMigration.js b/server/attachmentMigration.js
index d769dde92..318893067 100644
--- a/server/attachmentMigration.js
+++ b/server/attachmentMigration.js
@@ -207,6 +207,19 @@ Meteor.methods({
     if (!this.userId) {
       throw new Meteor.Error('not-authorized');
     }
+
+    const board = ReactiveCache.getBoard(boardId);
+    if (!board) {
+      throw new Meteor.Error('board-not-found');
+    }
+
+    const user = ReactiveCache.getUser(this.userId);
+    const isBoardAdmin = board.hasAdmin(this.userId);
+    const isInstanceAdmin = user && user.isAdmin;
+
+    if (!isBoardAdmin && !isInstanceAdmin) {
+      throw new Meteor.Error('not-authorized', 'You must be a board admin or instance admin to perform this action.');
+    }
 
     return await attachmentMigrationService.migrateBoardAttachments(boardId);
   },
@@ -217,6 +230,11 @@ Meteor.methods({
     if (!this.userId) {
       throw new Meteor.Error('not-authorized');
     }
+
+    const board = ReactiveCache.getBoard(boardId);
+    if (!board || !board.isVisibleBy({ _id: this.userId })) {
+      throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+    }
 
     return attachmentMigrationService.getMigrationProgress(boardId);
   },
@@ -227,6 +245,11 @@ Meteor.methods({
     if (!this.userId) {
       throw new Meteor.Error('not-authorized');
     }
+
+    const board = ReactiveCache.getBoard(boardId);
+    if (!board || !board.isVisibleBy({ _id: this.userId })) {
+      throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+    }
 
     return attachmentMigrationService.getUnconvertedAttachments(boardId);
   },
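Review bot: The first hunk answers a missing board with `board-not-found` but an existing board the caller may not administer with `not-authorized`, so any logged-in user can tell whether an arbitrary boardId exists on the instance; the three read methods further down collapse both cases into `not-authorized`, and the migrate method should match them: `if (!board) { throw new Meteor.Error('not-authorized'); }`. `const isInstanceAdmin = user && user.isAdmin;` evaluates to `undefined` or a user object rather than a boolean, which works in the `!isInstanceAdmin` test but is fragile if the flag is ever logged or returned; `const isInstanceAdmin = Boolean(user && user.isAdmin);` keeps it honest. The method's head is above the hunk, so whether `boardId` is validated with something like `check(boardId, String)` before it reaches `ReactiveCache.getBoard` cannot be confirmed here; if it is not, that validation belongs ahead of the lookup so a non-string value never reaches the query. A one-line comment above the admin test, `// Migration rewrites attachments, so require board admin or instance admin; reads below only require visibility.`, would record why this method's bar differs from the others.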
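Review bot: The board lookup and `isVisibleBy` guard is pasted verbatim into getMigrationProgress, getUnconvertedAttachments and isBoardMigrated (the second hunk here and the two that follow it), so the three methods will drift apart the first time the visibility rule or the error text changes; a single helper defined once above `Meteor.methods` lets each method reduce to `requireVisibleBoard(boardId, this.userId);`. The guard also passes a synthetic `{ _id: this.userId }` instead of the user document; if `isVisibleBy` consults any other user field (instance admin status, for instance) this would silently deny or allow, which is worth confirming against the Boards helper, or else pass `ReactiveCache.getUser(this.userId)` as the migrate method already resolves it. Each method's head, and any `check(boardId, String)` call, lies above its hunk and is not visible here.
```javascript
// … unchanged: imports and attachmentMigrationService setup …

/**
 * Resolve a board the caller is allowed to read.
 * A missing board and a board hidden from this user produce the same
 * 'not-authorized' error, so callers cannot distinguish the two cases.
 * @param {string} boardId - board to resolve
 * @param {string} userId - the calling user's id (this.userId in a method)
 * @returns {object} the board document
 * @throws {Meteor.Error} not-authorized when the board is absent or not visible
 */
function requireVisibleBoard(boardId, userId) {
  const board = ReactiveCache.getBoard(boardId);
  if (!board || !board.isVisibleBy({ _id: userId })) {
    throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
  }
  return board;
}

// … unchanged: Meteor.methods({ …, in getMigrationProgress, getUnconvertedAttachments and isBoardMigrated after the this.userId check: …
    requireVisibleBoard(boardId, this.userId);
```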
@@ -237,6 +260,11 @@ Meteor.methods({
     if (!this.userId) {
       throw new Meteor.Error('not-authorized');
     }
+
+    const board = ReactiveCache.getBoard(boardId);
+    if (!board || !board.isVisibleBy({ _id: this.userId })) {
+      throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
+    }
 
     return attachmentMigrationService.isBoardMigrated(boardId);
   }