Security Fix 7: AttachmentMigrationBleed.

Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.
This commit is contained in:
Lauri Ojansivu 2026-01-18 19:39:50 +02:00
parent 146905a459
commit 053bf1dfb7


@ -207,6 +207,19 @@ Meteor.methods({
if (!this.userId) {
throw new Meteor.Error('not-authorized');
}
const board = ReactiveCache.getBoard(boardId);
if (!board) {
throw new Meteor.Error('board-not-found');
}
const user = ReactiveCache.getUser(this.userId);
const isBoardAdmin = board.hasAdmin(this.userId);
const isInstanceAdmin = user && user.isAdmin;
if (!isBoardAdmin && !isInstanceAdmin) {
throw new Meteor.Error('not-authorized', 'You must be a board admin or instance admin to perform this action.');
}
return await attachmentMigrationService.migrateBoardAttachments(boardId);
},
@ -217,6 +230,11 @@ Meteor.methods({
if (!this.userId) {
throw new Meteor.Error('not-authorized');
}
const board = ReactiveCache.getBoard(boardId);
if (!board || !board.isVisibleBy({ _id: this.userId })) {
throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
}
return attachmentMigrationService.getMigrationProgress(boardId);
},
@ -227,6 +245,11 @@ Meteor.methods({
if (!this.userId) {
throw new Meteor.Error('not-authorized');
}
const board = ReactiveCache.getBoard(boardId);
if (!board || !board.isVisibleBy({ _id: this.userId })) {
throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
}
return attachmentMigrationService.getUnconvertedAttachments(boardId);
},
@ -237,6 +260,11 @@ Meteor.methods({
if (!this.userId) {
throw new Meteor.Error('not-authorized');
}
const board = ReactiveCache.getBoard(boardId);
if (!board || !board.isVisibleBy({ _id: this.userId })) {
throw new Meteor.Error('not-authorized', 'You do not have access to this board.');
}
return attachmentMigrationService.isBoardMigrated(boardId);
}
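Review bot: The first hunk answers a missing board with `throw new Meteor.Error('board-not-found')` before any membership check, so any authenticated user can probe which board ids exist, while the three later hunks deliberately collapse "missing" and "not visible" into the same 'not-authorized' error; the first hunk should match them, e.g. `if (!board) { throw new Meteor.Error('not-authorized', 'You do not have access to this board.'); }`, and the admin branch below it can keep its own message. The same four hunks pass `boardId` straight into `ReactiveCache.getBoard(boardId)`; the method bodies start outside these hunks, so if they do not already validate the argument, a `check(boardId, String)` at the top of each method keeps a non-string selector from reaching the lookup. The admin test `user && user.isAdmin` and `board.hasAdmin(this.userId)` are both server-side checks, which is the right place; a short comment naming why both board admins and instance admins may trigger the migration would help the next reader, since the later read-only methods only require visibility.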