From 2c4d3fa317db1d271e0e3467b0c1092a3e492631 Mon Sep 17 00:00:00 2001
From: Robert Lebedeu
Date: Mon, 16 Dec 2019 18:10:48 +0100
Subject: [PATCH 1/3] Fix checkBoardAccess authentication check
---
 server/authentication.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/authentication.js b/server/authentication.js
index 9e519fe15..203272804 100644
--- a/server/authentication.js
+++ b/server/authentication.js
@@ -58,7 +58,7 @@ Meteor.startup(() => {
 const board = Boards.findOne({ _id: boardId });
 const normalAccess =
 board.permission === 'public' ||
- board.members.some(e => e.userId === userId).isActive;
+ board.members.some(e => e.userId === userId && e.isActive);
 Authentication.checkAdminOrCondition(userId, normalAccess);
 };
From 40c70c439d3d6ac5a9affe52d386201e7da865b9 Mon Sep 17 00:00:00 2001
From: Robert Lebedeu
Date: Tue, 17 Dec 2019 12:15:06 +0100
Subject: [PATCH 2/3] Allow card creation for board members - Only for members with card add permission
---
 models/cards.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/models/cards.js b/models/cards.js
index 816132fee..496c69b39 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -2003,8 +2003,15 @@ if (Meteor.isServer) {
 req,
 res,
 ) {
- Authentication.checkUserId(req.userId);
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
 const paramBoardId = req.params.boardId;
+ // Check user has permission to add card to the board
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
 const paramListId = req.params.listId;
 const paramParentId = req.params.parentId;
 const currentCards = Cards.find(
From a35df88805410f2028cc9a0235f502d56ee8b87b Mon Sep 17 00:00:00 2001
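Review bot: In server/authentication.js, `board` is dereferenced on the `board.permission` context line without checking that `Boards.findOne({ _id: boardId })` returned a document, so an unknown `boardId` would raise a TypeError before `Authentication.checkAdminOrCondition` runs instead of producing a clean authorization failure. Folding the existence test into the condition keeps the deny path uniform: `const normalAccess = !!board && (board.permission === 'public' || board.members.some(e => e.userId === userId && e.isActive));`. Because the corrected predicate changes who passes this gate, a regression test covering an active member, an inactive member and a non-member would pin the intended behaviour. The enclosing function starts above the hunk, so an earlier guard may already exist there.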
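Review bot: In models/cards.js the new permission check is made against the board named by `req.params.boardId`, while `paramListId` and `paramParentId` are read from the URL independently, and nothing visible in the hunk confirms that the list belongs to that board. Since this commit widens the route to board members, the handler should look the list up by both `_id: paramListId` and `boardId: paramBoardId` and refuse the request when no such list exists, so that write access to one board cannot be applied to a list elsewhere. The checklist route in models/checklists.js has the same gap between `:boardId` and `paramCardId`. The handler continues past the hunk, so such a check may already exist further down.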
From: Robert Lebedeu
Date: Tue, 17 Dec 2019 12:15:41 +0100
Subject: [PATCH 3/3] Allow checklist creation for board members - Only for members with checklist add permission
---
 models/checklists.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/models/checklists.js b/models/checklists.js
index 3b50cda66..11aba71bb 100644
--- a/models/checklists.js
+++ b/models/checklists.js
@@ -283,8 +283,15 @@ if (Meteor.isServer) {
 'POST',
 '/api/boards/:boardId/cards/:cardId/checklists',
 function(req, res) {
- Authentication.checkUserId(req.userId);
-
+ // Check user is logged in
+ Authentication.checkLoggedIn(req.userId);
+ const paramBoardId = req.params.boardId;
+ // Check user has permission to add checklist to the card
+ const board = Boards.findOne({
+ _id: paramBoardId
+ });
+ const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+ Authentication.checkAdminOrCondition(req.userId, addPermission);
 const paramCardId = req.params.cardId;
 const id = Checklists.insert({
 title: req.body.title,
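Review bot: The name `allowIsBoardMemberCommentOnly` reads as if it admitted comment-only members, yet in models/checklists.js its result is stored in `addPermission` and used as the write gate for creating checklists; the helper is defined outside this patch, so its polarity cannot be confirmed here. A one-line comment above the call would settle it for the next reader, for example `// true only for board members who are not comment-only (verify against the helper)`. It is also worth confirming that the helper returns a falsy value when `Boards.findOne` finds no board, because `board` is passed to it unchecked. The same two points apply to the identical block added in models/cards.js.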