Security Fix 11: CardPubSubBleed.

Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.
This commit is contained in:
Lauri Ojansivu 2026-01-18 20:00:37 +02:00
parent 545566f566
commit 0f5a9c3877


@ -79,16 +79,22 @@ Meteor.publish('card', cardId => {
const userId = Meteor.userId();
const card = ReactiveCache.getCard({ _id: cardId });
if (!card || !card.boardId) {
return [];
}
const board = ReactiveCache.getBoard({ _id: card.boardId });
if (!board || !board.isVisibleBy(userId)) {
return [];
}
// If user has assigned-only permissions, check if they're assigned to this card
if (userId && card && card.boardId) {
const board = ReactiveCache.getBoard({ _id: card.boardId });
if (board && board.members) {
const member = _.findWhere(board.members, { userId: userId, isActive: true });
if (member && (member.isNormalAssignedOnly || member.isCommentAssignedOnly || member.isReadAssignedOnly)) {
// User with assigned-only permissions can only view cards assigned to them
if (!card.assignees || !card.assignees.includes(userId)) {
return []; // Don't publish if user is not assigned
}
if (userId && board.members) {
const member = _.findWhere(board.members, { userId: userId, isActive: true });
if (member && (member.isNormalAssignedOnly || member.isCommentAssignedOnly || member.isReadAssignedOnly)) {
// User with assigned-only permissions can only view cards assigned to them
if (!card.assignees || !card.assignees.includes(userId)) {
return []; // Don't publish if user is not assigned
}
}
}
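Review bot: The new guards in this hunk still call `ReactiveCache.getCard({ _id: cardId })` with the client-supplied argument unchecked, so a non-string `cardId` (an object selector) would reach the `_id` lookup before any visibility test runs; unless the argument is already validated above line 79, add `check(cardId, String);` ahead of the `getCard` call, and likewise in the `popupCardData` hunk below, which has the same shape. The two added early returns would also benefit from a one-line comment pinning their purpose and order, for example `// Visibility gate: card is published only if its board is visible to the caller; the assigned-only filter below narrows further`, so a later edit does not move the assigned-only check ahead of the board check. The `Meteor.publish('card', …)` body begins before and continues after this hunk, so what is actually published once the guards pass is not visible here.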
@ -110,16 +116,22 @@ Meteor.publishRelations('popupCardData', function(cardId) {
const userId = this.userId;
const card = ReactiveCache.getCard({ _id: cardId });
if (!card || !card.boardId) {
return this.ready();
}
const board = ReactiveCache.getBoard({ _id: card.boardId });
if (!board || !board.isVisibleBy(userId)) {
return this.ready();
}
// If user has assigned-only permissions, check if they're assigned to this card
if (userId && card && card.boardId) {
const board = ReactiveCache.getBoard({ _id: card.boardId });
if (board && board.members) {
const member = _.findWhere(board.members, { userId: userId, isActive: true });
if (member && (member.isNormalAssignedOnly || member.isCommentAssignedOnly || member.isReadAssignedOnly)) {
// User with assigned-only permissions can only view cards assigned to them
if (!card.assignees || !card.assignees.includes(userId)) {
return this.ready(); // Don't publish if user is not assigned
}
if (userId && board.members) {
const member = _.findWhere(board.members, { userId: userId, isActive: true });
if (member && (member.isNormalAssignedOnly || member.isCommentAssignedOnly || member.isReadAssignedOnly)) {
// User with assigned-only permissions can only view cards assigned to them
if (!card.assignees || !card.assignees.includes(userId)) {
return this.ready(); // Don't publish if user is not assigned
}
}
}