Security Fix 5: Read-only roles can still update cards.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
Lauri Ojansivu 2025-12-29 16:47:11 +02:00
parent 198509e760
commit 181f837d8c
6 changed files with 23 additions and 15 deletions


@ -2408,7 +2408,7 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('PUT', '/api/boards/:boardId/labels', function(req, res) {
const id = req.params.boardId;
Authentication.checkBoardAccess(req.userId, id);
Authentication.checkBoardWriteAccess(req.userId, id);
try {
if (req.body.hasOwnProperty('label')) {
const board = ReactiveCache.getBoard(id);
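Review bot: The `Authentication.checkBoardWriteAccess(req.userId, id)` call in the PUT `/api/boards/:boardId/labels` handler sits before the `try`, so what a rejected read-only user receives depends on how that helper signals failure, which this hunk does not show; it is worth confirming that the client gets a clean authorization error rather than an unhandled exception. A one-line comment above the call would make the intent harder to revert, for example `// Mutating route: require write access so read-only roles are rejected.` Since the same kind of check presumably guards the other mutating REST routes, any remaining PUT/POST/DELETE handler that still calls only `checkBoardAccess` deserves the same review, along with a regression test that a read-only member is refused on this route. The handler body continues outside the hunk.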