Security Fix 5: Read-only roles can still update cards.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
This commit is contained in:
Lauri Ojansivu 2025-12-29 16:47:11 +02:00
parent 198509e760
commit 181f837d8c
6 changed files with 23 additions and 15 deletions


@ -60,6 +60,14 @@ Meteor.startup(() => {
Authentication.checkAdminOrCondition(userId, normalAccess);
};
// Helper function. Will throw an error if the user does not have write access to the board (excludes read-only users).
Authentication.checkBoardWriteAccess = function(userId, boardId) {
Authentication.checkLoggedIn(userId);
const board = ReactiveCache.getBoard(boardId);
const writeAccess = board.members.some(e => e.userId === userId && e.isActive && !e.isNoComments && !e.isCommentOnly && !e.isWorker && !e.isReadOnly && !e.isReadAssignedOnly);
Authentication.checkAdminOrCondition(userId, writeAccess);
};
if (Meteor.isServer) {
if (
process.env.ORACLE_OIM_ENABLED === 'true' ||
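Review bot: `checkBoardWriteAccess` reads `board.members` without first checking that `ReactiveCache.getBoard(boardId)` actually returned a board, so a call with an unknown or malformed boardId would presumably surface as a TypeError inside the auth helper rather than a clean authorization failure; fail closed before the `some()` call with `if (!board) throw new Meteor.Error('not-found', 'Board not found');`. The leading comment also undersells the predicate: besides read-only users it rejects read-assigned-only, comment-only, no-comments and worker members, so a maintainer reading only the comment may reuse the helper for the wrong role set — suggest `// Throws unless the user is an admin or an active board member with full write rights (not read-only, read-assigned-only, comment-only, no-comments or worker).` The enclosing `Meteor.startup` callback begins before the hunk and the `if (Meteor.isServer)` block runs past it.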


@ -13,7 +13,7 @@ allowIsAnyBoardMember = function(userId, boards) {
};
allowIsBoardMemberCommentOnly = function(userId, board) {
return board && board.hasMember(userId) && !board.hasCommentOnly(userId);
return board && board.hasMember(userId) && !board.hasReadOnly(userId) && !board.hasReadAssignedOnly(userId) && !board.hasNoComments(userId);
};
allowIsBoardMemberNoComments = function(userId, board) {
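Review bot: The new condition in `allowIsBoardMemberCommentOnly` drops the `!board.hasCommentOnly(userId)` test, so a comment-only member now passes a rule whose name reads as if it excluded them; nothing on the line records whether that relaxation is intended alongside the new read-only and read-assigned-only exclusions. If it is, a one-line comment above the function would keep the next reader from "fixing" it back: `// Allow rule: board member who may comment; rejects read-only, read-assigned-only and no-comments members (comment-only members are allowed).` Whether `hasMember` also requires the membership to be active cannot be seen from the hunk, since the `has*` helpers are defined elsewhere. `allowIsBoardMemberNoComments` begins on the hunk's last line and continues outside it.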