From 4ce181d17249778094f73d21515f7f863f554743 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Sun, 18 Jan 2026 20:07:12 +0200
Subject: [PATCH] Security Fix 12: FixDuplicateBleed. Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.

---
 server/methods/fixDuplicateLists.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/server/methods/fixDuplicateLists.js b/server/methods/fixDuplicateLists.js
index b673021ec..63d44eedd 100644
--- a/server/methods/fixDuplicateLists.js
+++ b/server/methods/fixDuplicateLists.js
@@ -4,6 +4,7 @@ import Boards from '/models/boards';
 import Lists from '/models/lists';
 import Swimlanes from '/models/swimlanes';
 import Cards from '/models/cards';
+import ReactiveCache from '/imports/reactiveCache';
 
 /**
 * Fix duplicate lists and swimlanes created by WeKan 8.10
@@ -15,6 +16,10 @@ Meteor.methods({
 throw new Meteor.Error('not-authorized');
 }
 
+ if (!ReactiveCache.getUser(this.userId).isAdmin) {
+ throw new Meteor.Error('not-authorized', 'Admin required');
+ }
+
 if (process.env.DEBUG === 'true') {
 console.log('Starting duplicate lists fix for all boards...');
 }
@@ -55,6 +60,11 @@ Meteor.methods({
 throw new Meteor.Error('not-authorized');
 }
 
+ const board = ReactiveCache.getBoard(boardId);
+ if (!board || !board.hasAdmin(this.userId)) {
+ throw new Meteor.Error('not-authorized');
+ }
+
 return fixDuplicateListsForBoard(boardId);
 }
 });
@@ -203,6 +213,10 @@ Meteor.methods({
 throw new Meteor.Error('not-authorized');
 }
 
+ if (!ReactiveCache.getUser(this.userId).isAdmin) {
+ throw new Meteor.Error('not-authorized', 'Admin required');
+ }
+
 const allBoards = Boards.find({}).fetch();
 const report = [];
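Review bot: The new admin check in the `@@ -15,6 +16,10 @@` hunk dereferences `.isAdmin` on the result of `ReactiveCache.getUser(this.userId)` without guarding against a missing user document, so a session whose `userId` no longer matches a user record would fail with a TypeError rather than the intended `Meteor.Error`. Writing it as `if (!ReactiveCache.getUser(this.userId)?.isAdmin) {` keeps the check fail-closed and returns the same `not-authorized` error in that case. The same pattern is repeated in the `@@ -203,6 +213,10 @@` hunk, so the fix applies there too. The enclosing method's signature, and presumably the `this.userId` guard whose throw is the first context line, begin outside this hunk.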
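Review bot: In the `@@ -55,6 +60,11 @@` hunk, `boardId` is passed to `ReactiveCache.getBoard` before anything visible here confirms it is a string; if the method does not already `check(boardId, String)` above (the method body starts outside the hunk), a malformed argument reaches the lookup ahead of the authorization path. Placing `check(boardId, String);` before the lookup, with `import { check } from 'meteor/check';` if the file lacks it, rejects such input with an argument error first. The `!board ||` guard correctly fails closed on a missing board; as a matter of consistency, this is the only one of the three new throws without a reason string, and `throw new Meteor.Error('not-authorized', 'Board admin required');` would align it with the others.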