Security Fix 8: Attachments publication leaks metadata without auth.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !

server/publications/attachments.js

@@ -2,8 +2,35 @@ import Attachments from '/models/attachments';
 import { ObjectID } from 'bson';
 
 Meteor.publish('attachmentsList', function(limit) {
+  const userId = this.userId;
+
+  // Get boards the user has access to
+  const userBoards = ReactiveCache.getBoards({
+    $or: [
+      { permission: 'public' },
+      { members: { $elemMatch: { userId, isActive: true } } }
+    ]
+  }).map(board => board._id);
+
+  if (userBoards.length === 0) {
+    // User has no access to any boards, return empty cursor
+    return this.ready();
+  }
+
+  // Get cards from those boards
+  const userCards = ReactiveCache.getCards({
+    boardId: { $in: userBoards },
+    archived: false
+  }).map(card => card._id);
+
+  if (userCards.length === 0) {
+    // No cards found, return empty cursor
+    return this.ready();
+  }
+
+  // Only return attachments for cards the user has access to
   const ret = ReactiveCache.getAttachments(
-    {},
+    { 'meta.cardId': { $in: userCards } },
     {
       fields: {
         _id: 1,