Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-02-11 18:54:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Try to fix User API.

Browse source 
Thanks to xet7 !

Fixes #4039
This commit is contained in:
Lauri Ojansivu 2023-01-13 21:50:39 +02:00
parent c817deef9e
commit 8092f8be28
9 changed files with 82 additions and 85 deletions
Download patch file Download diff file Expand all files Collapse all files

10
models/boards.js
View file

@ -2002,12 +2002,12 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('GET', '/api/boards/:boardId', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const id = req.params.boardId;
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Boards.findOne({ _id: id }),
data: Boards.findOne({ _id: paramBoardId }),
});
} catch (error) {
JsonRoutes.sendResult(res, {
@ -2120,8 +2120,8 @@ if (Meteor.isServer) {
* @return_type string
*/
JsonRoutes.add('PUT', '/api/boards/:boardId/labels', function(req, res) {
Authentication.checkUserId(req.userId);
const id = req.params.boardId;
Authentication.checkBoardAccess(req.userId, id);
try {
if (req.body.hasOwnProperty('label')) {
const board = Boards.findOne({ _id: id });
@ -2214,8 +2214,8 @@ if (Meteor.isServer) {
* swimlaneId: string}]
*/
JsonRoutes.add('GET', '/api/boards/:boardId/attachments', function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Attachments.files

8
models/cardComments.js
View file

@ -235,9 +235,9 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: CardComments.find({
@ -273,10 +273,10 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments/:commentId',
function (req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: CardComments.findOne({
@ -309,9 +309,9 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments',
function (req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const id = CardComments.direct.insert({
userId: req.body.authorId,
text: req.body.comment,
@ -355,10 +355,10 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments/:commentId',
function (req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
CardComments.remove({
_id: paramCommentId,
cardId: paramCardId,

12
models/cards.js
View file

@ -3202,9 +3202,9 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/swimlanes/:swimlaneId/cards',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramSwimlaneId = req.params.swimlaneId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Cards.find({
@ -3244,9 +3244,9 @@ if (Meteor.isServer) {
req,
res,
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Cards.find({
@ -3281,10 +3281,10 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/lists/:listId/cards/:cardId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Cards.findOne({
@ -3497,10 +3497,10 @@ JsonRoutes.add('GET', '/api/boards/:boardId/cards_count', function(
'PUT',
'/api/boards/:boardId/lists/:listId/cards/:cardId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId;
const paramListId = req.params.listId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
if (req.body.hasOwnProperty('title')) {
const newTitle = req.body.title;
@ -3855,10 +3855,10 @@ JsonRoutes.add('GET', '/api/boards/:boardId/cards_count', function(
'DELETE',
'/api/boards/:boardId/lists/:listId/cards/:cardId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const card = Cards.findOne({
_id: paramCardId,
@ -3895,10 +3895,10 @@ JsonRoutes.add('GET', '/api/boards/:boardId/cards_count', function(
'GET',
'/api/boards/:boardId/cardsByCustomField/:customFieldId/:customFieldValue',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCustomFieldId = req.params.customFieldId;
const paramCustomFieldValue = req.params.customFieldValue;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Cards.find({

6
models/checklistItems.js
View file

@ -265,9 +265,9 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramItemId = req.params.itemId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const checklistItem = ChecklistItems.findOne({ _id: paramItemId });
if (checklistItem) {
JsonRoutes.sendResult(res, {
@ -299,9 +299,9 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramItemId = req.params.itemId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
function isTrue(data) {
try {
@ -350,9 +350,9 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramItemId = req.params.itemId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
ChecklistItems.direct.remove({ _id: paramItemId });
JsonRoutes.sendResult(res, {
code: 200,

8
models/checklists.js
View file

@ -248,9 +248,9 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const checklists = Checklists.find({ cardId: paramCardId }).map(function(
doc,
) {
@ -292,10 +292,10 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramChecklistId = req.params.checklistId;
const paramCardId = req.params.cardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const checklist = Checklists.findOne({
_id: paramChecklistId,
cardId: paramCardId,
@ -336,10 +336,10 @@ if (Meteor.isServer) {
'POST',
'/api/boards/:boardId/cards/:cardId/checklists',
function(req, res) {
Authentication.checkUserId(req.userId);
// Check user is logged in
//Authentication.checkLoggedIn(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
// Check user has permission to add checklist to the card
const board = Boards.findOne({
_id: paramBoardId,
@ -398,9 +398,9 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramChecklistId = req.params.checklistId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
Checklists.remove({ _id: paramChecklistId });
JsonRoutes.sendResult(res, {
code: 200,

16
models/customFields.js
View file

@ -301,8 +301,8 @@ if (Meteor.isServer) {
req,
res,
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: CustomFields.find({ boardIds: { $in: [paramBoardId] } }).map(
@ -330,9 +330,9 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/custom-fields/:customFieldId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCustomFieldId = req.params.customFieldId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: CustomFields.findOne({
@ -361,8 +361,8 @@ if (Meteor.isServer) {
req,
res,
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const board = Boards.findOne({ _id: paramBoardId });
const id = CustomFields.direct.insert({
name: req.body.name,
@ -406,9 +406,9 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/custom-fields/:customFieldId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramFieldId = req.params.customFieldId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
if (req.body.hasOwnProperty('name')) {
CustomFields.direct.update(
@ -479,9 +479,9 @@ if (Meteor.isServer) {
'POST',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramCustomFieldId = req.params.customFieldId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramItems = req.body.items;
if (req.body.hasOwnProperty('items')) {
@ -522,10 +522,10 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramDropdownItemId = req.params.dropdownItemId;
const paramCustomFieldId = req.params.customFieldId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramName = req.body.name;
if (req.body.hasOwnProperty('name')) {
@ -563,10 +563,10 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
paramCustomFieldId = req.params.customFieldId;
paramDropdownItemId = req.params.dropdownItemId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
CustomFields.direct.update(
{ _id: paramCustomFieldId },
@ -598,8 +598,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/custom-fields/:customFieldId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const id = req.params.customFieldId;
CustomFields.remove({ _id: id, boardIds: { $in: [paramBoardId] } });
JsonRoutes.sendResult(res, {

8
models/lists.js
View file

@ -493,8 +493,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('GET', '/api/boards/:boardId/lists', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
@ -528,9 +528,9 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Lists.findOne({
@ -557,8 +557,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('POST', '/api/boards/:boardId/lists', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const board = Boards.findOne(paramBoardId);
const id = Lists.insert({
title: req.body.title,
@ -595,9 +595,9 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
Lists.remove({ _id: paramListId, boardId: paramBoardId });
JsonRoutes.sendResult(res, {
code: 200,

10
models/swimlanes.js
View file

@ -399,8 +399,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('GET', '/api/boards/:boardId/swimlanes', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
@ -435,9 +435,10 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramSwimlaneId = req.params.swimlaneId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Swimlanes.findOne({
@ -465,8 +466,9 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('POST', '/api/boards/:boardId/swimlanes', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const board = Boards.findOne(paramBoardId);
const id = Swimlanes.insert({
title: req.body.title,
@ -503,9 +505,9 @@ if (Meteor.isServer) {
'/api/boards/:boardId/swimlanes/:swimlaneId',
function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
const paramSwimlaneId = req.params.swimlaneId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
Swimlanes.remove({ _id: paramSwimlaneId, boardId: paramBoardId });
JsonRoutes.sendResult(res, {
code: 200,