From 8c0b4f79d8582932528ec2fdf2a4487c86770fb9 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Sun, 18 Jan 2026 19:50:29 +0200
Subject: [PATCH] Security Fix 9: ListWIPBleed. Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.
---
 models/lists.js | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/models/lists.js b/models/lists.js
index 7564f7dbb..4eb4574f1 100644
--- a/models/lists.js
+++ b/models/lists.js
@@ -425,15 +425,44 @@ Meteor.methods({
 applyWipLimit(listId, limit) { check(listId, String); check(limit, Number); + + if (!this.userId) { + throw new Meteor.Error('not-authorized', 'You must be logged in.'); + } + + const list = ReactiveCache.getList(listId); + if (!list) { + throw new Meteor.Error('list-not-found', 'List not found'); + } + + const board = ReactiveCache.getBoard(list.boardId); + if (!board || !board.hasAdmin(this.userId)) { + throw new Meteor.Error('not-authorized', 'You must be a board admin to modify WIP limits.'); + } + if (limit === 0) { limit = 1; } - ReactiveCache.getList(listId).setWipLimit(limit); + list.setWipLimit(limit); }, enableWipLimit(listId) { check(listId, String); + + if (!this.userId) { + throw new Meteor.Error('not-authorized', 'You must be logged in.'); + } + const list = ReactiveCache.getList(listId); + if (!list) { + throw new Meteor.Error('list-not-found', 'List not found'); + } + + const board = ReactiveCache.getBoard(list.boardId); + if (!board || !board.hasAdmin(this.userId)) { + throw new Meteor.Error('not-authorized', 'You must be a board admin to modify WIP limits.'); + } + if (list.getWipLimit('value') === 0) { list.setWipLimit(1); } 
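Review bot: In applyWipLimit, `check(limit, Number)` plus the `if (limit === 0)` normalization still lets a negative, fractional, NaN or Infinity limit reach `list.setWipLimit(limit)`; the authorization fix means only a board admin can now do that, but unless setWipLimit normalizes (not visible here) a nonsensical limit can be stored. Tightening the argument check closes it: `check(limit, Match.Integer);` followed by `if (limit < 0) throw new Meteor.Error('invalid-wip-limit', 'WIP limit must be a non-negative integer.');` (assuming `Match` is in scope next to `check`, as with the standard Meteor check package). A smaller point: a logged-in user who is not on the board receives 'list-not-found' for unknown IDs but 'not-authorized' for real ones, so the two messages act as an existence oracle for list IDs; throwing the same 'not-authorized' error from both branches avoids that. The `Meteor.methods({` object starts before this hunk, and enableWipLimit's closing brace lies past its end.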
@@ -442,7 +471,21 @@ Meteor.methods({ enableSoftLimit(listId) { check(listId, String); + + if (!this.userId) { + throw new Meteor.Error('not-authorized', 'You must be logged in.'); + } + const list = ReactiveCache.getList(listId); + if (!list) { + throw new Meteor.Error('list-not-found', 'List not found'); + } + + const board = ReactiveCache.getBoard(list.boardId); + if (!board || !board.hasAdmin(this.userId)) { + throw new Meteor.Error('not-authorized', 'You must be a board admin to modify WIP limits.'); + } + list.toggleSoftLimit(!list.getWipLimit('soft')); },
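Review bot: enableSoftLimit carries the third verbatim copy of the same login/list/board-admin guard that applyWipLimit and enableWipLimit receive in the previous hunk, so a future WIP-limit method can easily miss a step and the three copies can drift apart. Pulling the guard into one module-level helper that returns the list keeps the authorization decision in a single place; the helper below would sit above `Meteor.methods({` (which itself starts before this hunk), and each method body shrinks to its `check`, one helper call and its own action, with error codes and messages unchanged. A one-line comment on the helper stating why board-admin rather than plain board membership is required would also record the security decision this commit makes.
```javascript
// Shared guard for the WIP-limit methods: the caller must be logged in and be
// an admin of the board that owns the list. Throws Meteor.Error otherwise.
function requireListBoardAdmin(listId, userId) {
  if (!userId) {
    throw new Meteor.Error('not-authorized', 'You must be logged in.');
  }
  const list = ReactiveCache.getList(listId);
  if (!list) {
    throw new Meteor.Error('list-not-found', 'List not found');
  }
  const board = ReactiveCache.getBoard(list.boardId);
  if (!board || !board.hasAdmin(userId)) {
    throw new Meteor.Error('not-authorized', 'You must be a board admin to modify WIP limits.');
  }
  return list;
}

// … unchanged: Meteor.methods({ and the other methods …
  enableSoftLimit(listId) {
    check(listId, String);
    const list = requireListBoardAdmin(listId, this.userId);
    list.toggleSoftLimit(!list.getWipLimit('soft'));
  },
```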