mirror of
https://github.com/wekan/wekan.git
synced 2026-01-23 17:56:09 +01:00
Security Fix 14: RulesBleed.
Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.
parent
91a936e07d
commit
a787bcddf3
1 changed files with 37 additions and 5 deletions
|
|
@ -2,9 +2,25 @@ import Boards from '/models/boards';
|
|||
import Actions from '/models/actions';
|
||||
import Triggers from '/models/triggers';
|
||||
import Rules from '/models/rules';
|
||||
import ReactiveCache from '/imports/reactiveCache';
|
||||
|
||||
Meteor.publish('rules', ruleId => {
|
||||
Meteor.publish('rules', function(ruleId) {
|
||||
check(ruleId, String);
|
||||
|
||||
if (!this.userId) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const rule = ReactiveCache.getRule(ruleId);
|
||||
if (!rule) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const board = ReactiveCache.getBoard(rule.boardId);
|
||||
if (!board || !board.isVisibleBy(this.userId)) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const ret = ReactiveCache.getRules(
|
||||
{
|
||||
_id: ruleId,
|
||||
|
|
@ -15,22 +31,38 @@ Meteor.publish('rules', ruleId => {
|
|||
return ret;
|
||||
});
|
||||
|
||||
Meteor.publish('allRules', () => {
|
||||
Meteor.publish('allRules', function() {
|
||||
if (!this.userId || !ReactiveCache.getUser(this.userId).isAdmin) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const ret = ReactiveCache.getRules({}, {}, true);
|
||||
return ret;
|
||||
});
|
||||
|
||||
Meteor.publish('allTriggers', () => {
|
||||
Meteor.publish('allTriggers', function() {
|
||||
if (!this.userId || !ReactiveCache.getUser(this.userId).isAdmin) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const ret = ReactiveCache.getTriggers({}, {}, true);
|
||||
return ret;
|
||||
});
|
||||
|
||||
Meteor.publish('allActions', () => {
|
||||
Meteor.publish('allActions', function() {
|
||||
if (!this.userId || !ReactiveCache.getUser(this.userId).isAdmin) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const ret = ReactiveCache.getActions({}, {}, true);
|
||||
return ret;
|
||||
});
|
||||
|
||||
Meteor.publish('rulesReport', () => {
|
||||
Meteor.publish('rulesReport', function() {
|
||||
if (!this.userId || !ReactiveCache.getUser(this.userId).isAdmin) {
|
||||
return this.ready();
|
||||
}
|
||||
|
||||
const rules = ReactiveCache.getRules({}, {}, true);
|
||||
const actionIds = [];
|
||||
const triggerIds = [];
|
||||
|
|
|
|||
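Review bot: In the `rules` publication the board check runs only once, when the subscription starts, so the returned cursor keeps streaming that rule to a user who later loses access to the board; Meteor re-runs a publish function only when the logged-in user changes. If that window is acceptable, say so above the check, e.g. `// Access is evaluated at subscribe time only; a removed member keeps the feed until resubscribing.` It is also worth confirming that `board.isVisibleBy` accepts a user id, because the call passes `this.userId` rather than a user document and the helper's definition is not part of this diff. In the four admin-only publications, `ReactiveCache.getUser(this.userId).isAdmin` throws if the lookup returns nothing; `const user = ReactiveCache.getUser(this.userId); if (!user || !user.isAdmin) return this.ready();` keeps the denial path quiet. The body of `rulesReport` continues past the end of the last hunk, so how the admin-gated data is assembled there cannot be checked from this page.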