- Fix critical and moderate security vulnerabilities reported at 2020-02-26 with

responsible disclosure by [Dejan Zelic](https://twitter.com/dejandayoff), Justin Benjamin and others at [Offensive Security](https://twitter.com/offsectraining), that follow standard 90 days before public disclosure. Thanks to xet7. - Fix webhook error that prevented some card etc deleting from web UI of board. Thanks to xet7. - Add some more Font Awesome icons. Thanks to xet7. - Remove autofocus from many form input boxes so that they would not cause warnings. Thanks to xet7.
2025-12-16 23:40:13 +01:00 · 2020-03-01 20:59:53 +02:00 · 2020-03-01 20:59:53 +02:00 · aac7c380c8
commit aac7c380c8
parent fc35c234a7
6 changed files with 368 additions and 338 deletions
--- a/server/statistics.js
+++ b/server/statistics.js
@ -1,68 +1,76 @@
 import { MongoInternals } from 'meteor/mongo';

-Meteor.methods({
-  getStatistics() {
-    const os = require('os');
-    const pjson = require('/package.json');
-    const statistics = {};
-    let wekanVersion = pjson.version;
-    wekanVersion = wekanVersion.replace('v', '');
-    statistics.version = wekanVersion;
-    statistics.os = {
-      type: os.type(),
-      platform: os.platform(),
-      arch: os.arch(),
-      release: os.release(),
-      uptime: os.uptime(),
-      loadavg: os.loadavg(),
-      totalmem: os.totalmem(),
-      freemem: os.freemem(),
-      cpus: os.cpus(),
-    };
-    let nodeVersion = process.version;
-    nodeVersion = nodeVersion.replace('v', '');
-    statistics.process = {
-      nodeVersion,
-      pid: process.pid,
-      uptime: process.uptime(),
-    };
-    // Remove beginning of Meteor release text METEOR@
-    let meteorVersion = Meteor.release;
-    meteorVersion = meteorVersion.replace('METEOR@', '');
-    statistics.meteor = {
-      meteorVersion,
-    };
-    // Thanks to RocketChat for MongoDB version detection !
-    // https://github.com/RocketChat/Rocket.Chat/blob/develop/app/utils/server/functions/getMongoInfo.js
-    let mongoVersion;
-    let mongoStorageEngine;
-    let mongoOplogEnabled;
-    try {
-      const { mongo } = MongoInternals.defaultRemoteCollectionDriver();
-      oplogEnabled = Boolean(
-        mongo._oplogHandle && mongo._oplogHandle.onOplogEntry,
-      );
-      const { version, storageEngine } = Promise.await(
-        mongo.db.command({ serverStatus: 1 }),
-      );
-      mongoVersion = version;
-      mongoStorageEngine = storageEngine.name;
-      mongoOplogEnabled = oplogEnabled;
-    } catch (e) {
-      try {
-        const { version } = Promise.await(mongo.db.command({ buildinfo: 1 }));
-        mongoVersion = version;
-        mongoStorageEngine = 'unknown';
-      } catch (e) {
-        mongoVersion = 'unknown';
-        mongoStorageEngine = 'unknown';
+if (Meteor.isServer) {
+  Meteor.methods({
+    getStatistics() {
+      if (Meteor.user() && Meteor.user().isAdmin) {
+        const os = require('os');
+        const pjson = require('/package.json');
+        const statistics = {};
+        let wekanVersion = pjson.version;
+        wekanVersion = wekanVersion.replace('v', '');
+        statistics.version = wekanVersion;
+        statistics.os = {
+          type: os.type(),
+          platform: os.platform(),
+          arch: os.arch(),
+          release: os.release(),
+          uptime: os.uptime(),
+          loadavg: os.loadavg(),
+          totalmem: os.totalmem(),
+          freemem: os.freemem(),
+          cpus: os.cpus(),
+        };
+        let nodeVersion = process.version;
+        nodeVersion = nodeVersion.replace('v', '');
+        statistics.process = {
+          nodeVersion,
+          pid: process.pid,
+          uptime: process.uptime(),
+        };
+        // Remove beginning of Meteor release text METEOR@
+        let meteorVersion = Meteor.release;
+        meteorVersion = meteorVersion.replace('METEOR@', '');
+        statistics.meteor = {
+          meteorVersion,
+        };
+        // Thanks to RocketChat for MongoDB version detection !
+        // https://github.com/RocketChat/Rocket.Chat/blob/develop/app/utils/server/functions/getMongoInfo.js
+        let mongoVersion;
+        let mongoStorageEngine;
+        let mongoOplogEnabled;
+        try {
+          const { mongo } = MongoInternals.defaultRemoteCollectionDriver();
+          oplogEnabled = Boolean(
+            mongo._oplogHandle && mongo._oplogHandle.onOplogEntry,
+          );
+          const { version, storageEngine } = Promise.await(
+            mongo.db.command({ serverStatus: 1 }),
+          );
+          mongoVersion = version;
+          mongoStorageEngine = storageEngine.name;
+          mongoOplogEnabled = oplogEnabled;
+        } catch (e) {
+          try {
+            const { version } = Promise.await(
+              mongo.db.command({ buildinfo: 1 }),
+            );
+            mongoVersion = version;
+            mongoStorageEngine = 'unknown';
+          } catch (e) {
+            mongoVersion = 'unknown';
+            mongoStorageEngine = 'unknown';
+          }
+        }
+        statistics.mongo = {
+          mongoVersion,
+          mongoStorageEngine,
+          mongoOplogEnabled,
+        };
+        return statistics;
+      } else {
+        return false;
      }
-    }
-    statistics.mongo = {
-      mongoVersion,
-      mongoStorageEngine,
-      mongoOplogEnabled,
-    };
-    return statistics;
-  },
-});
+    },
+  });
+}