Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 23:40:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Security Fix: Fix AdminBleed in WeKan, so that non-admin can not change to Admin.

Browse source 
Thanks to Christian Pöschl of usd AG Responsible Disclosure Team for reporting and xet7 for fixing !
This commit is contained in:
Lauri Ojansivu 2023-04-25 01:54:53 +03:00
parent 11b61b8fe2
commit cbad4cf594
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
models/users.js
View file

@ -539,6 +539,15 @@ Users.allow({
fetch: [], fetch: [],
}); });
// Non-Admin users can not change to Admin
Users.deny({
update(userId, board, fieldNames) {
return _.contains(fieldNames, 'isAdmin') && !Meteor.user().isAdmin;
},
fetch: [],
});
// Search a user in the complete server database by its name, username or emails adress. This // Search a user in the complete server database by its name, username or emails adress. This
// is used for instance to add a new user to a board. // is used for instance to add a new user to a board.
UserSearchIndex = new Index({ UserSearchIndex = new Index({