Fixed REST API, it shoud work now by Admin user.

Reverted Allow board members to use more of API of Wekan v5.35
a719e8fda1

Thanks to tomhughes.

Fixes #4009,
fixes #2793,
fixes #2790

models/checklists.js

@@ -204,8 +204,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       const checklists = Checklists.find({ cardId: paramCardId }).map(function(
         doc,
@@ -248,8 +248,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       const paramCardId = req.params.cardId;
       const checklist = Checklists.findOne({
@@ -292,8 +292,9 @@ if (Meteor.isServer) {
     'POST',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       // Check user is logged in
-      Authentication.checkLoggedIn(req.userId);
+      //Authentication.checkLoggedIn(req.userId);
       const paramBoardId = req.params.boardId;
       // Check user has permission to add checklist to the card
       const board = Boards.findOne({
@@ -353,8 +354,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       Checklists.remove({ _id: paramChecklistId });
       JsonRoutes.sendResult(res, {