Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-02-20 23:14:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Use sync code in allow/deny for 2.x

Browse source
This commit is contained in:
Harry Adel 2026-02-19 00:26:47 +02:00
parent f934aea2a5
commit e77be37450
28 changed files with 594 additions and 410 deletions
Download patch file Download diff file Expand all files Collapse all files

4
models/accessibilitySettings.js
View file

@ -46,8 +46,8 @@ AccessibilitySettings.attachSchema(
);
AccessibilitySettings.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

4
models/accountSettings.js
View file

@ -45,8 +45,8 @@ AccountSettings.attachSchema(
);
AccountSettings.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

12
models/actions.js
View file

@ -4,14 +4,14 @@ import { Meteor } from 'meteor/meteor';
Actions = new Mongo.Collection('actions');
Actions.allow({
async insert(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
insert(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
update(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
remove(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
});

38
models/activities.js
View file

@ -118,7 +118,7 @@ if (Meteor.isServer) {
if (activity.userId) {
// No need send notification to user of activity
// participants = _.union(participants, [activity.userId]);
const user = activity.user();
const user = await activity.user();
if (user) {
if (user.getName()) {
params.user = user.getName();
@ -146,7 +146,7 @@ if (Meteor.isServer) {
params.boardId = activity.boardId;
}
if (activity.oldBoardId) {
const oldBoard = activity.oldBoard();
const oldBoard = await activity.oldBoard();
if (oldBoard) {
watchers = _.union(watchers, oldBoard.watchers || []);
params.oldBoard = oldBoard.title;
@ -155,10 +155,10 @@ if (Meteor.isServer) {
}
if (activity.memberId) {
participants = _.union(participants, [activity.memberId]);
params.member = activity.member().getName();
params.member = (await activity.member()).getName();
}
if (activity.listId) {
const list = activity.list();
const list = await activity.list();
if (list) {
if (list.watchers !== undefined) {
watchers = _.union(watchers, list.watchers || []);
@ -168,7 +168,7 @@ if (Meteor.isServer) {
}
}
if (activity.oldListId) {
const oldList = activity.oldList();
const oldList = await activity.oldList();
if (oldList) {
watchers = _.union(watchers, oldList.watchers || []);
params.oldList = oldList.title;
@ -176,7 +176,7 @@ if (Meteor.isServer) {
}
}
if (activity.oldSwimlaneId) {
const oldSwimlane = activity.oldSwimlane();
const oldSwimlane = await activity.oldSwimlane();
if (oldSwimlane) {
watchers = _.union(watchers, oldSwimlane.watchers || []);
params.oldSwimlane = oldSwimlane.title;
@ -184,7 +184,7 @@ if (Meteor.isServer) {
}
}
if (activity.cardId) {
const card = activity.card();
const card = await activity.card();
participants = _.union(participants, [card.userId], card.members || []);
watchers = _.union(watchers, card.watchers || []);
params.card = card.title;
@ -193,12 +193,12 @@ if (Meteor.isServer) {
params.cardId = activity.cardId;
}
if (activity.swimlaneId) {
const swimlane = activity.swimlane();
const swimlane = await activity.swimlane();
params.swimlane = swimlane.title;
params.swimlaneId = activity.swimlaneId;
}
if (activity.commentId) {
const comment = activity.comment();
const comment = await activity.comment();
params.comment = comment.text;
let hasMentions = false; // Track if comment has @mentions
if (board) {
@ -257,7 +257,7 @@ if (Meteor.isServer) {
hasMentions = true;
} else if (activity.cardId && username === 'card_members') {
// mentions all card members if assigned
const card = activity.card();
const card = await activity.card();
if (card && card.members && card.members.length > 0) {
// Filter to only valid users who are board members
const validMembers = [];
@ -273,7 +273,7 @@ if (Meteor.isServer) {
hasMentions = true;
} else if (activity.cardId && username === 'card_assignees') {
// mentions all assignees of the current card
const card = activity.card();
const card = await activity.card();
if (card && card.assignees && card.assignees.length > 0) {
// Filter to only valid users who are board members
const validAssignees = [];
@ -310,7 +310,7 @@ if (Meteor.isServer) {
params.attachmentId = activity.attachmentId;
}
if (activity.checklistId) {
const checklist = activity.checklist();
const checklist = await activity.checklist();
if (checklist) {
if (checklist.title) {
params.checklist = checklist.title;
@ -318,7 +318,7 @@ if (Meteor.isServer) {
}
}
if (activity.checklistItemId) {
const checklistItem = activity.checklistItem();
const checklistItem = await activity.checklistItem();
if (checklistItem) {
if (checklistItem.title) {
params.checklistItem = checklistItem.title;
@ -326,7 +326,7 @@ if (Meteor.isServer) {
}
}
if (activity.customFieldId) {
const customField = activity.customField();
const customField = await activity.customField();
if (customField) {
if (customField.name) {
params.customField = customField.name;
@ -338,7 +338,7 @@ if (Meteor.isServer) {
}
// Label activity did not work yet, unable to edit labels when tried this.
if (activity.labelId) {
const label = activity.label();
const label = await activity.label();
if (label) {
if (label.name) {
params.label = label.name;
@ -368,10 +368,8 @@ if (Meteor.isServer) {
try {
const atype = activity.activityType;
if (new RegExp(BIGEVENTS).exec(atype)) {
watchers = _.union(
watchers,
board.activeMembers().map((member) => member.userId),
); // notify all active members for important events
const activeMemberIds = _.filter(board.members, m => m.isActive === true).map(m => m.userId);
watchers = _.union(watchers, activeMemberIds); // notify all active members for important events
}
} catch (e) {
// passed env var BIGEVENTS_PATTERN is not a valid regex
@ -396,7 +394,7 @@ if (Meteor.isServer) {
);
}
}
Notifications.getUsers(watchers).forEach((user) => {
(await Notifications.getUsers(watchers)).forEach((user) => {
// Skip if user is undefined or doesn't have an _id (e.g., deleted user or invalid ID)
if (!user || !user._id) return;

4
models/announcements.js
View file

@ -50,8 +50,8 @@ Announcements.attachSchema(
);
Announcements.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

12
models/attachments.js
View file

@ -196,11 +196,11 @@ Attachments = new FilesCollection({
if (Meteor.isServer) {
Attachments.allow({
async insert(userId, fileObj) {
insert(userId, fileObj) {
// ReadOnly users cannot upload attachments
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(fileObj.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(fileObj.boardId));
},
async update(userId, fileObj, fields) {
update(userId, fileObj, fields) {
// SECURITY: The 'name' field is sanitized in onBeforeUpload and server-side methods,
// but we block direct client-side $set operations on 'versions.*.path' to prevent
// path traversal attacks via storage migration exploits.
@ -230,9 +230,9 @@ if (Meteor.isServer) {
}
// ReadOnly users cannot update attachments
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(fileObj.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(fileObj.boardId));
},
async remove(userId, fileObj) {
remove(userId, fileObj) {
// Additional security check: ensure the file belongs to the board the user has access to
if (!fileObj || !fileObj.boardId) {
if (process.env.DEBUG === 'true') {
@ -241,7 +241,7 @@ if (Meteor.isServer) {
return false;
}
const board = await ReactiveCache.getBoard(fileObj.boardId);
const board = Boards.findOne(fileObj.boardId);
if (!board) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked attachment removal: board not found');

10
models/boards.js
View file

@ -1828,7 +1828,7 @@ Boards.labelColors = () => {
if (Meteor.isServer) {
Boards.allow({
async insert(userId, doc) {
insert(userId, doc) {
// Check if user is logged in
if (!userId) return false;
@ -1847,7 +1847,7 @@ if (Meteor.isServer) {
// All logged in users are allowed to reorder boards by dragging at All Boards page and Public Boards page.
Boards.allow({
async update(userId, board, fieldNames) {
update(userId, board, fieldNames) {
return canUpdateBoardSort(userId, board, fieldNames);
},
// Need members to verify membership in policy
@ -1857,7 +1857,7 @@ if (Meteor.isServer) {
// The number of users that have starred this board is managed by trusted code
// and the user is not allowed to update it
Boards.deny({
async update(userId, board, fieldNames) {
update(userId, board, fieldNames) {
return _.contains(fieldNames, 'stars');
},
fetch: [],
@ -1865,7 +1865,7 @@ if (Meteor.isServer) {
// We can't remove a member if it is the last administrator
Boards.deny({
async update(userId, doc, fieldNames, modifier) {
update(userId, doc, fieldNames, modifier) {
if (!_.contains(fieldNames, 'members')) return false;
// We only care in case of a $pull operation, ie remove a member
@ -1891,7 +1891,7 @@ if (Meteor.isServer) {
// Deny changing permission to public if allowPrivateOnly is enabled
Boards.deny({
async update(userId, doc, fieldNames, modifier) {
update(userId, doc, fieldNames, modifier) {
if (!_.contains(fieldNames, 'permission')) return false;
const allowPrivateOnly = TableVisibilityModeSettings.findOne('tableVisibilityMode-allowPrivateOnly')?.booleanValue;

12
models/cardCommentReactions.js
View file

@ -50,14 +50,14 @@ CardCommentReactions.attachSchema(
);
CardCommentReactions.allow({
async insert(userId, doc) {
return allowIsBoardMember(userId, await ReactiveCache.getBoard(doc.boardId));
insert(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
return allowIsBoardMember(userId, await ReactiveCache.getBoard(doc.boardId));
update(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
return allowIsBoardMember(userId, await ReactiveCache.getBoard(doc.boardId));
remove(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
fetch: ['boardId'],
});

12
models/cardComments.js
View file

@ -81,15 +81,15 @@ CardComments.attachSchema(
);
CardComments.allow({
async insert(userId, doc) {
insert(userId, doc) {
// ReadOnly users cannot add comments. Only members who can comment are allowed.
return allowIsBoardMemberCommentOnly(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberCommentOnly(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
return userId === doc.userId || allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
update(userId, doc) {
return userId === doc.userId || allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
return userId === doc.userId || allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
remove(userId, doc) {
return userId === doc.userId || allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
fetch: ['userId', 'boardId'],
});

523
models/cards.js
View file

File diff suppressed because it is too large Load diff

12
models/checklistItems.js
View file

@ -69,17 +69,17 @@ ChecklistItems.attachSchema(
);
ChecklistItems.allow({
async insert(userId, doc) {
insert(userId, doc) {
// ReadOnly users cannot create checklist items
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
async update(userId, doc) {
update(userId, doc) {
// ReadOnly users cannot edit checklist items
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
async remove(userId, doc) {
remove(userId, doc) {
// ReadOnly users cannot delete checklist items
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
fetch: ['userId', 'cardId'],
});

12
models/checklists.js
View file

@ -195,17 +195,17 @@ Checklists.helpers({
});
Checklists.allow({
async insert(userId, doc) {
insert(userId, doc) {
// ReadOnly users cannot create checklists
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
async update(userId, doc) {
update(userId, doc) {
// ReadOnly users cannot edit checklists
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
async remove(userId, doc) {
remove(userId, doc) {
// ReadOnly users cannot delete checklists
return allowIsBoardMemberWithWriteAccessByCard(userId, await ReactiveCache.getCard(doc.cardId));
return allowIsBoardMemberWithWriteAccessByCard(userId, Cards.findOne(doc.cardId));
},
fetch: ['userId', 'cardId'],
});

18
models/customFields.js
View file

@ -164,28 +164,28 @@ CustomFields.helpers({
});
CustomFields.allow({
async insert(userId, doc) {
insert(userId, doc) {
return allowIsAnyBoardMember(
userId,
await ReactiveCache.getBoards({
Boards.find({
_id: { $in: doc.boardIds },
}),
}).fetch(),
);
},
async update(userId, doc) {
update(userId, doc) {
return allowIsAnyBoardMember(
userId,
await ReactiveCache.getBoards({
Boards.find({
_id: { $in: doc.boardIds },
}),
}).fetch(),
);
},
async remove(userId, doc) {
remove(userId, doc) {
return allowIsAnyBoardMember(
userId,
await ReactiveCache.getBoards({
Boards.find({
_id: { $in: doc.boardIds },
}),
}).fetch(),
);
},
fetch: ['userId', 'boardIds'],

20
models/integrations.js
View file

@ -101,21 +101,21 @@ Integrations.Const = {
},
};
const permissionHelper = {
async allow(userId, doc) {
const user = await ReactiveCache.getUser(userId);
const isAdmin = user && (await ReactiveCache.getCurrentUser()).isAdmin;
return isAdmin || allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
allow(userId, doc) {
const user = Meteor.users.findOne(userId);
const isAdmin = user && user.isAdmin;
return isAdmin || allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
};
Integrations.allow({
async insert(userId, doc) {
return await permissionHelper.allow(userId, doc);
insert(userId, doc) {
return permissionHelper.allow(userId, doc);
},
async update(userId, doc) {
return await permissionHelper.allow(userId, doc);
update(userId, doc) {
return permissionHelper.allow(userId, doc);
},
async remove(userId, doc) {
return await permissionHelper.allow(userId, doc);
remove(userId, doc) {
return permissionHelper.allow(userId, doc);
},
fetch: ['boardId'],
});

14
models/lists.js
View file

@ -180,17 +180,17 @@ Lists.attachSchema(
);
Lists.allow({
async insert(userId, doc) {
insert(userId, doc) {
// ReadOnly and CommentOnly users cannot create lists
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
update(userId, doc) {
// ReadOnly and CommentOnly users cannot edit lists
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
remove(userId, doc) {
// ReadOnly and CommentOnly users cannot delete lists
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
fetch: ['boardId'],
});
@ -540,7 +540,7 @@ Meteor.methods({
}
await Lists.updateAsync(
{ _id: listId, boardId },
listId,
{
$set: {
...updateData,

4
models/lockoutSettings.js
View file

@ -48,8 +48,8 @@ LockoutSettings.attachSchema(
);
LockoutSettings.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

12
models/org.js
View file

@ -87,8 +87,8 @@ Org.attachSchema(
if (Meteor.isServer) {
Org.allow({
async insert(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
insert(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -96,8 +96,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async update(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
update(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -105,8 +105,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async remove(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
remove(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {

12
models/rules.js
View file

@ -72,14 +72,14 @@ Rules.helpers({
});
Rules.allow({
async insert(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
insert(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
update(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
remove(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
});

4
models/settings.js
View file

@ -223,8 +223,8 @@ Settings.helpers({
},
});
Settings.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

12
models/swimlanes.js
View file

@ -131,17 +131,17 @@ Swimlanes.attachSchema(
);
Swimlanes.allow({
async insert(userId, doc) {
insert(userId, doc) {
// ReadOnly and CommentOnly users cannot create swimlanes
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
update(userId, doc) {
// ReadOnly and CommentOnly users cannot edit swimlanes
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
remove(userId, doc) {
// ReadOnly and CommentOnly users cannot delete swimlanes
return allowIsBoardMemberWithWriteAccess(userId, await ReactiveCache.getBoard(doc.boardId));
return allowIsBoardMemberWithWriteAccess(userId, Boards.findOne(doc.boardId));
},
fetch: ['boardId'],
});

4
models/tableVisibilityModeSettings.js
View file

@ -45,8 +45,8 @@ TableVisibilityModeSettings.attachSchema(
);
TableVisibilityModeSettings.allow({
async update(userId) {
const user = await ReactiveCache.getUser(userId);
update(userId) {
const user = Meteor.users.findOne(userId);
return user && user.isAdmin;
},
});

12
models/team.js
View file

@ -78,8 +78,8 @@ Team.attachSchema(
if (Meteor.isServer) {
Team.allow({
async insert(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
insert(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -87,8 +87,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async update(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
update(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -96,8 +96,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async remove(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
remove(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {

12
models/translation.js
View file

@ -58,8 +58,8 @@ Translation.attachSchema(
if (Meteor.isServer) {
Translation.allow({
async insert(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
insert(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -67,8 +67,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async update(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
update(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {
@ -76,8 +76,8 @@ if (Meteor.isServer) {
}
return doc._id === userId;
},
async remove(userId, doc) {
const user = await ReactiveCache.getUser(userId) || await ReactiveCache.getCurrentUser();
remove(userId, doc) {
const user = Meteor.users.findOne(userId);
if (user?.isAdmin)
return true;
if (!user) {

12
models/triggers.js
View file

@ -14,14 +14,14 @@ Triggers.before.update((userId, doc, fieldNames, modifier) => {
});
Triggers.allow({
async insert(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
insert(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async update(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
update(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
async remove(userId, doc) {
return allowIsBoardAdmin(userId, await ReactiveCache.getBoard(doc.boardId));
remove(userId, doc) {
return allowIsBoardAdmin(userId, Boards.findOne(doc.boardId));
},
});