Fix SECURITY ISSUE 3: Unauthenticated (or any) user can update board sort.

Thanks to Siam Thanat Hack (STH)!
Lauri Ojansivu 2025-11-02 10:13:45 +02:00
parent 0a2e6a0c38
commit ea310d7508
6 changed files with 119 additions and 23 deletions

@ -1711,9 +1711,10 @@ if (Meteor.isServer) {
// All logged in users are allowed to reorder boards by dragging at All Boards page and Public Boards page.
Boards.allow({
update(userId, board, fieldNames) {
return _.contains(fieldNames, 'sort');
return canUpdateBoardSort(userId, board, fieldNames);
},
fetch: [],
// Need members to verify membership in policy
fetch: ['members'],
});
// The number of users that have starred this board is managed by trusted code
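Review bot: The comment above `Boards.allow` still reads "All logged in users are allowed to reorder boards", but the rule now delegates to `canUpdateBoardSort(userId, board, fieldNames)` and fetches `members` to verify membership, so the comment should be rewritten to state the policy that is actually enforced. The body of `canUpdateBoardSort` is not visible in this hunk; because the old check `_.contains(fieldNames, 'sort')` accepted any update that merely included `sort` alongside other fields, please confirm the helper rejects a falsy `userId` and requires `fieldNames` to contain only `sort`. Also note that `fetch: ['members']` limits which fields of `board` are loaded for the rule, so any other board property the helper reads must be added to `fetch` or it will be undefined at check time.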