Fix SECURITY ISSUE 3: Unauthenticated (or any) user can update board sort.

Thanks to Siam Thanat Hack (STH)!
Lauri Ojansivu 2025-11-02 10:13:45 +02:00
parent 0a2e6a0c38
commit ea310d7508
6 changed files with 119 additions and 23 deletions


@ -24,3 +24,12 @@ allowIsBoardMemberByCard = function(userId, card) {
const board = card.board();
return board && board.hasMember(userId);
};
// Policy: can a user update a board's 'sort' field?
// Requirements:
// - user must be authenticated
// - update must include 'sort' field
// - user must be a member of the board
canUpdateBoardSort = function(userId, board, fieldNames) {
return !!userId && _.contains(fieldNames || [], 'sort') && allowIsBoardMember(userId, board);
};
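Review bot: The return in `canUpdateBoardSort` only checks that `fieldNames` includes `'sort'`, not that `'sort'` is the only field being modified, so a single update that touches `sort` together with some other field still satisfies this policy on the strength of `sort` alone; whether that is reachable depends on the caller, which is outside this hunk, but the header comment ("update must include 'sort' field") reads as if "sort only" were the intent. Tightening the line to `return !!userId && _.contains(fieldNames || [], 'sort') && _.every(fieldNames, (f) => f === 'sort') && allowIsBoardMember(userId, board);` pins that down without relying on the caller to reject extra fields (`_.contains` already rejects the empty or missing list, so `_.every` is never evaluated on an empty array). `allowIsBoardMember` is not in this hunk and `board` is passed through unchecked; presumably it tolerates an undefined board, which is worth confirming. The header comment should then state the stricter rule, e.g. `// - update must touch only the 'sort' field`.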