Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-01-29 12:46:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix New Board Permissions: NormalAssignedOnly, CommentAssignedOnly, ReadOnly, ReadAssignedOnly. Part 1.

Browse source 
Thanks to nazim-oss and xet7 !

Related #6060
This commit is contained in:
Lauri Ojansivu 2026-01-14 23:43:11 +02:00
parent 2f59e42024
commit eabb6a239d
25 changed files with 562 additions and 291 deletions
Download patch file Download diff file Expand all files Collapse all files

9
models/attachments.js
View file

@ -176,7 +176,8 @@ Attachments = new FilesCollection({
if (Meteor.isServer) {
Attachments.allow({
insert(userId, fileObj) {
return allowIsBoardMember(userId, ReactiveCache.getBoard(fileObj.boardId));
// ReadOnly users cannot upload attachments
return allowIsBoardMemberWithWriteAccess(userId, ReactiveCache.getBoard(fileObj.boardId));
},
update(userId, fileObj, fields) {
// Only allow updates to specific fields that don't affect security
@ -190,7 +191,8 @@ if (Meteor.isServer) {
return false;
}
return allowIsBoardMember(userId, ReactiveCache.getBoard(fileObj.boardId));
// ReadOnly users cannot update attachments
return allowIsBoardMemberWithWriteAccess(userId, ReactiveCache.getBoard(fileObj.boardId));
},
remove(userId, fileObj) {
// Additional security check: ensure the file belongs to the board the user has access to
@ -209,7 +211,8 @@ if (Meteor.isServer) {
return false;
}
return allowIsBoardMember(userId, board);
// ReadOnly users cannot delete attachments
return allowIsBoardMemberWithWriteAccess(userId, board);
},
fetch: ['meta', 'boardId'],
});