Fix New Board Permissions: NormalAssignedOnly, CommentAssignedOnly, ReadOnly, ReadAssignedOnly. Part 1.

Thanks to nazim-oss and xet7!

Related #6060
This commit is contained in:
Lauri Ojansivu 2026-01-14 23:43:11 +02:00
parent 2f59e42024
commit eabb6a239d
25 changed files with 562 additions and 291 deletions


@ -518,7 +518,7 @@ Cards.attachSchema(
);
// Centralized update policy for Cards
// Security: deny any direct client updates to 'vote' fields; require membership otherwise
// Security: deny any direct client updates to 'vote' fields; require write access otherwise
canUpdateCard = function(userId, doc, fields) {
if (!userId) return false;
const fieldNames = fields || [];
@ -530,19 +530,22 @@ canUpdateCard = function(userId, doc, fields) {
if (_.some(fieldNames, f => typeof f === 'string' && (f === 'poker' || f.indexOf('poker.') === 0))) {
return false;
}
return allowIsBoardMember(userId, ReactiveCache.getBoard(doc.boardId));
// ReadOnly users cannot edit cards
return allowIsBoardMemberWithWriteAccess(userId, ReactiveCache.getBoard(doc.boardId));
};
Cards.allow({
insert(userId, doc) {
return allowIsBoardMember(userId, ReactiveCache.getBoard(doc.boardId));
// ReadOnly users cannot create cards
return allowIsBoardMemberWithWriteAccess(userId, ReactiveCache.getBoard(doc.boardId));
},
update(userId, doc, fields) {
return canUpdateCard(userId, doc, fields);
},
remove(userId, doc) {
return allowIsBoardMember(userId, ReactiveCache.getBoard(doc.boardId));
// ReadOnly users cannot delete cards
return allowIsBoardMemberWithWriteAccess(userId, ReactiveCache.getBoard(doc.boardId));
},
fetch: ['boardId'],
});
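Review bot: The new gate in `insert`, `remove` and the tail of `canUpdateCard` decides on `userId` and the board alone, so the per-card "assigned-only" roles named in the commit title (NormalAssignedOnly, CommentAssignedOnly, ReadAssignedOnly) cannot be told apart here unless `allowIsBoardMemberWithWriteAccess` reaches past its two arguments — that helper is defined outside this hunk, so this is inferred, and `canUpdateCard` itself begins in the previous hunk. If the assignment check is meant to live in these allow rules, the card document has to enter the decision, and because `fetch: ['boardId']` restricts what `doc` carries into these callbacks, every card field such a check reads must also be added to `fetch` or it will arrive as `undefined` and silently deny or allow. Until that lands, the three `// ReadOnly users cannot ...` comments describe only the ReadOnly case; a line such as `// TODO: assigned-only roles still need a per-card check (members/assignees); board-level write access is not enough` at each of the three return sites would stop a reader from assuming this rule already enforces them. Note also that `canUpdateCard = function(...)` is an implicit global assignment, which matches the file's existing style but hides the dependency from readers of `Cards.allow`.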