Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-01-25 10:46:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix SECURITY ISSUE 2: Access to boards of any Orgs/Teams, and avatar permissions.

Browse source 
Thanks to Siam Thanat Hack (STH) !
This commit is contained in:
Lauri Ojansivu 2025-11-02 09:11:50 +02:00
parent e9a727301d
commit f26d582018
9 changed files with 347 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

15
client/components/users/userAvatar.js
View file

@ -15,6 +15,21 @@ Template.userAvatar.helpers({
});
},
avatarUrl() {
const user = ReactiveCache.getUser(this.userId, { fields: { profile: 1 } });
const base = (user && user.profile && user.profile.avatarUrl) || '';
if (!base) return '';
// Append current boardId when available so public viewers can access avatars on public boards
try {
const boardId = Utils.getCurrentBoardId && Utils.getCurrentBoardId();
if (boardId) {
const sep = base.includes('?') ? '&' : '?';
return `${base}${sep}boardId=${encodeURIComponent(boardId)}`;
}
} catch (_) {}
return base;
},
memberType() {
const user = ReactiveCache.getUser(this.userId);
return user && user.isBoardAdmin() ? 'admin' : 'normal';