Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-17 07:50:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix files access bug

Browse source
This commit is contained in:
Ghassen Rjab 2017-07-30 04:27:38 +01:00
parent f9f529e53f
commit f521b7949a
1 changed files with 6 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

18
models/attachments.js
View file

@ -21,19 +21,13 @@ if (Meteor.isServer) {
// We authorize the attachment download either: // We authorize the attachment download either:
// - if the board is public, everyone (even unconnected) can download it // - if the board is public, everyone (even unconnected) can download it
// - if the board is private, only board members can download it // - if the board is private, only board members can download it
//
// XXX We have a bug with the `userId` verification:
//
// https://github.com/CollectionFS/Meteor-CollectionFS/issues/449
//
download(userId, doc) { download(userId, doc) {
const query = { const board = Boards.findOne(doc.boardId);
$or: [ if (board.isPublic()) {
{ 'members.userId': userId }, return true;
{ permission: 'public' }, } else {
], return board.hasMember(userId);
}; }
return Boolean(Boards.findOne(doc.boardId, query));
}, },
fetch: ['boardId'], fetch: ['boardId'],