Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 15:30:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
wekan/server/lib/tests/cards.security.tests.js
Lauri Ojansivu 0a1a075f31 Fix SECURITY ISSUE 4: Members can forge others’ votes (Low). Bonus: Similar fixes to planning poker too done by xet7. 
Thanks to Siam Thanat Hack (STH) and xet7 !
2025-11-02 11:12:41 +02:00

56 lines
2 KiB
JavaScript
Raw Blame History

/* eslint-env mocha */
import { expect } from 'chai';
import '../utils';
import '/models/cards';
// Unit tests for canUpdateCard policy (deny direct vote updates)
describe('cards security', function() {
describe(canUpdateCard.name, function() {
const userId = 'user1';
const board = {
hasMember: (id) => id === userId,
};
const doc = { boardId: 'board1' };
// Patch ReactiveCache.getBoard for this unit test scope if not defined
const origGetBoard = ReactiveCache && ReactiveCache.getBoard;
before(function() {
if (typeof ReactiveCache === 'object') {
ReactiveCache.getBoard = () => board;
}
});
after(function() {
if (typeof ReactiveCache === 'object') {
ReactiveCache.getBoard = origGetBoard;
}
});
it('denies anonymous users', function() {
expect(canUpdateCard(null, doc, ['title'])).to.equal(false);
});
it('denies direct vote updates', function() {
expect(canUpdateCard(userId, doc, ['vote'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['vote', 'modifiedAt', 'dateLastActivity'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['vote.positive'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['vote.negative'])).to.equal(false);
});
it('denies direct poker updates', function() {
expect(canUpdateCard(userId, doc, ['poker'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['poker.one'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['poker.allowNonBoardMembers'])).to.equal(false);
expect(canUpdateCard(userId, doc, ['poker.end'])).to.equal(false);
});
it('allows member updates when not touching vote', function() {
expect(canUpdateCard(userId, doc, ['title'])).to.equal(true);
expect(canUpdateCard(userId, doc, ['description', 'modifiedAt'])).to.equal(true);
});
it('denies non-members even when not touching vote', function() {
const nonMemberId = 'user2';
expect(canUpdateCard(nonMemberId, doc, ['title'])).to.equal(false);
});
});
});
Reference in a new issue View git blame Copy permalink