diff options
| author | Lauri Ojansivu <x@xet7.org> | 2017-07-30 18:02:12 +0300 |
|---|---|---|
| committer | Lauri Ojansivu <x@xet7.org> | 2017-07-30 18:02:12 +0300 |
| commit | a9d4538d53b717fef2c37bf88bbfef9ffe5188f1 (patch) | |
| tree | b203335a0e33e66eb3e03a45235039dffb4a9343 | |
| parent | bda15daa78556223117a5846941aafd1212f14d3 (diff) | |
| parent | f521b7949a82a23697f441c523ce69a7591d735c (diff) | |
| download | wekan-a9d4538d53b717fef2c37bf88bbfef9ffe5188f1.tar.gz wekan-a9d4538d53b717fef2c37bf88bbfef9ffe5188f1.tar.bz2 wekan-a9d4538d53b717fef2c37bf88bbfef9ffe5188f1.zip | |
Merge branch 'fix-files-access' of https://github.com/GhassenRjab/wekan into GhassenRjab-fix-files-access
| -rw-r--r-- | models/attachments.js | 18 |
1 files changed, 6 insertions, 12 deletions
diff --git a/models/attachments.js b/models/attachments.js index d8398816..1c9878c7 100644 --- a/models/attachments.js +++ b/models/attachments.js @@ -21,19 +21,13 @@ if (Meteor.isServer) { // We authorize the attachment download either: // - if the board is public, everyone (even unconnected) can download it // - if the board is private, only board members can download it - // - // XXX We have a bug with the `userId` verification: - // - // https://github.com/CollectionFS/Meteor-CollectionFS/issues/449 - // download(userId, doc) { - const query = { - $or: [ - { 'members.userId': userId }, - { permission: 'public' }, - ], - }; - return Boolean(Boards.findOne(doc.boardId, query)); + const board = Boards.findOne(doc.boardId); + if (board.isPublic()) { + return true; + } else { + return board.hasMember(userId); + } }, fetch: ['boardId'], |