Merge branch 'Robert-Lebedeu-master'

author: Lauri Ojansivu <x@xet7.org> 2019-12-20 16:10:26 +0200
committer: Lauri Ojansivu <x@xet7.org> 2019-12-20 16:10:26 +0200
commit: afe7d4991d09192d416cc1f82c85e5febe22487e (patch)
tree: f5cab56a793f3332581b0c4071ad30912fd8a6b6 /models/cards.js
parent: 2dafde8db9ddbc397e5906aa34cc479c36bf7b3a (diff)
parent: 0649add494d31f51378cf40a0416825accc55a8f (diff)
download: wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.gz
wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.bz2
wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/models/cards.js b/models/cards.js
index 816132fe..496c69b3 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -2003,8 +2003,15 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
-    Authentication.checkUserId(req.userId);
+    // Check user is logged in
+    Authentication.checkLoggedIn(req.userId);
     const paramBoardId = req.params.boardId;
+    // Check user has permission to add card to the board
+    const board = Boards.findOne({
+      _id: paramBoardId
+    });
+    const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+    Authentication.checkAdminOrCondition(req.userId, addPermission);
     const paramListId = req.params.listId;
     const paramParentId = req.params.parentId;
     const currentCards = Cards.find(
author	Lauri Ojansivu <x@xet7.org>	2019-12-20 16:10:26 +0200
committer	Lauri Ojansivu <x@xet7.org>	2019-12-20 16:10:26 +0200
commit	afe7d4991d09192d416cc1f82c85e5febe22487e (patch)
tree	f5cab56a793f3332581b0c4071ad30912fd8a6b6 /models/cards.js
parent	2dafde8db9ddbc397e5906aa34cc479c36bf7b3a (diff)
parent	0649add494d31f51378cf40a0416825accc55a8f (diff)
download	wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.gz wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.tar.bz2 wekan-afe7d4991d09192d416cc1f82c85e5febe22487e.zip