-rw-r--r-- | CHANGELOG.md | 14 | ||||
-rw-r--r-- | client/components/cards/cardDate.js | 9 | ||||
-rw-r--r-- | client/components/cards/minicard.jade | 12 | ||||
-rw-r--r-- | server/publications/people.js | 28 |
4 files changed, 52 insertions, 11 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1957b852..cfe3e672 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,19 @@ This release adds the following new features: -* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031). +* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031); +* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date + 2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685). -Thanks to GitHub user xet7 for contributions. +and fixes the following bugs: + +* [SECURITY FIX: Do not publish all of people collection. This bug has probably been present + since addition of Admin Panel](https://github.com/wekan/wekan/commit/dda49d2f07f9c50d5d57acfd5c7eee6492f93b33); +* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date + 2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685). + +Thanks to GitHub users rjevnikar and xet7 for their contributions. +Thanks to Adrian Genaid for security fix. Thanks to translators. # v1.03 2018-06-08 Wekan release diff --git a/client/components/cards/cardDate.js b/client/components/cards/cardDate.js index 52a48f47..e95c3a23 100644 --- a/client/components/cards/cardDate.js +++ b/client/components/cards/cardDate.js 
@@ -279,11 +279,14 @@ class CardDueDate extends CardDate { classes() { let classes = 'due-date' + ' '; - if (this.now.get().diff(this.date.get(), 'days') >= 2) + if ((this.now.get().diff(this.date.get(), 'days') >= 2) && + (this.date.get().isBefore(this.data().endAt))) classes += 'long-overdue'; - else if (this.now.get().diff(this.date.get(), 'minute') >= 0) + else if ((this.now.get().diff(this.date.get(), 'minute') >= 0) && + (this.date.get().isBefore(this.data().endAt))) classes += 'due'; - else if (this.now.get().diff(this.date.get(), 'days') >= -1) + else if ((this.now.get().diff(this.date.get(), 'days') >= -1) && + (this.date.get().isBefore(this.data().endAt))) classes += 'almost-due'; return classes; } diff --git a/client/components/cards/minicard.jade b/client/components/cards/minicard.jade index aa0708dd..b44021a6 100644 --- a/client/components/cards/minicard.jade +++ b/client/components/cards/minicard.jade @@ -10,12 +10,22 @@ template(name="minicard") +viewer = title .dates + if receivedAt + unless startAt + unless dueAt + unless endAt + .date + +miniCardReceivedDate if startAt .date +minicardStartDate if dueAt + unless endAt + .date + +minicardDueDate + if endAt .date - +minicardDueDate + +minicardEndDate if spentTime .date +cardSpentTime diff --git a/server/publications/people.js b/server/publications/people.js index f3c2bdfe..7c13bdcc 100644 --- a/server/publications/people.js +++ b/server/publications/people.js 
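Review bot: All three branches of `classes()` now also require `this.date.get().isBefore(this.data().endAt)`, and nothing in the hunk handles a card with no `endAt`: depending on how the date library treats a missing argument, the comparison is either false or made against the current time, so a card with only a due date may lose its `almost-due` (or every) highlight. If such cards should keep their highlighting, compute the condition once before the chain, e.g. `const endAt = this.data().endAt;` and `const beforeEnd = !endAt || this.date.get().isBefore(endAt);`, and use `beforeEnd` in each branch. That also removes the triple repetition of the same expression.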
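Review bot: The added `+miniCardReceivedDate` is spelled with a capital `C`, while the neighbouring includes are `+minicardStartDate`, `+minicardDueDate` and `+minicardEndDate`. Template names are case-sensitive, and the registration is not visible in this diff, so confirm that a template with exactly this name exists; otherwise rename it to `+minicardReceivedDate` to match its siblings. The template body continues outside the hunk.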
@@ -1,7 +1,25 @@
-Meteor.publish('people', (limit) => {
+Meteor.publish('people', function(limit) {
 check(limit, Number);
- return Users.find({}, {
- limit,
- sort: {createdAt: -1},
- });
+
+ if (!Match.test(this.userId, String)) {
+ return [];
+ }
+
+ const user = Users.findOne(this.userId);
+ if (user && user.isAdmin) {
+ return Users.find({}, {
+ limit,
+ sort: {createdAt: -1},
+ fields: {
+ 'username': 1,
+ 'profile.fullname': 1,
+ 'isAdmin': 1,
+ 'emails': 1,
+ 'createdAt': 1,
+ 'loginDisabled': 1,
+ },
+ });
+ } else {
+ return [];
+ }
 }); |
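Review bot: The `user.isAdmin` test in the new publish function runs once, when the subscription starts, so an account whose admin flag is cleared afterwards appears to keep receiving the `Users.find({}, …)` cursor until it resubscribes or reconnects; Meteor re-runs a publication only when `this.userId` changes. If revocation has to take effect immediately, the publication should watch the caller's own `isAdmin` field and stop the subscription when it changes. Also, `check(limit, Number)` still lets through `0`, negative values, fractions and `NaN`; `check(limit, Match.Integer)` followed by an upper bound would keep the result set bounded. `Users.findOne(this.userId)` could pass `{fields: {isAdmin: 1}}`, since only that flag is read.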