From aac7c380c8c389b0683b2bd64e2cc856993f0e30 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu <x@xet7.org>
Date: Sun, 1 Mar 2020 20:59:53 +0200
Subject: - Fix critical and moderate security vulnerabilities reported at
 2020-02-26 with   responsible disclosure by [Dejan
 Zelic](https://twitter.com/dejandayoff),   Justin Benjamin and others at
 [Offensive Security](https://twitter.com/offsectraining),   that follow
 standard 90 days before public disclosure.   Thanks to xet7. - Fix webhook
 error that prevented some card etc deleting from web UI of board.   Thanks to
 xet7. - Add some more Font Awesome icons.   Thanks to xet7. - Remove
 autofocus from many form input boxes so that they would not cause warnings.  
 Thanks to xet7.

---
 models/activities.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'models/activities.js')

diff --git a/models/activities.js b/models/activities.js
index 19e3fb7d..568859a9 100644
--- a/models/activities.js
+++ b/models/activities.js
@@ -108,7 +108,7 @@ if (Meteor.isServer) {
     let participants = [];
     let watchers = [];
     let title = 'act-activity-notify';
-    let board = null;
+    const board = Boards.findOne(activity.boardId);
     const description = `act-${activity.activityType}`;
     const params = {
       activityId: activity._id,
@@ -122,8 +122,11 @@ if (Meteor.isServer) {
       params.userId = activity.userId;
     }
     if (activity.boardId) {
-      board = activity.board();
-      params.board = board.title;
+      if (board.title.length > 0) {
+        params.board = board.title;
+      } else {
+        params.board = '';
+      }
       title = 'act-withBoardTitle';
       params.url = board.absoluteUrl();
       params.boardId = activity.boardId;
-- 
cgit v1.2.3-1-g7c22


From 4d066b1f3095326c6ef085ccc405bb1e19f0dd03 Mon Sep 17 00:00:00 2001
From: Jonathan Baird <jonathan@smithbox.com>
Date: Wed, 8 Apr 2020 11:54:00 -0600
Subject: stop notifying users about their own behavior

---
 models/activities.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'models/activities.js')

diff --git a/models/activities.js b/models/activities.js
index 568859a9..b5fcb7d8 100644
--- a/models/activities.js
+++ b/models/activities.js
@@ -282,7 +282,10 @@ if (Meteor.isServer) {
       );
     }
     Notifications.getUsers(watchers).forEach(user => {
-      Notifications.notify(user, title, description, params);
+      // don't notify a user of their own behavior
+      if (user._id !== userId) {
+        Notifications.notify(user, title, description, params);
+      }
     });
 
     const integrations = Integrations.find({
-- 
cgit v1.2.3-1-g7c22