From 40c70c439d3d6ac5a9affe52d386201e7da865b9 Mon Sep 17 00:00:00 2001
From: Robert Lebedeu <robert.lebedeu@mynet.it>
Date: Tue, 17 Dec 2019 12:15:06 +0100
Subject: Allow card creation for board members - Only for members with card
 add permission

---
 models/cards.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'models/cards.js')

diff --git a/models/cards.js b/models/cards.js
index 816132fe..496c69b3 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -2003,8 +2003,15 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
-    Authentication.checkUserId(req.userId);
+    // Check user is logged in
+    Authentication.checkLoggedIn(req.userId);
     const paramBoardId = req.params.boardId;
+    // Check user has permission to add card to the board
+    const board = Boards.findOne({
+      _id: paramBoardId
+    });
+    const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
+    Authentication.checkAdminOrCondition(req.userId, addPermission);
     const paramListId = req.params.listId;
     const paramParentId = req.params.parentId;
     const currentCards = Cards.find(
-- 
cgit v1.2.3-1-g7c22