From aac7c380c8c389b0683b2bd64e2cc856993f0e30 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Sun, 1 Mar 2020 20:59:53 +0200
Subject: - Fix critical and moderate security vulnerabilities reported at 2020-02-26 with responsible disclosure by [Dejan Zelic](https://twitter.com/dejandayoff), Justin Benjamin and others at [Offensive Security](https://twitter.com/offsectraining), that follow standard 90 days before public disclosure. Thanks to xet7.
- Fix webhook error that prevented some card etc deleting from web UI of board. Thanks to xet7.
- Add some more Font Awesome icons. Thanks to xet7.
- Remove autofocus from many form input boxes so that they would not cause warnings. Thanks to xet7.
---
 models/activities.js | 9 ++-
 models/users.js | 169 +++++++++++++++++++++++++++------------------------
 2 files changed, 95 insertions(+), 83 deletions(-)
(limited to 'models')
diff --git a/models/activities.js b/models/activities.js
index 19e3fb7d..568859a9 100644
--- a/models/activities.js
+++ b/models/activities.js
@@ -108,7 +108,7 @@ if (Meteor.isServer) {
 let participants = [];
 let watchers = [];
 let title = 'act-activity-notify';
- let board = null;
+ const board = Boards.findOne(activity.boardId);
 const description = `act-${activity.activityType}`;
 const params = {
 activityId: activity._id,
@@ -122,8 +122,11 @@ if (Meteor.isServer) {
 params.userId = activity.userId;
 }
 if (activity.boardId) {
- board = activity.board();
- params.board = board.title;
+ if (board.title.length > 0) {
+ params.board = board.title;
+ } else {
+ params.board = '';
+ }
 title = 'act-withBoardTitle';
 params.url = board.absoluteUrl();
 params.boardId = activity.boardId;
diff --git a/models/users.js b/models/users.js
index 00076253..d56f14ff 100644
--- a/models/users.js
+++ b/models/users.js
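Review bot: `const board = Boards.findOne(activity.boardId);` now issues the lookup for every activity, including those with no `boardId`, whereas the removed code only fetched the board inside the `if (activity.boardId)` branch in the next hunk. Meteor appears to rewrite a falsy selector so that it matches nothing, so this is probably a wasted round-trip rather than a wrong document, but that is worth confirming against the Meteor version in use. Keeping the fetch conditional is cheaper and makes the intent explicit: `const board = activity.boardId ? Boards.findOne(activity.boardId) : null;`. The enclosing hook starts before this hunk.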
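Review bot: `if (board.title.length > 0)` and the later `board.absoluteUrl()` dereference `board` unconditionally, but `Boards.findOne(activity.boardId)` returns `undefined` whenever the referenced board no longer exists or `boardId` is stale, so the hook still throws a `TypeError` in exactly the situation the fallback to `''` was meant to handle. A board document whose `title` field is missing would likewise throw on `.length`. Guard the object once instead of the string length: `params.board = board && board.title ? board.title : '';` and `if (board) params.url = board.absoluteUrl();`, or skip the whole board block when `!board`. The enclosing `if (Meteor.isServer)` hook begins before the hunk and continues after it.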
@@ -620,44 +620,6 @@ Users.mutations({
 });
 Meteor.methods({
- setCreateUser(fullname, username, password, isAdmin, isActive, email) {
- if (Meteor.user().isAdmin) {
- check(fullname, String);
- check(username, String);
- check(password, String);
- check(isAdmin, String);
- check(isActive, String);
- check(email, String);
-
- const nUsersWithUsername = Users.find({ username }).count();
- const nUsersWithEmail = Users.find({ email }).count();
- if (nUsersWithUsername > 0) {
- throw new Meteor.Error('username-already-taken');
- } else if (nUsersWithEmail > 0) {
- throw new Meteor.Error('email-already-taken');
- } else {
- Accounts.createUser({
- fullname,
- username,
- password,
- isAdmin,
- isActive,
- email: email.toLowerCase(),
- from: 'admin',
- });
- }
- }
- },
- setUsername(username, userId) {
- check(username, String);
- check(userId, String);
- const nUsersWithUsername = Users.find({ username }).count();
- if (nUsersWithUsername > 0) {
- throw new Meteor.Error('username-already-taken');
- } else {
- Users.update(userId, { $set: { username } });
- }
- },
 setListSortBy(value) {
 check(value, String);
 Meteor.user().setListSortBy(value);
@@ -678,51 +640,97 @@ Meteor.methods({
 check(limit, Number);
 Meteor.user().setShowCardsCountAt(limit);
 },
- setEmail(email, userId) {
- if (Array.isArray(email)) {
- email = email.shift();
- }
- check(email, String);
- const existingUser = Users.findOne(
- { 'emails.address': email },
- { fields: { _id: 1 } },
- );
- if (existingUser) {
- throw new Meteor.Error('email-already-taken');
- } else {
- Users.update(userId, {
- $set: {
- emails: [
- {
- address: email,
- verified: false,
- },
- ],
- },
- });
- }
- },
- setUsernameAndEmail(username, email, userId) {
- check(username, String);
- if (Array.isArray(email)) {
- email = email.shift();
- }
- check(email, String);
- check(userId, String);
- Meteor.call('setUsername', username, userId);
- Meteor.call('setEmail', email, userId);
- },
- setPassword(newPassword, userId) {
- check(userId, String);
- check(newPassword, String);
- if (Meteor.user().isAdmin) {
- Accounts.setPassword(userId, newPassword);
- }
- },
 });
 if (Meteor.isServer) {
 Meteor.methods({
+ setCreateUser(fullname, username, password, isAdmin, isActive, email) {
+ if (Meteor.user() && Meteor.user().isAdmin) {
+ check(fullname, String);
+ check(username, String);
+ check(password, String);
+ check(isAdmin, String);
+ check(isActive, String);
+ check(email, String);
+
+ const nUsersWithUsername = Users.find({ username }).count();
+ const nUsersWithEmail = Users.find({ email }).count();
+ if (nUsersWithUsername > 0) {
+ throw new Meteor.Error('username-already-taken');
+ } else if (nUsersWithEmail > 0) {
+ throw new Meteor.Error('email-already-taken');
+ } else {
+ Accounts.createUser({
+ fullname,
+ username,
+ password,
+ isAdmin,
+ isActive,
+ email: email.toLowerCase(),
+ from: 'admin',
+ });
+ }
+ }
+ },
+ setUsername(username, userId) {
+ if (Meteor.user() && Meteor.user().isAdmin) {
+ check(username, String);
+ check(userId, String);
+ const nUsersWithUsername = Users.find({ username }).count();
+ if (nUsersWithUsername > 0) {
+ throw new 
Meteor.Error('username-already-taken');
+ } else {
+ Users.update(userId, { $set: { username } });
+ }
+ }
+ },
+ setEmail(email, userId) {
+ if (Meteor.user() && Meteor.user().isAdmin) {
+ if (Array.isArray(email)) {
+ email = email.shift();
+ }
+ check(email, String);
+ const existingUser = Users.findOne(
+ { 'emails.address': email },
+ { fields: { _id: 1 } },
+ );
+ if (existingUser) {
+ throw new Meteor.Error('email-already-taken');
+ } else {
+ Users.update(userId, {
+ $set: {
+ emails: [
+ {
+ address: email,
+ verified: false,
+ },
+ ],
+ },
+ });
+ }
+ }
+ },
+ setUsernameAndEmail(username, email, userId) {
+ if (Meteor.user() && Meteor.user().isAdmin) {
+ check(username, String);
+ if (Array.isArray(email)) {
+ email = email.shift();
+ }
+ check(email, String);
+ check(userId, String);
+ Meteor.call('setUsername', username, userId);
+ Meteor.call('setEmail', email, userId);
+ }
+ },
+ setPassword(newPassword, userId) {
+ if (Meteor.user() && Meteor.user().isAdmin) {
+ check(userId, String);
+ check(newPassword, String);
+ if (Meteor.user().isAdmin) {
+ Accounts.setPassword(userId, newPassword);
+ }
+ }
+ },
 // we accept userId, username, email
 inviteUserToBoard(username, boardId) {
 check(username, String);
@@ -754,8 +762,9 @@ if (Meteor.isServer) {
 throw new Meteor.Error('error-user-notAllowSelf');
 } else {
 if (posAt <= 0) throw new Meteor.Error('error-user-doesNotExist');
- if (Settings.findOne().disableRegistration)
+ if (Settings.findOne({ disableRegistration: true })) {
 throw new Meteor.Error('error-user-notCreated');
+ }
 // Set in lowercase email before creating account
 const email = username.toLowerCase();
 username = email.substring(0, posAt);
-- cgit v1.2.3-1-g7c22
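Review bot: The relocated `setEmail` never runs `check(userId, String)` before `Users.update(userId, …)`, while its siblings `setUsername`, `setUsernameAndEmail` and `setPassword` all do; without it an object passed as `userId` is used as a selector and can address a document other than the one intended, so add `check(userId, String);` beside `check(email, String);`. All five server-only methods also fall through and resolve with `undefined` when `Meteor.user()` is missing or not an admin, which hides the denial from both the client and any audit of rejected calls; an explicit `else { throw new Meteor.Error('not-authorized'); }` (or a guard at the top of each method) is the usual Meteor pattern. With that outer guard in place, the inner `if (Meteor.user().isAdmin)` in `setPassword` is redundant and can go. The enclosing `Meteor.methods({` object continues past the end of this hunk.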