github-mirrors/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-04-24 05:57:13 -04:00
Code Issues Projects Releases Packages Wiki Activity

More enhancements to Admin Reports and security fixes

Browse source 
* update Boards Report
* use Boards.userBoards() instead of Boards.find() to make sure user has access permission
This commit is contained in:
John Supplee 2021-12-21 02:39:16 +02:00
parent d9c290deda
commit 42610d9642
5 changed files with 107 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

7
client/components/settings/adminReports.jade
View file

@ -154,12 +154,19 @@ template(name="boardsReport")
tr
th Title
th Id
th Permission
th Archived?
th Members
th Organizations
th Teams
each board in results
tr
td {{abbreviate board.title }}
td {{abbreviate board._id }}
td {{ board.permission }}
td
= yesOrNo(board.archived)
td {{userNames board.members }}
else
div {{_ 'no-results' }}

8
client/components/settings/adminReports.js
View file

@ -108,6 +108,14 @@ class AdminReport extends BlazeComponent {
return this.collection.find();
}
yesOrNo(value) {
if (value) {
return TAPi18n.__('yes');
} else {
return TAPi18n.__('no');
}
}
resultsCount() {
return this.collection.find().count();
}

22
models/boards.js
View file

@ -5,6 +5,7 @@ import {
TYPE_TEMPLATE_BOARD,
TYPE_TEMPLATE_CONTAINER,
} from '/config/const';
import Users from "./users";
const escapeForRegex = require('escape-string-regexp');
Boards = new Mongo.Collection('boards');
@ -1485,6 +1486,11 @@ Boards.userBoards = (
selector = {},
projection = {},
) => {
const user = Users.findOne(userId);
if (!user) {
return [];
}
if (typeof archived === 'boolean') {
selector.archived = archived;
}
@ -1492,14 +1498,14 @@ Boards.userBoards = (
selector.type = 'board';
}
selector.$or = [{ permission: 'public' }];
if (userId) {
selector.$or.push(
{ members: { $elemMatch: { userId, isActive: true } } },
projection,
);
}
return Boards.find(selector);
selector.$or = [
{ permission: 'public' },
{ members: { $elemMatch: { userId, isActive: true } } },
{ 'orgs.orgId': { $in: user.orgIds() } },
{ 'teams.teamId': { $in : user.teamIds() } },
];
return Boards.find(selector, projection);
};
Boards.userBoardIds = (userId, archived = false, selector = {}) => {

57
models/users.js
View file

@ -519,6 +519,18 @@ Users.helpers({
}
return '';
},
teamIds() {
if (this.teams) {
return this.teams.map(team => { return team.teamId });
}
return [];
},
orgIds() {
if (this.orgs) {
return this.orgs.map(org => { return org.orgId });
}
return [];
},
orgsUserBelongs() {
if (this.orgs) {
return this.orgs.map(function(org){return org.orgDisplayName}).sort().join(',');
@ -544,32 +556,16 @@ Users.helpers({
return '';
},
boards() {
return Boards.find(
{
'members.userId': this._id,
},
{
sort: {
sort: 1 /* boards default sorting */,
},
},
);
return Boards.userBoards(this._id, null, {}, { sort: { sort: 1 } })
},
starredBoards() {
const { starredBoards = [] } = this.profile || {};
return Boards.find(
{
archived: false,
_id: {
$in: starredBoards,
},
},
{
sort: {
sort: 1 /* boards default sorting */,
},
},
return Boards.userBoards(
this._id,
false,
{ _id: { $in: starredBoards } },
{ sort: { sort: 1 } }
);
},
@ -580,18 +576,11 @@ Users.helpers({
invitedBoards() {
const { invitedBoards = [] } = this.profile || {};
return Boards.find(
{
archived: false,
_id: {
$in: invitedBoards,
},
},
{
sort: {
sort: 1 /* boards default sorting */,
},
},
return Boards.userBoards(
this._id,
false,
{ _id: { $in: invitedBoards } },
{ sort: { sort: 1 } }
);
},

97
server/publications/boards.js
View file

@ -3,41 +3,46 @@
// 1. that the user is a member of
// 2. the user has starred
import Users from "../../models/users";
import Org from "../../models/org";
import Team from "../../models/team";
Meteor.publish('boards', function() {
const userId = this.userId;
// Ensure that the user is connected. If it is not, we need to return an empty
// array to tell the client to remove the previously published docs.
if (!Match.test(userId, String) || !userId) return [];
if (!Match.test(userId, String) || !userId) {
return [];
}
// Defensive programming to verify that starredBoards has the expected
// format -- since the field is in the `profile` a user can modify it.
const { starredBoards = [] } = (Users.findOne(userId) || {}).profile || {};
check(starredBoards, [String]);
// const { starredBoards = [] } = (Users.findOne(userId) || {}).profile || {};
// check(starredBoards, [String]);
let currUser = Users.findOne(userId);
let orgIdsUserBelongs = currUser!== 'undefined' && currUser.teams !== 'undefined' ? currUser.orgIdsUserBelongs() : '';
let teamIdsUserBelongs = currUser!== 'undefined' && currUser.teams !== 'undefined' ? currUser.teamIdsUserBelongs() : '';
let orgsIds = [];
let teamsIds = [];
if(orgIdsUserBelongs && orgIdsUserBelongs != ''){
orgsIds = orgIdsUserBelongs.split(',');
}
if(teamIdsUserBelongs && teamIdsUserBelongs != ''){
teamsIds = teamIdsUserBelongs.split(',');
}
// let currUser = Users.findOne(userId);
// let orgIdsUserBelongs = currUser!== 'undefined' && currUser.teams !== 'undefined' ? currUser.orgIdsUserBelongs() : '';
// let teamIdsUserBelongs = currUser!== 'undefined' && currUser.teams !== 'undefined' ? currUser.teamIdsUserBelongs() : '';
// let orgsIds = [];
// let teamsIds = [];
// if(orgIdsUserBelongs && orgIdsUserBelongs != ''){
// orgsIds = orgIdsUserBelongs.split(',');
// }
// if(teamIdsUserBelongs && teamIdsUserBelongs != ''){
// teamsIds = teamIdsUserBelongs.split(',');
// }
return Boards.find(
{
archived: false,
$or: [
{
// _id: { $in: starredBoards }, // Commented out, to get a list of all public boards
permission: 'public',
},
{ members: { $elemMatch: { userId, isActive: true } } },
{'orgs.orgId': {$in : orgsIds}},
{'teams.teamId': {$in : teamsIds}},
],
_id: { $in: Boards.userBoardIds(userId, false) },
// $or: [
// {
// // _id: { $in: starredBoards }, // Commented out, to get a list of all public boards
// permission: 'public',
// },
// { members: { $elemMatch: { userId, isActive: true } } },
// {'orgs.orgId': {$in : orgsIds}},
// {'teams.teamId': {$in : teamsIds}},
// ],
},
{
fields: {
@ -66,16 +71,9 @@ Meteor.publish('boardsReport', function() {
// array to tell the client to remove the previously published docs.
if (!Match.test(userId, String) || !userId) return [];
boards = Boards.find(
const boards = Boards.find(
{
archived: false,
$or: [
{
// _id: { $in: starredBoards }, // Commented out, to get a list of all public boards
permission: 'public',
},
{ members: { $elemMatch: { userId, isActive: true } } },
],
_id: { $in: Boards.userBoardIds(userId, null) },
},
{
fields: {
@ -97,18 +95,32 @@ Meteor.publish('boardsReport', function() {
},
);
const users = [];
const userIds = [];
const orgIds = [];
const teamIds = [];
boards.forEach(board => {
if (board.members) {
board.members.forEach(member => {
users.push(member.userId);
userIds.push(member.userId);
});
}
if (board.orgs) {
board.orgs.forEach(org => {
orgIds.push(org.orgId);
});
}
if (board.teams) {
board.teams.forEach(team => {
teamIds.push(team.teamId);
});
}
})
return [
boards,
Users.find({ _id: { $in: users } }, { fields: Users.safeFields }),
Users.find({ _id: { $in: userIds } }, { fields: Users.safeFields }),
Team.find({ _id: { $in: teamIds } }),
Org.find({ _id: { $in: orgIds } }),
]
});
@ -118,13 +130,14 @@ Meteor.publish('archivedBoards', function() {
return Boards.find(
{
archived: true,
members: {
$elemMatch: {
userId,
isAdmin: true,
},
},
_id: { $in: Boards.userBoardIds(userId, true)},
// archived: true,
// members: {
// $elemMatch: {
// userId,
// isAdmin: true,
// },
// },
},
{
fields: {