github-mirrors/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-04-22 21:17:18 -04:00
Code Issues Projects Releases Packages Wiki Activity

Allow board members to use more of API. Please add issue (or pull request) if this allows too much.

Browse source 
Thanks to JayVii and xet7 !

Fixes #3862
This commit is contained in:
Lauri Ojansivu 2021-06-14 15:01:37 +03:00
parent 50fa8a0743
commit a719e8fda1
8 changed files with 40 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

6
models/boards.js
View file

@ -1678,7 +1678,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('GET', '/api/boards', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: Boards.find(
@ -1852,7 +1853,8 @@ if (Meteor.isServer) {
* @return_type string
*/
JsonRoutes.add('PUT', '/api/boards/:boardId/labels', function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const id = req.params.boardId;
try {
if (req.body.hasOwnProperty('label')) {

8
models/cardComments.js
View file

@ -192,8 +192,8 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCardId = req.params.cardId;
JsonRoutes.sendResult(res, {
code: 200,
@ -230,8 +230,8 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments/:commentId',
function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId;
JsonRoutes.sendResult(res, {
@ -266,8 +266,8 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments',
function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCardId = req.params.cardId;
const id = CardComments.direct.insert({
userId: req.body.authorId,
@ -312,8 +312,8 @@ if (Meteor.isServer) {
'/api/boards/:boardId/cards/:cardId/comments/:commentId',
function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId;
CardComments.remove({

4
models/cards.js
View file

@ -3308,8 +3308,8 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/lists/:listId/cards/:cardId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCardId = req.params.cardId;
const paramListId = req.params.listId;
@ -3666,8 +3666,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/lists/:listId/cards/:cardId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramListId = req.params.listId;
const paramCardId = req.params.cardId;

9
models/checklistItems.js
View file

@ -265,7 +265,8 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramItemId = req.params.itemId;
const checklistItem = ChecklistItems.findOne({ _id: paramItemId });
if (checklistItem) {
@ -298,7 +299,8 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramItemId = req.params.itemId;
@ -349,7 +351,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramItemId = req.params.itemId;
ChecklistItems.direct.remove({ _id: paramItemId });
JsonRoutes.sendResult(res, {

9
models/checklists.js
View file

@ -204,7 +204,8 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCardId = req.params.cardId;
const checklists = Checklists.find({ cardId: paramCardId }).map(function(
doc,
@ -247,7 +248,8 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramChecklistId = req.params.checklistId;
const paramCardId = req.params.cardId;
const checklist = Checklists.findOne({
@ -351,7 +353,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramChecklistId = req.params.checklistId;
Checklists.remove({ _id: paramChecklistId });
JsonRoutes.sendResult(res, {

21
models/customFields.js
View file

@ -294,8 +294,8 @@ if (Meteor.isServer) {
req,
res,
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
JsonRoutes.sendResult(res, {
code: 200,
data: CustomFields.find({ boardIds: { $in: [paramBoardId] } }).map(
@ -323,8 +323,8 @@ if (Meteor.isServer) {
'GET',
'/api/boards/:boardId/custom-fields/:customFieldId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCustomFieldId = req.params.customFieldId;
JsonRoutes.sendResult(res, {
code: 200,
@ -353,8 +353,8 @@ if (Meteor.isServer) {
req,
res,
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const board = Boards.findOne({ _id: paramBoardId });
const id = CustomFields.direct.insert({
name: req.body.name,
@ -396,7 +396,8 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/custom-fields/:customFieldId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramFieldId = req.params.customFieldId;
@ -461,7 +462,8 @@ if (Meteor.isServer) {
'POST',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramCustomFieldId = req.params.customFieldId;
const paramItems = req.body.items;
@ -504,7 +506,8 @@ if (Meteor.isServer) {
'PUT',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramDropdownItemId = req.params.dropdownItemId;
const paramCustomFieldId = req.params.customFieldId;
@ -545,7 +548,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
(req, res) => {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
paramCustomFieldId = req.params.customFieldId;
paramDropdownItemId = req.params.dropdownItemId;
@ -580,7 +584,8 @@ if (Meteor.isServer) {
'DELETE',
'/api/boards/:boardId/custom-fields/:customFieldId',
function(req, res) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramBoardId = req.params.boardId;
const id = req.params.customFieldId;
CustomFields.remove({ _id: id, boardIds: { $in: [paramBoardId] } });

6
models/lists.js
View file

@ -531,7 +531,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('POST', '/api/boards/:boardId/lists', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramBoardId = req.params.boardId;
const board = Boards.findOne(paramBoardId);
const id = Lists.insert({
@ -569,7 +570,8 @@ if (Meteor.isServer) {
res,
) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const paramBoardId = req.params.boardId;
const paramListId = req.params.listId;
Lists.remove({ _id: paramListId, boardId: paramBoardId });

2
models/swimlanes.js
View file

@ -454,8 +454,8 @@ if (Meteor.isServer) {
*/
JsonRoutes.add('POST', '/api/boards/:boardId/swimlanes', function(req, res) {
try {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
Authentication.checkBoardAccess(req.userId, paramBoardId);
const board = Boards.findOne(paramBoardId);
const id = Swimlanes.insert({
title: req.body.title,