From c062bd63bbfceb3a96f23ea3e8696534694db54e Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Sun, 8 Dec 2024 02:56:37 +0200
Subject: [PATCH] Fix in API user role is not considered.

Thanks to mohammadZahedian and xet7 !

Fixes #5422
---
 server/authentication.js | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/server/authentication.js b/server/authentication.js
index f74ffa60f..474de6e25 100644
--- a/server/authentication.js
+++ b/server/authentication.js
@@ -52,14 +52,11 @@ Meteor.startup(() => {
 }
 };
- // Helper function. Will throw an error if the user does not have read only access to the given board
+ // Helper function. Will throw an error if the user is not active BoardAdmin or active Normal user of the board.
 Authentication.checkBoardAccess = function(userId, boardId) {
 Authentication.checkLoggedIn(userId);
-
 const board = ReactiveCache.getBoard(boardId);
- const normalAccess =
- board.permission === 'public' ||
- board.members.some(e => e.userId === userId && e.isActive);
+ const normalAccess = board.members.some(e => e.userId === userId && e.isActive && !e.isNoComments && !e.isCommentOnly && !e.isWorker);
 Authentication.checkAdminOrCondition(userId, normalAccess);
 };
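Review bot: The new `normalAccess` line in `Authentication.checkBoardAccess` still dereferences `board.members` without checking that `ReactiveCache.getBoard(boardId)` returned a board, so an unknown `boardId` supplied by an API caller would presumably surface as a TypeError rather than the helper's authorization error. A guard such as `const members = (board && board.members) || [];` followed by `members.some(...)` would let a missing board fall through to the same denial path as a non-member. The role test is also written as a deny-list (`!e.isNoComments && !e.isCommentOnly && !e.isWorker`), so a member record carrying any restricted-role flag added later is granted access by default; testing for the roles that are allowed, or moving the test into one named predicate, keeps the decision in one place. Because the helper used to document read-only access and the commit also drops the `board.permission === 'public'` branch, callers outside this hunk that only read board data should be confirmed to still get the access they need. A comment on the helper stating that comment-only, no-comments and worker members are rejected would make that contract explicit.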