Security Fix: Fix AdminBleed in WeKan, so that non-admin can not change to Admin.

Thanks to Christian Pöschl of usd AG Responsible Disclosure Team for reporting and xet7 for fixing !
2025-04-23 13:37:09 -04:00 · 2023-04-25 01:54:53 +03:00 · 2023-04-25 01:54:53 +03:00 · cbad4cf594
commit cbad4cf594
parent 11b61b8fe2
1 changed files with 9 additions and 0 deletions
--- a/models/users.js
+++ b/models/users.js
@ -539,6 +539,15 @@ Users.allow({
  fetch: [],
 });

+// Non-Admin users can not change to Admin
+Users.deny({
+  update(userId, board, fieldNames) {
+    return _.contains(fieldNames, 'isAdmin') && !Meteor.user().isAdmin;
+  },
+  fetch: [],
+});
+
+
 // Search a user in the complete server database by its name, username or emails adress. This
 // is used for instance to add a new user to a board.
 UserSearchIndex = new Index({