Security Fix: Fix AdminBleed in WeKan, so that a non-admin cannot change to Admin.

Thanks to Christian Pöschl of usd AG Responsible Disclosure Team for reporting and xet7 for fixing!
pull/4910/head
Lauri Ojansivu 2 years ago
parent 11b61b8fe2
commit cbad4cf594
      models/users.js

@ -539,6 +539,15 @@ Users.allow({
fetch: [],
});
// Non-Admin users can not change to Admin
Users.deny({
update(userId, board, fieldNames) {
return _.contains(fieldNames, 'isAdmin') && !Meteor.user().isAdmin;
},
fetch: [],
});
// Search a user in the complete server database by its name, username or emails adress. This
// is used for instance to add a new user to a board.
UserSearchIndex = new Index({
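Review bot: the new deny rule dereferences `Meteor.user().isAdmin` with no null check, so an update attempted from a connection with no logged-in user (where `Meteor.user()` returns null) throws a TypeError inside the rule instead of returning a clean boolean; the callback already receives `userId` as its first argument, so resolve the user from that and guard it, e.g. `const user = Meteor.users.findOne(userId); return _.contains(fieldNames, 'isAdmin') && !(user && user.isAdmin);`. As a style point, the second parameter is named `board`, but for a rule on the `Users` collection it is the user document being updated, so `doc` would be the accurate name.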
