Commit Graph

  • 1ed942bb8a Updated translations. main Lauri Ojansivu 2026-06-13 09:09:57 +0300
  • 179157ccd2 Updated translations. Lauri Ojansivu 2026-06-13 07:45:56 +0300
  • 3e36b931a6 Updated translations. Lauri Ojansivu 2026-06-13 06:57:06 +0300
  • c9e60847d0 Updated translations. Lauri Ojansivu 2026-06-13 06:35:09 +0300
  • 4d83dc0c05 Updated translations. Lauri Ojansivu 2026-06-13 05:45:53 +0300
  • 995965d157 Updated translations. Lauri Ojansivu 2026-06-13 03:01:17 +0300
  • 15fbb314b0 Updated ChangeLog. Lauri Ojansivu 2026-06-12 20:21:35 +0300
  • 68e0032c6d Fix Board Export/Import error. Fix import/clone of inconsistent board JSON so the newest WeKan can import board exports from any newer or older WeKan version. A syntactically valid export can still be internally inconsistent (a board member whose user account was deleted is no longer in the export's `users`, cards pointing at a missing `listId`, orphaned checklists, or a missing `lists` array). Such exports previously failed import as "error-json-malformed" or silently dropped data (cards with an undefined list never rendered). The importer now skips dangling user references in the member mapper (client `wekanMembersMapper`, server `wekanmapper` used by board cloning, and `WekanCreator`), falls back to the first imported list — creating one default list when the export has none — for cards with a dangling `listId`, and skips orphaned checklists whose card is missing. The importer remains version-agnostic: it never reads `_format`, normalizes old `id` vs `_id` fields, and ignores the source `boardId`. Added `tests/wekanCreator.inconsistent.test.js` covering these cases. Lauri Ojansivu 2026-06-12 20:15:56 +0300
  • cffca535b5 Updated ChangeLog. Lauri Ojansivu 2026-06-12 19:49:07 +0300
  • b2d2632e3b Fix Wrong card number after Import. Lauri Ojansivu 2026-06-12 19:46:39 +0300
  • 119379d4b4 Updated translations. Lauri Ojansivu 2026-06-12 19:46:12 +0300
  • c434f83dfc Bump versions for v9.41 v9.41 github-actions[bot] 2026-06-11 22:17:23 +0000
  • 1527f364b1 Updated ChangeLog. Lauri Ojansivu 2026-06-12 01:13:32 +0300
  • 5779d94d78 Updated translations. Lauri Ojansivu 2026-06-12 01:12:06 +0300
  • 096a3dc46b Add pagination and search to Admin Panel / Reports. Fix pagination at Admin Panel / Organizations and Teams. Lauri Ojansivu 2026-06-12 01:06:28 +0300
  • c883f31d35 Bump versions for v9.40 v9.40 github-actions[bot] 2026-06-11 18:35:38 +0000
  • 1fa9714d4e Updated ChangeLog. Lauri Ojansivu 2026-06-11 21:29:53 +0300
  • 53b64ee222 Fix releasing Helm Charts. Lauri Ojansivu 2026-06-11 21:26:59 +0300
  • e4b8396a3b Bump versions for v9.39 v9.39 github-actions[bot] 2026-06-11 18:19:21 +0000
  • 8cf7e83493 Updated ChangeLog. Lauri Ojansivu 2026-06-11 21:15:15 +0300
  • 68220f944b Fix building Docker image. Lauri Ojansivu 2026-06-11 21:08:33 +0300
  • fc4d84574e Bump versions for v9.38 v9.38 github-actions[bot] 2026-06-11 17:52:20 +0000
  • 2989e1d5b1 Prepare v9.38 release Lauri Ojansivu 2026-06-11 20:47:00 +0300
  • 5844e20d55 Fix Incorrect link in invite email. Lauri Ojansivu 2026-06-11 20:44:25 +0300
  • 2376237b6e Updated ChangeLog. Lauri Ojansivu 2026-06-11 20:23:48 +0300
  • bcf55bdc3a Fix Admin Panel/People View is broken. Lauri Ojansivu 2026-06-11 20:17:51 +0300
  • ac44706461 Updated ChangeLog. Lauri Ojansivu 2026-06-11 20:03:57 +0300
  • 928db8d675 Fix Docker image is broken. Lauri Ojansivu 2026-06-11 20:01:16 +0300
  • 5c9407f729 Bump versions for v9.37 v9.37 github-actions[bot] 2026-06-11 14:34:36 +0000
  • 93f50a7fb3 Prepare v9.37 release Lauri Ojansivu 2026-06-11 17:27:45 +0300
  • 39d84f8fe8 Update release website script version numbering. Lauri Ojansivu 2026-06-11 17:25:12 +0300
  • d369a3614a [Fixed BoardBleed: broken access control lets any authenticated user move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)](https://github.com/wekan/wekan/security/advisories/GHSA-gm7v-pc38-53jr) (CWE-284, CWE-639). WeKan boards are membership-scoped, but the DDP collection write policies for Cards, Lists and Swimlanes (`server/permissions/cards.js`, `server/permissions/lists.js`, `server/permissions/swimlanes.js`) authorized an update by checking only the CURRENT (pre-update) `boardId` of the document — i.e. the attacker's own source board — and never validated the NEW `boardId` supplied in the update modifier. Because every logged-in user can create a board where they are admin, an attacker could take a document they own and, in a single `/cards/update`, `/lists/update` or `/swimlanes/update` DDP call, `$set` its `boardId` (plus `swimlaneId`/`listId`) to a victim's private board: the allow rule saw the attacker's own source board, approved the write, and the document was relocated into a board the attacker is not a member of and cannot even read. This let an unprivileged user inject arbitrary cards/lists/swimlanes (attacker-controlled titles, descriptions, assignees, etc.) into any private board by id, defeating board-level access control. The REST API for the same operation (`PUT /api/boards/:boardId/lists/:listId/cards/:cardId` with `newBoardId`) was not affected because it correctly calls `Authentication.checkBoardWriteAccess(req.userId, newBoardId)` on the destination board; only the DDP allow/deny layer was vulnerable. 
Fixed by adding a `denyCrossBoardMove` helper in `server/lib/utils.js` and a `Cards.deny`/`Lists.deny`/`Swimlanes.deny` `update` rule on each collection that rejects any update whose modifier `$set`s a `boardId` on which the caller does not have write access, so a cross-board move is only allowed into a destination board where the user is an active write-capable member. Affected Wekan v9.35 and earlier. Lauri Ojansivu 2026-06-11 17:13:06 +0300
  • 078ab4125e Release scripts: Fix Launchpad build Snap. Lauri Ojansivu 2026-06-11 06:34:29 +0300
  • 3f0dc8b7be Bump versions for v9.36 github-actions[bot] 2026-06-11 02:25:57 +0000
  • c020e09aff Release scripts: Removed build-mac-amd64 that does work. Lauri Ojansivu 2026-06-11 05:15:37 +0300
  • b0c007d44f Updated GitHub workflows. Lauri Ojansivu 2026-06-11 01:49:43 +0300
  • b777ee2a12 Bump versions for v9.36 v9.36 github-actions[bot] 2026-06-10 21:19:30 +0000
  • b328cae552 Prepare v9.36 release Lauri Ojansivu 2026-06-11 00:10:49 +0300
  • 5357bb47c3 Updated release scripts. Lauri Ojansivu 2026-06-10 23:49:17 +0300
  • 447877733b Updated dependencies. Lauri Ojansivu 2026-06-10 22:23:27 +0300
  • feb491f8d4 Updated ChangeLog. Lauri Ojansivu 2026-06-10 21:48:16 +0300
  • 8f59d76a4e Update release scripts, trying to fix GitHub Actions builds. Lauri Ojansivu 2026-06-10 21:46:00 +0300
  • 3a52565ab4 Updated ChangeLog. Lauri Ojansivu 2026-06-10 19:42:32 +0300
  • 08ae61161c [Fixed TokenBleed: unauthenticated login-token minting via un-awaited auth check in `POST /api/createtoken/:userId`](https://github.com/wekan/wekan/blob/main/CHANGELOG.md) (CWE-863, CWE-287). `Authentication.checkUserId` in `server/authentication.js` is an `async` function, so its 401 (undefined `userId`) and 403 (not an admin) throws become rejected promises rather than synchronous exceptions. The REST handlers in `server/models/users.js` and `server/models/boards.js` called it without `await` inside a plain synchronous `try/catch`, which cannot catch a rejected promise, so the failed check never stopped execution. `POST /api/createtoken/:userId` then went on to mint and return a usable login token for any user ID in the URL — including an admin — with no credentials at all (unauthenticated account takeover). The same detached-rejection bypass also affected `GET /api/users`, `GET /api/users/:userId`, `PUT /api/users/:userId`, `POST /api/users/`, `DELETE /api/users/:userId`, `POST /api/deletetoken`, `GET /api/boards`, `GET /api/boards_count`, `DELETE /api/boards/:boardId`, `GET /api/users/:userId/boards` and `POST /api/boards/:boardId/copy`. Fixed by awaiting every async `Authentication` check (and making the two non-`async` handlers `async`) so a failed check rejects before any privileged code runs. The same un-awaited pattern in the board/card/Excel/PDF export handlers (`models/export.js`, `models/exportExcel.js`, `models/exportExcelCard.js`, `models/exportPDF.js`, which were backstopped by `exporter.canExport()`) and in the checklist-create handler (`server/models/checklists.js`) was given the same await pass. Affected Wekan v9.35 and earlier. Lauri Ojansivu 2026-06-10 19:39:05 +0300
  • 1835245943 Updated translations Lauri Ojansivu 2026-06-10 18:37:30 +0300
  • 83de473e4e Updated ChangeLog. Lauri Ojansivu 2026-06-10 18:32:03 +0300
  • a532ee7f14 Fix tests. Lauri Ojansivu 2026-06-10 18:29:58 +0300
  • f00b265b34 Updated ChangeLog. Lauri Ojansivu 2026-06-10 14:13:39 +0300
  • 2931cc990f Add more API and fix API. Lauri Ojansivu 2026-06-10 14:33:15 +0300
  • 25a4672d6d Update build scripts. Lauri Ojansivu 2026-06-10 11:57:04 +0300
  • 969a4016ee Update rebuild-wekan.sh Node.js version Lauri Ojansivu 2026-06-10 11:25:06 +0300
  • 5c2d7079ce Updated ChangeLog. Lauri Ojansivu 2026-06-08 22:06:29 +0300
  • d1c71d0526 Updated Code of Conduct. Lauri Ojansivu 2026-06-08 22:04:32 +0300
  • 1fa2ab0146 Updated ChangeLog. Lauri Ojansivu 2026-06-08 21:24:52 +0300
  • 26a03f4845 Improved CONTRIBUTING.md . Lauri Ojansivu 2026-06-08 21:22:27 +0300
  • 58bfad3adf Updated ChangeLog. Lauri Ojansivu 2026-06-08 20:46:29 +0300
  • f1c2f1f40f Improved Security Advisory process. Lauri Ojansivu 2026-06-08 20:43:54 +0300
  • 7d3e8eb89f Updated ChangeLog. Lauri Ojansivu 2026-06-07 01:00:36 +0300
  • 3fe8f602c8 Fix LDAP_SYNC_ADMIN_GROUPS so that admin status sync and group/role sync no longer require LDAP_GROUP_FILTER_ENABLE=true, which only controls the login restriction filter. Lauri Ojansivu 2026-06-07 00:58:46 +0300
  • d87eed36a0 Updated ChangeLog. Lauri Ojansivu 2026-06-07 00:48:16 +0300
  • 9cc0660410 Fix MultiSelect, so that it's possible to click select checkbox or minicard to select. Lauri Ojansivu 2026-06-07 00:45:56 +0300
  • 58ff88890d Updated ChangeLog. Lauri Ojansivu 2026-06-06 23:07:26 +0300
  • 77d60b21a1 Fix Admin Panel / Reports icons and spacing. Lauri Ojansivu 2026-06-06 23:05:12 +0300
  • 9df2db0314 Updated translations. Lauri Ojansivu 2026-06-06 22:51:30 +0300
  • 91839cf3ef Updated translations. Lauri Ojansivu 2026-06-06 22:39:05 +0300
  • 74f2352387 v9.35 v9.35 Lauri Ojansivu 2026-06-06 10:54:38 +0300
  • f299ca1285 Updated translations. Lauri Ojansivu 2026-06-06 10:29:24 +0300
  • f47e67b5b4 Fixed Move Attachments and Avatars. Lauri Ojansivu 2026-06-06 10:19:03 +0300
  • fe16b94c1e Updated ChangeLog. Lauri Ojansivu 2026-06-06 09:59:16 +0300
  • b77b62bfa2 Ask to install npm dependencies before running tests. Lauri Ojansivu 2026-06-06 09:57:06 +0300
  • 43d8bf1b92 Updated ChangeLog. Lauri Ojansivu 2026-06-06 09:31:39 +0300
  • dca9427bfb New features: Lauri Ojansivu 2026-06-06 09:28:05 +0300
  • 7f17616b75 Updated translations. Lauri Ojansivu 2026-06-06 09:23:15 +0300
  • 4a9dcdd0ef Updated translations. Lauri Ojansivu 2026-06-06 08:41:23 +0300
  • a1a4176ffb Updated ChangeLog. Lauri Ojansivu 2026-06-06 07:30:45 +0300
  • a86a087915 New features: Lauri Ojansivu 2026-06-06 07:21:59 +0300
  • f9ace4cde9 Updated translations. Lauri Ojansivu 2026-06-06 06:47:36 +0300
  • 4677324425 Updated translations. Lauri Ojansivu 2026-06-06 05:23:18 +0300
  • 7e5852c62c Updated ChangeLog. Lauri Ojansivu 2026-06-06 04:23:25 +0300
  • e01f99eb52 Fix Dropdown list cannot be created with values. Lauri Ojansivu 2026-06-06 04:19:03 +0300
  • 8ff9a41f2d Updated ChangeLog. Lauri Ojansivu 2026-06-06 04:14:25 +0300
  • 075e86b00e **Fixed new checklists (and checklist items) on a newly added card not being visible until logout/login.** The `board` publication batched checklists, checklist items, comments and attachments into board-level cursors filtered by `cardId: { $in: cardIds }`, where `cardIds` was a one-time snapshot. In `reywood:publish-composite` a child cursor only re-runs when its parent (the board) document changes, so the snapshot never refreshed when a card was added — a checklist on a card created after subscribing matched no published card and only appeared on the next subscribe (logout/login). This was a regression from the "Optimized board loading" change, which had replaced the original reactive per-card child cursors with these batched snapshots. Fixed by **denormalizing a `boardId` field onto `Checklists` and `ChecklistItems`** so they can be published with a single board-level cursor filtered by `boardId` — one cursor per collection (keeping the load optimization) that still reacts to checklists on newly added cards, because a new checklist is created already carrying the board's id. `boardId` is set on insert (server `before.insert` hooks, plus explicitly in the Trello/WeKan board importers, which use `direct.insert` and bypass hooks), re-derived when a checklist/item or its card moves to another card (`before.update` on `cardId`) or the card moves to another board (`Cards.after.update` cascade), and backfilled for existing data by an idempotent startup migration. New `{ boardId: 1 }` indexes were added on both collections. Comments and attachments instead remain reactive as per-card children of the cards cursor. Assigned-only board members still only receive checklists for cards assigned to them (the board-level cursor falls back to the assigned cards' ids for those roles). Lauri Ojansivu 2026-06-06 04:02:48 +0300
  • f20080a603 Updated translations. Lauri Ojansivu 2026-06-06 03:26:10 +0300
  • 3594d75b5d Updated ChangeLog. Lauri Ojansivu 2026-06-06 03:13:31 +0300
  • 72767ad9a7 Fixed SyncedCron crash. **Fixed deleting archived lists (or many cards) crashing the server with `SyncedCron: Fatal error encountered (unhandledRejection): TypeError: Cannot read properties of undefined (reading 'boardId')` at `server/models/checklistItems.js`.** Deleting a list cascades into removing its cards, and each card's checklists, checklist items, comments and attachments (`cardRemover` in `models/cards.js`). `Cards.before.remove` called `cardRemover` **without `await`** (and was not `async`), so the card document was deleted first and the cascade then ran with the parent card already gone; the `ChecklistItems.before.remove` / `Checklists.before.remove` hooks dereferenced the now-undefined card (`card.boardId`) and threw, and because the promise was unhandled, SyncedCron caught the rejection and tore down all running cron jobs. Fixed by making `Cards.before.remove` `async` and awaiting `cardRemover` (so sub-items are removed while the card still exists), and the REST card-delete handler now runs `cardRemover` before removing the card. As defense in depth, every card-activity hook and helper that looked up a card and used its `boardId` / `listId` / `swimlaneId` now skips (with a warning) when the parent card — or, for checklist-completion activities, the parent checklist — is missing, instead of throwing: `before.remove` on checklist items and checklists, `Checklists.after.insert`, the `Cards.before.update` timing activity, and the shared `itemCreation` / `publishCheckActivity` / `publishChekListCompleted` / `publishChekListUncompleted` / `commentCreation` helpers (matching the guards already present in `server/models/cardComments.js`). Lauri Ojansivu 2026-06-06 03:10:13 +0300
  • 7db386fda3 Updated ChangeLog. Lauri Ojansivu 2026-06-06 02:55:55 +0300
  • 39f3c89b0a Fixed upgrade crash. Lauri Ojansivu 2026-06-06 02:53:58 +0300
  • 15a598525f Updated ChangeLog. Lauri Ojansivu 2026-06-06 02:10:21 +0300
  • d30803276d **Fixed Admin Panel / Attachments / Move Attachment doing nothing / crashing.** Several issues in the bulk move:
      - The GridFS source matcher required `meta.gridFsFileId` to be *absent*, but Meteor-Files always sets it, so selecting "MongoDB Meteor-Files" matched zero files and "nothing happened". The matcher now recognizes real GridFS files (`versions.*.storage === 'gridfs'` or a `meta.gridFsFileId` reference), and a "nothing to move" message is shown when a source is empty instead of silently doing nothing.
      - Moving files crashed the whole server with `FilesCollection#findOne() not available in server` — `ReactiveCache.getAttachment` used a synchronous `findOne()`; it now uses `findOneAsync()`. The background job is also hardened so a single failing file is skipped instead of crashing the server via an unhandled rejection.
      - The attachment **copy** API now honours the admin API upload limits (it previously skipped them).
    - **Fixed the "MongoDB Meteor-Files" file-count statistic** in Admin Panel / Attachments, which counted *every* attachment metadata document (so files on the Filesystem were wrongly reported as being in GridFS). It now counts only attachments actually stored in GridFS, consistent with the move tool. Also renamed the mislabeled "Mongo-Files" column to "Meteor-Files". Thanks to Claude.
    - **Unified attachment/avatar storage migration: move any → any.** Admin Panel / Attachments / Move Attachment can now move **Attachments, Avatars, or both**, from **any source to any destination** across Filesystem, Meteor-Files GridFS, Cloud (S3/Azure/GCS) and legacy CollectionFS GridFS. The default source is "All Read-enabled storages" (every backend whose Read flag is enabled and whose settings work), so everything can be consolidated into one destination in a single run. All metadata is preserved (board / swimlane / list / card / user / uploaded date / name / type / size), attachment cover references (`cards.coverId`) are remapped when an id changes, and the legacy source is deleted only after the new copy is verified. Thanks to Claude.
    - **Legacy CollectionFS GridFS is now a first-class storage backend** (read, migrate-from, and export-to) for both attachments and avatars, via the new `models/lib/collectionFsStore.js` (binary keyed by `copies.<coll>.key` in the `cfs_gridfs.<coll>` bucket, metadata in `cfs.<coll>.filerecord`). Thanks to Claude.
    - **The storage strategy layer is now collection-aware.** `moveToStorage` and the GridFS/Cloud strategies previously hard-coded the `Attachments` collection, so moving avatars to GridFS/cloud would have updated the wrong collection. The factory now carries its collection (`Attachments` or `Avatars`), so **avatars can be stored in Meteor-Files GridFS and cloud**, not only on the filesystem. Attachment behavior is unchanged. Thanks to Claude.
    - **Read legacy CollectionFS attachments and avatars in place** (without migrating). The backward-compatibility layer (`models/lib/attachmentBackwardCompatibility.js`) was broken — it looked up the GridFS binary by the filerecord `_id` and by filename instead of by `ObjectId(copies.<coll>.key)`, so legacy files were never found. It is fixed and generalized for attachments and avatars. Legacy attachments now appear in the card attachment gallery (new `legacyBoardAttachments` publication) and stream from the `cfs_gridfs.attachments` bucket, and legacy avatars (`/cfs/files/avatars/<id>` URLs) are served from the `cfs_gridfs.avatars` bucket instead of redirecting to a 404. Lauri Ojansivu 2026-06-06 02:06:16 +0300
  • be63a357dd Updated ChangeLog. Lauri Ojansivu 2026-06-05 23:47:19 +0300
  • c71a97cba2 **Fixed OpenAPI REST API documentation generation**, which had been broken since after WeKan v7.93 and only generated docs for the `login`/`register` endpoints (2 operations) instead of the full API. The Meteor 3 migration moved the REST routes from `models/*.js` (`JsonRoutes.add(...)`) into `server/models/*.js` (`WebApp.handlers.get/post/put/delete(...)`) and introduced optional chaining (`?.`) that the `esprima` Python parser cannot read, so `openapi/generate_openapi.py` silently skipped every route file. The generator now understands both routing styles, scans both `models/` and `server/models/`, downlevels modern JS syntax so files parse, handles the `type: Array` SimpleSchema idiom, and `releases/rebuild-docs.sh` works directly with Python 3.12.x (PEP 668). The generated `public/api/wekan.yml` / `wekan.html` now cover the full API again (89 operations / 61 paths). Thanks to Claude. Lauri Ojansivu 2026-06-05 23:44:04 +0300
  • 357de728c0 Fix [CloneBleed](https://wekan.fi/hall-of-fame/clonebleed/) and other security issues. Added more security tests to test suite. Lauri Ojansivu 2026-06-05 21:40:24 +0300
  • db3c0c18f9 Updated ChangeLog. Lauri Ojansivu 2026-06-05 19:09:11 +0300
  • 45706292e7 Updated translations. Lauri Ojansivu 2026-06-05 19:08:57 +0300
  • 29b3f52e50 Updated to Meteor 3.5-rc.1 . Lauri Ojansivu 2026-06-05 19:04:12 +0300
  • f81a0d1537 Merge pull request #6365 from italojs/main Lauri Ojansivu 2026-06-05 18:57:44 +0300
  • e613e8763b Updated Docker Meteor 3 settings. Part 2. Lauri Ojansivu 2026-06-02 00:03:27 +0300
  • 3d17810293 Updated Docker Meteor 3 settings. Lauri Ojansivu 2026-06-02 00:00:22 +0300
  • 1871873da0 Caddyfile: Separate websocket port not required. Lauri Ojansivu 2026-06-01 23:40:52 +0300
  • 15b3213a4d Fix typos Lauri Ojansivu 2026-06-01 22:51:20 +0300