
Commit 73eb98c

committed
Fix GHSL-2026-044_Wekan.
Thanks to GHSL and xet7.
1 parent 1ee9b2e commit 73eb98c


1 file changed

+21
-12
lines changed


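--- a/models/customFields.js
+++ b/models/customFields.js
@@ -409,52 +409,57 @@ if (Meteor.isServer) {
 const paramFieldId = req.params.customFieldId;
 Authentication.checkBoardAccess(req.userId, paramBoardId);
 
+const boardScopedField = {
+_id: paramFieldId,
+boardIds: { $in: [paramBoardId] },
+};
+
 if (req.body.hasOwnProperty('name')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { name: req.body.name } },
 );
 }
 if (req.body.hasOwnProperty('type')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { type: req.body.type } },
 );
 }
 if (req.body.hasOwnProperty('settings')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { settings: req.body.settings } },
 );
 }
 if (req.body.hasOwnProperty('showOnCard')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { showOnCard: req.body.showOnCard } },
 );
 }
 if (req.body.hasOwnProperty('automaticallyOnCard')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { automaticallyOnCard: req.body.automaticallyOnCard } },
 );
 }
 if (req.body.hasOwnProperty('alwaysOnCard')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { alwaysOnCard: req.body.alwaysOnCard } },
 );
 }
 if (req.body.hasOwnProperty('showLabelOnMiniCard')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { showLabelOnMiniCard: req.body.showLabelOnMiniCard } },
 );
 }
 
 if (req.body.hasOwnProperty('showSumAtTopOfList')) {
 CustomFields.direct.update(
-{ _id: paramFieldId },
+boardScopedField,
 { $set: { showSumAtTopOfList: req.body.showSumAtTopOfList } },
 );
 }
@@ -486,7 +491,10 @@ if (Meteor.isServer) {
 if (req.body.hasOwnProperty('items')) {
 if (Array.isArray(paramItems)) {
 CustomFields.direct.update(
-{ _id: paramCustomFieldId },
+{
+_id: paramCustomFieldId,
+boardIds: { $in: [paramBoardId] },
+},
 {
 $push: {
 'settings.dropdownItems': {
@@ -531,6 +539,7 @@ if (Meteor.isServer) {
 CustomFields.direct.update(
 {
 _id: paramCustomFieldId,
+boardIds: { $in: [paramBoardId] },
 'settings.dropdownItems._id': paramDropdownItemId,
 },
 {
@@ -563,12 +572,12 @@ if (Meteor.isServer) {
 '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
 (req, res) => {
 const paramBoardId = req.params.boardId;
-paramCustomFieldId = req.params.customFieldId;
-paramDropdownItemId = req.params.dropdownItemId;
+const paramCustomFieldId = req.params.customFieldId;
+const paramDropdownItemId = req.params.dropdownItemId;
 Authentication.checkBoardAccess(req.userId, paramBoardId);
 
 CustomFields.direct.update(
-{ _id: paramCustomFieldId, },
+{ _id: paramCustomFieldId, boardIds: { $in: [paramBoardId] } },
 {
 $pull: {
 'settings.dropdownItems': { _id: paramDropdownItemId },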
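Review bot: The eight `CustomFields.direct.update(boardScopedField, …)` calls in the first hunk ignore the update's return value, so a `customFieldId` that is not attached to `paramBoardId` becomes a silent no-op and the handler, whose response lies outside the hunk, presumably still reports success. Resolving the field once with the board-scoped selector and failing with a not-found response makes the authorization decision explicit and lets the eight writes collapse into a single `$set` over an allowlist of keys; the same existence check applies to the `$push`, positional update and `$pull` in the later hunks. It is also worth confirming that `Authentication.checkBoardAccess` requires write permission rather than read access, since its definition is not shown on this page. The handler starts and ends outside the hunk, and the key list below covers only the fields visible in it.

```javascript
// … unchanged: boardScopedField selector …

// Fail closed: stop when the field is not attached to this board.
if (!CustomFields.findOne(boardScopedField, { fields: { _id: 1 } })) {
  // … respond with a not-found error through the handler's existing response path …
  return;
}

const editableKeys = [
  'name',
  'type',
  'settings',
  'showOnCard',
  'automaticallyOnCard',
  'alwaysOnCard',
  'showLabelOnMiniCard',
  'showSumAtTopOfList',
];
const changes = {};
for (const key of editableKeys) {
  // Borrow hasOwnProperty so a body key named "hasOwnProperty" cannot shadow it.
  if (Object.prototype.hasOwnProperty.call(req.body, key)) {
    changes[key] = req.body[key];
  }
}
if (Object.keys(changes).length > 0) {
  CustomFields.direct.update(boardScopedField, { $set: changes });
}
// … unchanged: response sent after the updates (outside the hunk) …
```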
