
feat: Permissions for board members

Closes #262
Maksim Eltyshev 2022-08-19 14:00:40 +02:00
parent d80a538857
commit 51fa7df69c
61 changed files with 1063 additions and 191 deletions


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -18,6 +21,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -33,12 +39,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
this.req
.file('file')
.upload(sails.helpers.utils.createAttachmentReceiver(), async (error, files) => {
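Review bot: The `// Forbidden` comment on `throw Errors.CARD_NOT_FOUND` does not explain the two-tier response this change sets up: a caller with no `BoardMembership` row gets the `notFound` exit, while a member whose role is not `EDITOR` gets the new `forbidden` exit. Presumably the 404 is there so non-members cannot tell whether the card exists; if so, I would write `// Non-members get 404 so the card's existence is not disclosed; members without the editor role get 403 below`. The same lookup-and-check block with the same terse comment recurs in the other controller sections on this page (attachments, card labels, card memberships, cards, comment actions, labels, lists, tasks), so the wording is worth fixing in each. The enclosing `fn` starts and ends outside the hunk.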


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
ATTACHMENT_NOT_FOUND: {
attachmentNotFound: 'Attachment not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
attachmentNotFound: {
responseType: 'notFound',
},
@ -29,12 +35,19 @@ module.exports = {
let { attachment } = path;
const { card, board } = path;
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.ATTACHMENT_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
attachment = await sails.helpers.attachments.deleteOne(attachment, board, card, this.req);
if (!attachment) {


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
ATTACHMENT_NOT_FOUND: {
attachmentNotFound: 'Attachment not found',
},
@ -18,6 +21,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
attachmentNotFound: {
responseType: 'notFound',
},
@ -33,12 +39,19 @@ module.exports = {
let { attachment } = path;
const { board } = path;
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.ATTACHMENT_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['name']);
attachment = await sails.helpers.attachments.updateOne(attachment, values, board, this.req);


@ -22,6 +22,14 @@ module.exports = {
regex: /^[0-9]+$/,
required: true,
},
role: {
type: 'string',
isIn: Object.values(BoardMembership.Roles),
required: true,
},
canComment: {
type: 'boolean',
},
},
exits: {
@ -58,8 +66,10 @@ module.exports = {
throw Error.USER_NOT_FOUND;
}
const values = _.pick(inputs, ['role', 'canComment']);
const boardMembership = await sails.helpers.boardMemberships
.createOne(user, board, this.req)
.createOne(values, user, board, this.req)
.intercept('userAlreadyBoardMember', () => Errors.USER_ALREADY_BOARD_MEMBER);
return {
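Review bot: The context line `throw Error.USER_NOT_FOUND;` just above the new `_.pick` reads from the built-in `Error` constructor rather than this file's `Errors` map, so it throws `undefined` instead of a declared exit; the commit edits the lines around it but leaves it as is. It presumably should be `throw Errors.USER_NOT_FOUND;`, assuming that key is defined in the `Errors` constant outside this hunk, in the same way `Errors.USER_ALREADY_BOARD_MEMBER` is used a few lines below. How the framework reports a thrown `undefined` is not visible here, but it will not be the user-not-found response the caller expects. The enclosing `fn` starts and ends outside the hunk.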


@ -0,0 +1,57 @@
const Errors = {
BOARD_MEMBERSHIP_NOT_FOUND: {
boardMembershipNotFound: 'Board membership not found',
},
};
module.exports = {
inputs: {
id: {
type: 'string',
regex: /^[0-9]+$/,
required: true,
},
role: {
type: 'string',
isIn: Object.values(BoardMembership.Roles),
},
canComment: {
type: 'boolean',
},
},
exits: {
boardMembershipNotFound: {
responseType: 'notFound',
},
},
async fn(inputs) {
const { currentUser } = this.req;
const path = await sails.helpers.boardMemberships
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.BOARD_MEMBERSHIP_NOT_FOUND);
let { boardMembership } = path;
const { project } = path;
const isProjectManager = await sails.helpers.users.isProjectManager(currentUser.id, project.id);
if (!isProjectManager) {
throw Errors.BOARD_MEMBERSHIP_NOT_FOUND; // Forbidden
}
const values = _.pick(inputs, ['role', 'canComment']);
boardMembership = await sails.helpers.boardMemberships.updateOne(
boardMembership,
values,
this.req,
);
return {
item: boardMembership,
};
},
};
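Review bot: `role` and `canComment` are accepted independently in this new controller, but the comment controllers in the same commit test `boardMembership.role !== BoardMembership.Roles.EDITOR && !boardMembership.canComment`, so `canComment` only has an effect for non-editor roles. Unless `boardMemberships.updateOne` (not shown) normalizes the pair, a stored `canComment` value can sit unused while the member is an editor and silently take effect when the role is later changed. A comment above `const values = _.pick(inputs, ['role', 'canComment']);` should say where that is handled, e.g. `// canComment only matters for non-editor roles; updateOne is expected to reset it when role changes`. Both inputs are optional as well, so a request carrying neither reaches `updateOne` with an empty `values` object.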


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -25,6 +28,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -43,12 +49,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const label = await Label.findOne({
id: inputs.labelId,
boardId: card.boardId,


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -22,6 +25,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -37,12 +43,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
let cardLabel = await CardLabel.findOne({
cardId: inputs.cardId,
labelId: inputs.labelId,


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -25,6 +28,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -43,13 +49,20 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
let isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
isBoardMember = await sails.helpers.users.isBoardMember(inputs.userId, card.boardId);
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const isBoardMember = await sails.helpers.users.isBoardMember(inputs.userId, card.boardId);
if (!isBoardMember) {
throw Errors.USER_NOT_FOUND;


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -22,6 +25,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -37,12 +43,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
let cardMembership = await CardMembership.findOne({
cardId: inputs.cardId,
userId: inputs.userId,


@ -1,6 +1,9 @@
const moment = require('moment');
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
BOARD_NOT_FOUND: {
boardNotFound: 'Board not found',
},
@ -67,6 +70,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
boardNotFound: {
responseType: 'notFound',
},
@ -88,12 +94,19 @@ module.exports = {
.getProjectPath(inputs.boardId)
.intercept('pathNotFound', () => Errors.BOARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.BOARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
let list;
if (!_.isUndefined(inputs.listId)) {
list = await List.findOne({


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -26,12 +32,19 @@ module.exports = {
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
card = await sails.helpers.cards.deleteOne(card, this.req);
if (!card) {


@ -1,6 +1,9 @@
const moment = require('moment');
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -83,6 +86,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -110,23 +116,37 @@ module.exports = {
let { card } = path;
const { list, board } = path;
let isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
let boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
let nextBoard;
if (!_.isUndefined(inputs.boardId)) {
({ board: nextBoard } = await sails.helpers.boards
.getProjectPath(inputs.boardId)
.intercept('pathNotFound', () => Errors.BOARD_NOT_FOUND));
isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, nextBoard.id);
boardMembership = await BoardMembership.findOne({
boardId: nextBoard.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.BOARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
}
let nextList;
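Review bot: Reassigning `boardMembership` inside the `inputs.boardId` branch means that after this block the variable holds the caller's membership on the target board, not on the card's current board. Any later use in the part of `fn` that lies outside this hunk would then be evaluated against the wrong board's role. A separate binding keeps the two apart: `const nextBoardMembership = await BoardMembership.findOne({ boardId: nextBoard.id, userId: currentUser.id });`, with the two checks that follow reading `nextBoardMembership`; the first declaration can then become `const`.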


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -18,6 +21,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -30,12 +36,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR && !boardMembership.canComment) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = {
type: Action.Types.COMMENT_CARD,
data: _.pick(inputs, ['text']),


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
COMMENT_ACTION_NOT_FOUND: {
commentActionNotFound: 'Comment action not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
commentActionNotFound: {
responseType: 'notFound',
},
@ -39,11 +45,18 @@ module.exports = {
throw Errors.COMMENT_ACTION_NOT_FOUND; // Forbidden
}
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.COMMENT_ACTION_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR && !boardMembership.canComment) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
}
action = await sails.helpers.actions.deleteOne(action, board, this.req);
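Review bot: Deleting a comment is gated on the same `role !== BoardMembership.Roles.EDITOR && !boardMembership.canComment` test as creating one, so a non-editor member whose `canComment` flag is later cleared also loses the ability to delete earlier comments (and, in the update controller in the next section, to edit them). If that is intended it deserves a comment at the check, e.g. `// Clearing canComment also revokes editing and deleting existing comments`. The `if` that this block sits in opens outside the hunk, so which callers skip the membership check cannot be confirmed from here.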


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
COMMENT_ACTION_NOT_FOUND: {
commentActionNotFound: 'Comment action not found',
},
@ -18,6 +21,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
commentActionNotFound: {
responseType: 'notFound',
},
@ -43,11 +49,18 @@ module.exports = {
throw Errors.COMMENT_ACTION_NOT_FOUND; // Forbidden
}
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.COMMENT_ACTION_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR && !boardMembership.canComment) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
}
const values = {


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
BOARD_NOT_FOUND: {
boardNotFound: 'Board not found',
},
@ -24,6 +27,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
boardNotFound: {
responseType: 'notFound',
},
@ -36,12 +42,19 @@ module.exports = {
.getProjectPath(inputs.boardId)
.intercept('pathNotFound', () => Errors.BOARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.BOARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['name', 'color']);
const label = await sails.helpers.labels.createOne(values, board, this.req);


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
LABEL_NOT_FOUND: {
labelNotFound: 'Label not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
labelNotFound: {
responseType: 'notFound',
},
@ -26,12 +32,19 @@ module.exports = {
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.LABEL_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, label.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: label.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.LABEL_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
label = await sails.helpers.labels.deleteOne(label, this.req);
if (!label) {


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
LABEL_NOT_FOUND: {
labelNotFound: 'Label not found',
},
@ -24,6 +27,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
labelNotFound: {
responseType: 'notFound',
},
@ -36,12 +42,19 @@ module.exports = {
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.LABEL_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, label.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: label.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.LABEL_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['name', 'color']);
label = await sails.helpers.labels.updateOne(label, values, this.req);


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
BOARD_NOT_FOUND: {
boardNotFound: 'Board not found',
},
@ -22,6 +25,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
boardNotFound: {
responseType: 'notFound',
},
@ -34,12 +40,19 @@ module.exports = {
.getProjectPath(inputs.boardId)
.intercept('pathNotFound', () => Errors.BOARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.BOARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['position', 'name']);
const list = await sails.helpers.lists.createOne(values, board, this.req);


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
LIST_NOT_FOUND: {
listNotFound: 'List not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
listNotFound: {
responseType: 'notFound',
},
@ -26,12 +32,19 @@ module.exports = {
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.LIST_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, list.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: list.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.LIST_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
list = await sails.helpers.lists.deleteOne(list, this.req);
if (!list) {


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
LIST_NOT_FOUND: {
listNotFound: 'List not found',
},
@ -21,6 +24,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
listNotFound: {
responseType: 'notFound',
},
@ -33,12 +39,19 @@ module.exports = {
.getProjectPath(inputs.id)
.intercept('pathNotFound', () => Errors.LIST_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, list.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: list.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.LIST_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['position', 'name']);
list = await sails.helpers.lists.updateOne(list, values, this.req);


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
CARD_NOT_FOUND: {
cardNotFound: 'Card not found',
},
@ -25,6 +28,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
cardNotFound: {
responseType: 'notFound',
},
@ -37,12 +43,19 @@ module.exports = {
.getProjectPath(inputs.cardId)
.intercept('pathNotFound', () => Errors.CARD_NOT_FOUND);
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, card.boardId);
const boardMembership = await BoardMembership.findOne({
boardId: card.boardId,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.CARD_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['position', 'name', 'isCompleted']);
const task = await sails.helpers.tasks.createOne(values, card, this.req);


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
TASK_NOT_FOUND: {
taskNotFound: 'Task not found',
},
@ -14,6 +17,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
taskNotFound: {
responseType: 'notFound',
},
@ -29,12 +35,19 @@ module.exports = {
let { task } = path;
const { board } = path;
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.TASK_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
task = await sails.helpers.tasks.deleteOne(task, board, this.req);
if (!task) {


@ -1,4 +1,7 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
TASK_NOT_FOUND: {
taskNotFound: 'Task not found',
},
@ -24,6 +27,9 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
taskNotFound: {
responseType: 'notFound',
},
@ -39,12 +45,19 @@ module.exports = {
let { task } = path;
const { board } = path;
const isBoardMember = await sails.helpers.users.isBoardMember(currentUser.id, board.id);
const boardMembership = await BoardMembership.findOne({
boardId: board.id,
userId: currentUser.id,
});
if (!isBoardMember) {
if (!boardMembership) {
throw Errors.TASK_NOT_FOUND; // Forbidden
}
if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
throw Errors.NOT_ENOUGH_RIGHTS;
}
const values = _.pick(inputs, ['position', 'name', 'isCompleted']);
task = await sails.helpers.tasks.updateOne(task, values, board, this.req);