Allow board members to use more of API. Please add issue (or pull request) if this allows too much.

Thanks to JayVii and xet7 !

Fixes #3862

models/boards.js

@@ -1678,7 +1678,8 @@ if (Meteor.isServer) {
                     */
   JsonRoutes.add('GET', '/api/boards', function(req, res) {
     try {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Boards.find(
@@ -1852,7 +1853,8 @@ if (Meteor.isServer) {
    * @return_type string
    */
   JsonRoutes.add('PUT', '/api/boards/:boardId/labels', function(req, res) {
-    Authentication.checkUserId(req.userId);
+    const paramBoardId = req.params.boardId;
+    Authentication.checkBoardAccess(req.userId, paramBoardId);
     const id = req.params.boardId;
     try {
       if (req.body.hasOwnProperty('label')) {

models/cardComments.js

@@ -192,8 +192,8 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
-      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -230,8 +230,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments/:commentId',
     function(req, res) {
       try {
-        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
+        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCommentId = req.params.commentId;
         const paramCardId = req.params.cardId;
         JsonRoutes.sendResult(res, {
@@ -266,8 +266,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments',
     function(req, res) {
       try {
-        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
+        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCardId = req.params.cardId;
         const id = CardComments.direct.insert({
           userId: req.body.authorId,
@@ -312,8 +312,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments/:commentId',
     function(req, res) {
       try {
-        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
+        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCommentId = req.params.commentId;
         const paramCardId = req.params.cardId;
         CardComments.remove({

models/cards.js

@@ -3308,8 +3308,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/lists/:listId/cards/:cardId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       const paramListId = req.params.listId;
 
@@ -3666,8 +3666,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/lists/:listId/cards/:cardId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramListId = req.params.listId;
       const paramCardId = req.params.cardId;
 

models/checklistItems.js

@@ -265,7 +265,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramItemId = req.params.itemId;
       const checklistItem = ChecklistItems.findOne({ _id: paramItemId });
       if (checklistItem) {
@@ -298,7 +299,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       const paramItemId = req.params.itemId;
 
@@ -349,7 +351,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramItemId = req.params.itemId;
       ChecklistItems.direct.remove({ _id: paramItemId });
       JsonRoutes.sendResult(res, {

models/checklists.js

@@ -204,7 +204,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       const checklists = Checklists.find({ cardId: paramCardId }).map(function(
         doc,
@@ -247,7 +248,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       const paramCardId = req.params.cardId;
       const checklist = Checklists.findOne({
@@ -351,7 +353,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       Checklists.remove({ _id: paramChecklistId });
       JsonRoutes.sendResult(res, {

models/customFields.js

@@ -294,8 +294,8 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
-    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
+    Authentication.checkBoardAccess(req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: CustomFields.find({ boardIds: { $in: [paramBoardId] } }).map(
@@ -323,8 +323,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCustomFieldId = req.params.customFieldId;
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -353,8 +353,8 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
-    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
+    Authentication.checkBoardAccess(req.userId, paramBoardId);
     const board = Boards.findOne({ _id: paramBoardId });
     const id = CustomFields.direct.insert({
       name: req.body.name,
@@ -396,7 +396,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     (req, res) => {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       const paramFieldId = req.params.customFieldId;
 
@@ -461,7 +462,8 @@ if (Meteor.isServer) {
     'POST',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items',
     (req, res) => {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       const paramCustomFieldId = req.params.customFieldId;
       const paramItems = req.body.items;
@@ -504,7 +506,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
     (req, res) => {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       const paramDropdownItemId = req.params.dropdownItemId;
       const paramCustomFieldId = req.params.customFieldId;
@@ -545,7 +548,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
     (req, res) => {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       paramCustomFieldId = req.params.customFieldId;
       paramDropdownItemId = req.params.dropdownItemId;
@@ -580,7 +584,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     function(req, res) {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramBoardId = req.params.boardId;
       const id = req.params.customFieldId;
       CustomFields.remove({ _id: id, boardIds: { $in: [paramBoardId] } });

models/lists.js

@@ -531,7 +531,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('POST', '/api/boards/:boardId/lists', function(req, res) {
     try {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramBoardId = req.params.boardId;
       const board = Boards.findOne(paramBoardId);
       const id = Lists.insert({
@@ -569,7 +570,8 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
-      Authentication.checkUserId(req.userId);
+      const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramBoardId = req.params.boardId;
       const paramListId = req.params.listId;
       Lists.remove({ _id: paramListId, boardId: paramBoardId });

models/swimlanes.js

@@ -454,8 +454,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('POST', '/api/boards/:boardId/swimlanes', function(req, res) {
     try {
-      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
+      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const board = Boards.findOne(paramBoardId);
       const id = Swimlanes.insert({
         title: req.body.title,