Fixed REST API, it shoud work now by Admin user.

Reverted Allow board members to use more of API of Wekan v5.35
https://github.com/wekan/wekan/commit/a719e8fda1f78bcbf9af6e7b4341f8be1d141e90

Thanks to tomhughes.

Fixes #4009,
fixes #2793,
fixes #2790

models/boards.js

@@ -1831,8 +1831,7 @@ if (Meteor.isServer) {
                     */
   JsonRoutes.add('GET', '/api/boards', function(req, res) {
     try {
-      const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
+      Authentication.checkUserId(req.userId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Boards.find(
@@ -1888,8 +1887,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('GET', '/api/boards/:boardId', function(req, res) {
     try {
+      Authentication.checkUserId(req.userId);
       const id = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, id);
 
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -2006,8 +2005,7 @@ if (Meteor.isServer) {
    * @return_type string
    */
   JsonRoutes.add('PUT', '/api/boards/:boardId/labels', function(req, res) {
-    const paramBoardId = req.params.boardId;
-    Authentication.checkBoardAccess(req.userId, paramBoardId);
+    Authentication.checkUserId(req.userId);
     const id = req.params.boardId;
     try {
       if (req.body.hasOwnProperty('label')) {
@@ -2054,10 +2052,10 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
+      Authentication.checkUserId(req.userId);
       const boardId = req.params.boardId;
       const memberId = req.params.memberId;
       const { isAdmin, isNoComments, isCommentOnly, isWorker } = req.body;
-      Authentication.checkBoardAccess(req.userId, boardId);
       const board = Boards.findOne({ _id: boardId });
       function isTrue(data) {
         try {
@@ -2101,8 +2099,8 @@ if (Meteor.isServer) {
    *                swimlaneId: string}]
    */
   JsonRoutes.add('GET', '/api/boards/:boardId/attachments', function(req, res) {
+    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
-    Authentication.checkBoardAccess(req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Attachments.files

models/cardComments.js

@@ -234,8 +234,8 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -272,8 +272,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments/:commentId',
     function (req, res) {
       try {
+        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
-        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCommentId = req.params.commentId;
         const paramCardId = req.params.cardId;
         JsonRoutes.sendResult(res, {
@@ -308,8 +308,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments',
     function (req, res) {
       try {
+        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
-        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCardId = req.params.cardId;
         const id = CardComments.direct.insert({
           userId: req.body.authorId,
@@ -354,8 +354,8 @@ if (Meteor.isServer) {
     '/api/boards/:boardId/cards/:cardId/comments/:commentId',
     function (req, res) {
       try {
+        Authentication.checkUserId(req.userId);
         const paramBoardId = req.params.boardId;
-        Authentication.checkBoardAccess(req.userId, paramBoardId);
         const paramCommentId = req.params.commentId;
         const paramCardId = req.params.cardId;
         CardComments.remove({

models/cards.js

@@ -3110,9 +3110,9 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/swimlanes/:swimlaneId/cards',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
       const paramSwimlaneId = req.params.swimlaneId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Cards.find({
@@ -3152,9 +3152,9 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
+    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
-    Authentication.checkBoardAccess(req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Cards.find({
@@ -3189,10 +3189,10 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/lists/:listId/cards/:cardId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
       const paramListId = req.params.listId;
       const paramCardId = req.params.cardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Cards.findOne({
@@ -3339,8 +3339,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/lists/:listId/cards/:cardId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       const paramListId = req.params.listId;
 
@@ -3697,8 +3697,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/lists/:listId/cards/:cardId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramListId = req.params.listId;
       const paramCardId = req.params.cardId;
 
@@ -3737,11 +3737,10 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cardsByCustomField/:customFieldId/:customFieldValue',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
       const paramCustomFieldId = req.params.customFieldId;
       const paramCustomFieldValue = req.params.customFieldValue;
-
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Cards.find({

models/checklistItems.js

@@ -265,8 +265,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramItemId = req.params.itemId;
       const checklistItem = ChecklistItems.findOne({ _id: paramItemId });
       if (checklistItem) {
@@ -299,9 +299,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
-
       const paramItemId = req.params.itemId;
 
       function isTrue(data) {
@@ -351,8 +350,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId/items/:itemId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramItemId = req.params.itemId;
       ChecklistItems.direct.remove({ _id: paramItemId });
       JsonRoutes.sendResult(res, {

models/checklists.js

@@ -204,8 +204,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCardId = req.params.cardId;
       const checklists = Checklists.find({ cardId: paramCardId }).map(function(
         doc,
@@ -248,8 +248,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       const paramCardId = req.params.cardId;
       const checklist = Checklists.findOne({
@@ -292,8 +292,9 @@ if (Meteor.isServer) {
     'POST',
     '/api/boards/:boardId/cards/:cardId/checklists',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       // Check user is logged in
-      Authentication.checkLoggedIn(req.userId);
+      //Authentication.checkLoggedIn(req.userId);
       const paramBoardId = req.params.boardId;
       // Check user has permission to add checklist to the card
       const board = Boards.findOne({
@@ -353,8 +354,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramChecklistId = req.params.checklistId;
       Checklists.remove({ _id: paramChecklistId });
       JsonRoutes.sendResult(res, {

models/customFields.js

@@ -301,8 +301,8 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
+    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
-    Authentication.checkBoardAccess(req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: CustomFields.find({ boardIds: { $in: [paramBoardId] } }).map(
@@ -330,8 +330,8 @@ if (Meteor.isServer) {
     'GET',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramCustomFieldId = req.params.customFieldId;
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -361,8 +361,8 @@ if (Meteor.isServer) {
     req,
     res,
   ) {
+    Authentication.checkUserId(req.userId);
     const paramBoardId = req.params.boardId;
-    Authentication.checkBoardAccess(req.userId, paramBoardId);
     const board = Boards.findOne({ _id: paramBoardId });
     const id = CustomFields.direct.insert({
       name: req.body.name,
@@ -406,9 +406,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     (req, res) => {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
-
       const paramFieldId = req.params.customFieldId;
 
       if (req.body.hasOwnProperty('name')) {
@@ -480,9 +479,8 @@ if (Meteor.isServer) {
     'POST',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items',
     (req, res) => {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
-
       const paramCustomFieldId = req.params.customFieldId;
       const paramItems = req.body.items;
 
@@ -524,9 +522,8 @@ if (Meteor.isServer) {
     'PUT',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
     (req, res) => {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
-
       const paramDropdownItemId = req.params.dropdownItemId;
       const paramCustomFieldId = req.params.customFieldId;
       const paramName = req.body.name;
@@ -566,9 +563,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId',
     (req, res) => {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
-
       paramCustomFieldId = req.params.customFieldId;
       paramDropdownItemId = req.params.dropdownItemId;
 
@@ -602,8 +598,8 @@ if (Meteor.isServer) {
     'DELETE',
     '/api/boards/:boardId/custom-fields/:customFieldId',
     function(req, res) {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const id = req.params.customFieldId;
       CustomFields.remove({ _id: id, boardIds: { $in: [paramBoardId] } });
       JsonRoutes.sendResult(res, {

models/lists.js

@@ -467,8 +467,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('GET', '/api/boards/:boardId/lists', function(req, res) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -502,9 +502,9 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
       const paramListId = req.params.listId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Lists.findOne({
@@ -531,8 +531,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('POST', '/api/boards/:boardId/lists', function(req, res) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const board = Boards.findOne(paramBoardId);
       const id = Lists.insert({
         title: req.body.title,
@@ -569,8 +569,8 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const paramListId = req.params.listId;
       Lists.remove({ _id: paramListId, boardId: paramBoardId });
       JsonRoutes.sendResult(res, {

models/swimlanes.js

@@ -388,8 +388,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('GET', '/api/boards/:boardId/swimlanes', function(req, res) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
 
       JsonRoutes.sendResult(res, {
         code: 200,
@@ -424,9 +424,9 @@ if (Meteor.isServer) {
     res,
   ) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
       const paramSwimlaneId = req.params.swimlaneId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       JsonRoutes.sendResult(res, {
         code: 200,
         data: Swimlanes.findOne({
@@ -454,8 +454,8 @@ if (Meteor.isServer) {
    */
   JsonRoutes.add('POST', '/api/boards/:boardId/swimlanes', function(req, res) {
     try {
+      Authentication.checkUserId(req.userId);
       const paramBoardId = req.params.boardId;
-      Authentication.checkBoardAccess(req.userId, paramBoardId);
       const board = Boards.findOne(paramBoardId);
       const id = Swimlanes.insert({
         title: req.body.title,