From abbd5f46a151e6f579bbdb386e6210848dc316ee Mon Sep 17 00:00:00 2001
From: wiggin77
Date: Tue, 3 Jan 2023 17:47:20 -0500
Subject: [PATCH] fix export board permission
---
 server/api/archive.go | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/server/api/archive.go b/server/api/archive.go
index 5a54e949b..c1856c7d8 100644
--- a/server/api/archive.go
+++ b/server/api/archive.go
@@ -55,23 +55,18 @@ func (a *API) handleArchiveExportBoard(w http.ResponseWriter, r *http.Request) {
  vars := mux.Vars(r)
  boardID := vars["boardID"]
  userID := getUserID(r)
- isSysAdmin := a.permissions.HasPermissionTo(userID, mmModel.PermissionManageSystem)
- // Don't need to check permission for a board if user has `manage_system` permissions
- if !isSysAdmin {
- if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) {
+ // check user has permission to board
+ if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) {
+ // if this user has `manage_system` permission and there is a license with the compliance
+ // feature enabled, then we will allow the export.
+ license := a.app.GetLicense()
+ if !a.permissions.HasPermissionTo(userID, mmModel.PermissionManageSystem) || license == nil || !(*license.Features.Compliance) {
  a.errorResponse(w, r, model.NewErrPermission("access denied to board"))
  return
  }
  }
- // Check for valid license feature: compliance
- license := a.app.GetLicense()
- if license == nil || !(*license.Features.Compliance) {
- a.errorResponse(w, r, model.NewErrNotImplemented("insufficient license"))
- return
- }
-
  auditRec := a.makeAuditRecord(r, "archiveExportBoard", audit.Fail)
  defer a.audit.LogRecord(audit.LevelRead, auditRec)
  auditRec.AddMeta("BoardID", boardID)
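Review bot: Denied exports leave no audit trail, because the `return` inside the new permission block runs before `auditRec := a.makeAuditRecord(r, "archiveExportBoard", audit.Fail)`, so a request for a board the user cannot view is never recorded. Consider moving the `makeAuditRecord` / `defer a.audit.LogRecord(audit.LevelRead, auditRec)` pair above the `HasPermissionToBoard` check, and tagging the override branch, e.g. `auditRec.AddMeta("manageSystemOverride", true)` (the key name is only a suggestion), so that a compliance export by a non-member admin can be told apart from a member's export. Separately, `!(*license.Features.Compliance)` dereferences two pointers after checking only `license == nil`; unless `GetLicense` guarantees populated defaults (not visible here), a nil `Features` or `Compliance` would panic the handler. The function body continues outside the hunk.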