authorXavier Priour <xavier.priour@bubblyware.com>2015-12-13 20:02:34 +0100
committerXavier Priour <xavier.priour@bubblyware.com>2015-12-13 20:02:34 +0100
commit18697d45f652a119ba21b0cef42fbf732902bfa9 (patch)
tree2ca8bc680acb8c148478660158a2f82ae4f61e7d /models
parent7cfc72da995a247b77d24dca215e59af2f5ed5f0 (diff)
board export now checks authentication
Diffstat (limited to 'models')
-rw-r--r--models/boards.js27
-rw-r--r--models/export.js26
2 files changed, 35 insertions, 18 deletions
diff --git a/models/boards.js b/models/boards.js
index 6aba0b1e..b3d5b0d0 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -79,6 +79,33 @@ Boards.attachSchema(new SimpleSchema({
Boards.helpers({
+ /**
+ * Is current logged-in user authorized to view this board?
+ */
+ isVisibleByUser() {
+ if(this.isPublic()) {
+ // public boards are visible to everyone
+ return true;
+ } else {
+ // otherwise you have to be logged-in and active member
+ return this.isActiveMember(Meteor.userId());
+ }
+ },
+
+ /**
+ * Is the user one of the active members of the board?
+ *
+ * @param userId
+ * @returns {boolean} the member that matches, or undefined/false
+ */
+ isActiveMember(userId) {
+ if(userId) {
+ return this.members.find((member) => (member.userId === userId && member.isActive));
+ } else {
+ return false;
+ }
+ },
+
isPublic() {
return this.permission === 'public';
},
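Review bot: The JSDoc on `isActiveMember` declares `@returns {boolean}` but the body returns whatever `Array.prototype.find` yields, i.e. the matching member object or `undefined`, and the description even says so, contradicting the type. Since `isVisibleByUser` only uses the result as a truthiness test, the simplest fix is to make the helper actually return a boolean: `return this.members.some((member) => (member.userId === userId && member.isActive));`, which also stops the authorization helper from handing the member record back to callers that only asked a yes/no question. If the object return is intended, the `@returns` line should read `{Object|undefined}` instead. The `Boards.helpers({` block continues beyond this hunk.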
diff --git a/models/export.js b/models/export.js
index 7be97986..20b1186a 100644
--- a/models/export.js
+++ b/models/export.js
@@ -1,25 +1,15 @@
-/* global JsonRoutes */
-if(Meteor.isServer) {
- console.log(`userId is ${this.userId}`);
- JsonRoutes.add('get', '/api/b/:id', function (req, res) {
- const id = req.params.id;
- const board = Boards.findOne(id);
- //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
- const exporter = new Exporter(id);
- JsonRoutes.sendResult(res, 200, exporter.build());
- //} else {
- // // 403 = forbidden
- // JsonRoutes.sendError(res, 403);
- //}
- });
-}
+
Meteor.methods({
exportBoard(boardId) {
+ check(boardId, String);
const board = Boards.findOne(boardId);
-// //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
- const exporter = new Exporter(boardId);
- return exporter.build();
+ if(board.isVisibleByUser()) {
+ const exporter = new Exporter(boardId);
+ return exporter.build();
+ } else {
+ throw new Meteor.Error('error-board-notAMember');
+ }
}
});
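Review bot: The new authorization check in `exportBoard` dereferences `board` without verifying that `Boards.findOne(boardId)` found anything, so an unknown or mistyped `boardId` now throws a `TypeError` from `board.isVisibleByUser()` rather than a `Meteor.Error`, which reaches the client as a generic internal server error and is noisier in server logs than a clean rejection. Folding the existence check into the same branch, `if(board && board.isVisibleByUser()) {`, keeps the else path returning the existing `'error-board-notAMember'` for both a missing and a forbidden board, which also avoids telling an unauthenticated caller whether a given id exists. The `check(boardId, String)` addition is good; a short comment on the `if` such as `// same error for missing and forbidden boards so existence is not disclosed` would make that choice explicit for the next maintainer.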