From b5271e5346cde2563d36c64a300729e27336a86b Mon Sep 17 00:00:00 2001
From: huneau romain <huneau.romain@gmail.com>
Date: Thu, 11 May 2017 12:15:02 +0200
Subject: add token authentication, only admin can use api

---
 models/users.js | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'models/users.js')

diff --git a/models/users.js b/models/users.js
index c1ce146a..aa870dca 100644
--- a/models/users.js
+++ b/models/users.js
@@ -528,6 +528,7 @@ if (Meteor.isServer) {
 // USERS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/users', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Meteor.users.find({}).map(function (doc) {
@@ -536,6 +537,7 @@ if (Meteor.isServer) {
     });
   });
   JsonRoutes.add('GET', '/api/users/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     JsonRoutes.sendResult(res, {
       code: 200,
@@ -543,6 +545,7 @@ if (Meteor.isServer) {
     });
   });
   JsonRoutes.add('POST', '/api/users/', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = Accounts.createUser({
       username: req.body.username,
       email: req.body.email,
@@ -558,6 +561,7 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('DELETE', '/api/users/:id', function (req, res, next) {
+    Authentication.checkUserId( req.userId);
     const id = req.params.id;
     Meteor.users.remove({ _id: id });
     JsonRoutes.sendResult(res, {
-- 
cgit v1.2.3-1-g7c22