From c59891d44b09af1ed2112b1f524046376167dbed Mon Sep 17 00:00:00 2001
From: mayjs <johannes.may@udo.edu>
Date: Mon, 15 May 2017 21:41:21 +0200
Subject: Added readonly user access to cards

---
 models/cards.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'models')

diff --git a/models/cards.js b/models/cards.js
index bbe46b55..c48b4845 100644
--- a/models/cards.js
+++ b/models/cards.js
@@ -373,9 +373,9 @@ if (Meteor.isServer) {
 //LISTS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
-    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
+    Authentication.checkBoardAccess( req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Cards.find({ boardId: paramBoardId, listId: paramListId, archived: false }).map(function (doc) {
@@ -389,10 +389,10 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
-    Authentication.checkUserId( req.userId);
     const paramBoardId = req.params.boardId;
     const paramListId = req.params.listId;
     const paramCardId = req.params.cardId;
+    Authentication.checkBoardAccess( req.userId, paramBoardId);
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Cards.findOne({ _id: paramCardId, listId: paramListId, boardId: paramBoardId, archived: false }),
-- 
cgit v1.2.3-1-g7c22