author | mayjs <johannes.may@udo.edu> | 2017-05-15 19:43:53 +0200 |
---|---|---|
committer | mayjs <johannes.may@udo.edu> | 2017-05-15 19:43:53 +0200 |
commit | 95e2025ff9ac07644175689b873749fc2087eef2 (patch) | |
tree | 103e0307370cdb540fac98ffc13aa7ddba3e2acc | |
parent | ef6f2e8d62a2322b9172edf0f7d07e2fe66b85c9 (diff) | |
Changed GET /api/boards/:id to also allow access by the users who are normally allowed.
-rw-r--r-- | models/boards.js | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/models/boards.js b/models/boards.js
index f2ac794e..3778963f 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -557,7 +557,6 @@ if (Meteor.isServer) {
 //BOARDS REST API
 if (Meteor.isServer) {
 JsonRoutes.add('GET', '/api/user/boards', function (req, res, next) {
- // TODO: This should be changed to be less restrictive!
 Authentication.checkLoggedIn(req.userId);
 const data = Boards.find({
@@ -589,8 +588,12 @@ if (Meteor.isServer) {
 });
 JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) {
- Authentication.checkUserId( req.userId);
+ Authentication.checkLoggedIn( req.userId);
 const id = req.params.id;
+ const board = Boards.findOne({ _id: id });
+ const normalAccess = board.permission === 'public' || board.members.some(e => e._id === req.userId);
+ Authentication.checkAdminOrCondition(req.userId, normalAccess);
+
 JsonRoutes.sendResult(res, {
 code: 200,
 data: Boards.findOne({ _id: id }), |
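Review bot: `Boards.findOne({ _id: id })` returns undefined for an unknown id, so `board.permission` on the next added line throws before `checkAdminOrCondition` runs, and the caller gets an unhandled error instead of a clean denial. Guard the lookup so a missing board fails closed, e.g. `const normalAccess = !!board && (board.permission === 'public' || board.members.some(e => e._id === req.userId));`, and decide explicitly what an admin receives for a missing board. The membership test compares `e._id`; the members schema is not visible in this hunk, so confirm that entries store the user id under that key (and whether inactive members should count), otherwise the check never matches and only public boards and admins pass. `data:` could reuse `board` rather than querying a second time. The route handler's body continues past the end of the hunk.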