author | Xavier Priour <xavier.priour@bubblyware.com> | 2015-12-16 21:54:35 +0100 |
---|---|---|
committer | Xavier Priour <xavier.priour@bubblyware.com> | 2015-12-16 21:58:43 +0100 |
commit | d08e1cc45b7f894f360f3a8a89e235ccc47b8f96 (patch) | |
tree | c6e38bc7e4f25a7185d787191a34959ce673b1a4 /models | |
parent | efe7c21d579a0cffe682741d2daf832062001a3a (diff) | |
download | wekan-d08e1cc45b7f894f360f3a8a89e235ccc47b8f96.tar.gz wekan-d08e1cc45b7f894f360f3a8a89e235ccc47b8f96.tar.bz2 wekan-d08e1cc45b7f894f360f3a8a89e235ccc47b8f96.zip |
Export Wekan now server-based with proper auth
Diffstat (limited to 'models')
-rw-r--r-- | models/boards.js | 6 | ||||
-rw-r--r-- | models/export.js | 30 |
2 files changed, 30 insertions, 6 deletions
diff --git a/models/boards.js b/models/boards.js
index cdf83ce0..d5363f4e 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -80,15 +80,15 @@ Boards.attachSchema(new SimpleSchema({
 Boards.helpers({
 /**
- * Is current logged-in user authorized to view this board?
+ * Is supplied user authorized to view this board?
 */
- isVisibleByUser() {
+ isVisibleBy(user) {
 if(this.isPublic()) {
 // public boards are visible to everyone
 return true;
 } else {
 // otherwise you have to be logged-in and active member
- return this.isActiveMember(Meteor.userId());
+ return this.isActiveMember(user._id);
 }
 },
diff --git a/models/export.js b/models/export.js
index aab81c64..8d1be64e 100644
--- a/models/export.js
+++ b/models/export.js
@@ -1,11 +1,30 @@
+/* global JsonRoutes */
+if(Meteor.isServer) {
+ JsonRoutes.add('get', '/api/b/:boardId/:userId/:loginToken', function (req, res) {
+ const { userId, loginToken, boardId } = req.params;
+ const hashToken = Accounts._hashLoginToken(loginToken);
+ const user = Meteor.users.findOne({
+ _id: userId,
+ 'services.resume.loginTokens.hashedToken': hashToken,
+ });
+
+ const exporter = new Exporter(boardId);
+ if(user && exporter.canExport(user)) {
+ JsonRoutes.sendResult(res, 200, exporter.build());
+ } else {
+ // we could send an explicit error message, but on the other
+ // hand the only way to get there is by hacking the UI so...
+ JsonRoutes.sendResult(res, 403);
+ }
+ });
+}
 Meteor.methods({
 exportBoard(boardId) {
 check(boardId, String);
- const board = Boards.findOne(boardId);
- if(board.isVisibleByUser()) {
- const exporter = new Exporter(boardId);
+ const exporter = new Exporter(boardId);
+ if(exporter.canExport(Meteor.user())) {
 return exporter.build();
 } else {
 throw new Meteor.Error('error-board-notAMember');
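Review bot: `isVisibleBy(user)` dereferences `user._id` in the non-public branch without checking that `user` is set, and the new caller in models/export.js (`exportBoard`) passes `Meteor.user()`, which is null for a caller who is not logged in; a private board then fails with a TypeError instead of the intended `Meteor.Error('error-board-notAMember')`. The HTTP route guards with `user &&` before calling `canExport`, but the method does not, so the guard belongs in the helper itself: `return Boolean(user) && this.isActiveMember(user._id);`. The docstring should state the contract, e.g. `@param {Object|null} user - user document; null/undefined means an anonymous visitor and yields false for non-public boards`.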
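Review bot: The route `'/api/b/:boardId/:userId/:loginToken'` carries the resume login token — a full session credential — in the URL path, where it is recorded in server and proxy access logs and browser history and can leak through the Referer header. Prefer a request header so the token never appears in the path: route `'/api/b/:boardId/:userId'` and `const loginToken = req.headers.authorization;` (with the client sending the token there). The token lookup matches `hashedToken` only and ignores the token's `when` timestamp, so a token that has expired per `Accounts._tokenExpiration` but has not yet been purged is still accepted; add `Accounts._tokenExpiration(token.when) > new Date()` on the matched token before treating the user as authenticated. `Accounts._hashLoginToken` is an underscore-prefixed internal of accounts-base and may change across Meteor releases, which is worth a comment at the call site. The comment "the only way to get there is by hacking the UI" is misleading for a public HTTP endpoint any client can request directly; keeping the uniform 403 is fine, but reword it to `// same 403 for unknown user, bad token and missing permission, to avoid leaking which one failed`.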
@@ -56,4 +75,9 @@ class Exporter {
 result.users = Users.find(byUserIds, userFields).fetch();
 return result;
 }
+
+ canExport(user) {
+ const board = Boards.findOne(this._boardId);
+ return board && board.isVisibleBy(user);
+ }
 } |
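Review bot: `canExport` returns `undefined` rather than `false` when `Boards.findOne(this._boardId)` finds nothing, because `board && ...` short-circuits to the falsy board value; both callers only test it in an `if`, but an authorization predicate is easier to reason about and test when it is strictly boolean: `return Boolean(board && board.isVisibleBy(user));`. It also deserves a JSDoc, e.g. `@param {Object|null} user - user document to check; @returns {boolean} true when the board exists and is visible to user`. The rest of `class Exporter`, including the constructor that presumably sets `this._boardId`, is outside this hunk, so the field's initialization could not be checked here.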