authorXavier Priour <xavier.priour@bubblyware.com>2015-12-16 21:54:35 +0100
committerXavier Priour <xavier.priour@bubblyware.com>2015-12-16 21:58:43 +0100
commitd08e1cc45b7f894f360f3a8a89e235ccc47b8f96 (patch)
treec6e38bc7e4f25a7185d787191a34959ce673b1a4 /models
parentefe7c21d579a0cffe682741d2daf832062001a3a (diff)
Export Wekan now server-based with proper auth
Diffstat (limited to 'models')
-rw-r--r--models/boards.js6
-rw-r--r--models/export.js30
2 files changed, 30 insertions, 6 deletions
diff --git a/models/boards.js b/models/boards.js
index cdf83ce0..d5363f4e 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -80,15 +80,15 @@ Boards.attachSchema(new SimpleSchema({
Boards.helpers({
/**
- * Is current logged-in user authorized to view this board?
+ * Is supplied user authorized to view this board?
*/
- isVisibleByUser() {
+ isVisibleBy(user) {
if(this.isPublic()) {
// public boards are visible to everyone
return true;
} else {
// otherwise you have to be logged-in and active member
- return this.isActiveMember(Meteor.userId());
+ return this.isActiveMember(user._id);
}
},
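Review bot: `isVisibleBy(user)` reads `user._id` on the private-board branch without checking that `user` is set, and the new `exportBoard` method in models/export.js passes `Meteor.user()`, which is null for an unauthenticated caller, so a logged-out request for a private board fails with a TypeError instead of the intended `error-board-notAMember` error (the JsonRoutes handler in the same commit does guard with `user &&`, the method does not). The same gap reaches `Exporter.canExport`, which forwards `user` unchanged. A one-line guard keeps the helper total: `return user != null && this.isActiveMember(user._id);`. The `Boards.helpers({` object opened on the first line of this hunk continues past its end.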
diff --git a/models/export.js b/models/export.js
index aab81c64..8d1be64e 100644
--- a/models/export.js
+++ b/models/export.js
@@ -1,11 +1,30 @@
+/* global JsonRoutes */
+if(Meteor.isServer) {
+ JsonRoutes.add('get', '/api/b/:boardId/:userId/:loginToken', function (req, res) {
+ const { userId, loginToken, boardId } = req.params;
+ const hashToken = Accounts._hashLoginToken(loginToken);
+ const user = Meteor.users.findOne({
+ _id: userId,
+ 'services.resume.loginTokens.hashedToken': hashToken,
+ });
+
+ const exporter = new Exporter(boardId);
+ if(user && exporter.canExport(user)) {
+ JsonRoutes.sendResult(res, 200, exporter.build());
+ } else {
+ // we could send an explicit error message, but on the other
+ // hand the only way to get there is by hacking the UI so...
+ JsonRoutes.sendResult(res, 403);
+ }
+ });
+}
Meteor.methods({
exportBoard(boardId) {
check(boardId, String);
- const board = Boards.findOne(boardId);
- if(board.isVisibleByUser()) {
- const exporter = new Exporter(boardId);
+ const exporter = new Exporter(boardId);
+ if(exporter.canExport(Meteor.user())) {
return exporter.build();
} else {
throw new Meteor.Error('error-board-notAMember');
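Review bot: The new route declared on the `JsonRoutes.add` line carries the user's resume login token as a URL path segment, so the credential is written to server access logs, intermediary proxy logs and browser history, and can leak through a Referer header; carrying it in a request header such as `Authorization` or minting a short-lived export-specific token would keep it out of those places. The lookup on the `Meteor.users.findOne` call also matches only on `hashedToken` and never checks the token entry's `when` timestamp, so an expired resume token still authorizes an export; comparing it against the configured login expiration would close that. `Accounts._hashLoginToken` is an underscore-prefixed internal API and may change without notice, which is worth a comment at the call site. The `exportBoard` method body continues past the end of this hunk.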
@@ -56,4 +75,9 @@ class Exporter {
result.users = Users.find(byUserIds, userFields).fetch();
return result;
}
+
+ canExport(user) {
+ const board = Boards.findOne(this._boardId);
+ return board && board.isVisibleBy(user);
+ }
}
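Review bot: `canExport(user)` has no doc comment, while its counterpart `isVisibleBy` in models/boards.js documents its contract; suggested header: `/** Whether `user` may export this board; falsy when the board does not exist. */`. As written the method returns `undefined` rather than `false` when `Boards.findOne` finds nothing, because `board && ...` yields the left operand; callers today only test truthiness, but `return Boolean(board) && board.isVisibleBy(user);` would make the result a proper boolean. The `Exporter` class opens before this hunk; only its last method and closing brace are visible here.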