From 18697d45f652a119ba21b0cef42fbf732902bfa9 Mon Sep 17 00:00:00 2001
From: Xavier Priour
Date: Sun, 13 Dec 2015 20:02:34 +0100
Subject: board export now checks authentication
---
 models/boards.js | 27 +++++++++++++++++++++++++++
 models/export.js | 26 ++++++++------------------
 2 files changed, 35 insertions(+), 18 deletions(-)
(limited to 'models')
diff --git a/models/boards.js b/models/boards.js
index 6aba0b1e..b3d5b0d0 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -79,6 +79,33 @@ Boards.attachSchema(new SimpleSchema({
 Boards.helpers({
+ /**
+ * Is current logged-in user authorized to view this board?
+ */
+ isVisibleByUser() {
+ if(this.isPublic()) {
+ // public boards are visible to everyone
+ return true;
+ } else {
+ // otherwise you have to be logged-in and active member
+ return this.isActiveMember(Meteor.userId());
+ }
+ },
+
+ /**
+ * Is the user one of the active members of the board?
+ *
+ * @param userId
+ * @returns {boolean} the member that matches, or undefined/false
+ */
+ isActiveMember(userId) {
+ if(userId) {
+ return this.members.find((member) => (member.userId === userId && member.isActive));
+ } else {
+ return false;
+ }
+ },
+
 isPublic() {
 return this.permission === 'public';
 },
diff --git a/models/export.js b/models/export.js
index 7be97986..20b1186a 100644
--- a/models/export.js
+++ b/models/export.js
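Review bot: `isActiveMember` is documented as `@returns {boolean}` but returns the result of `Array.prototype.find`, i.e. the matching member object or `undefined`, and `isVisibleByUser` hands that straight back as the authorization answer. A strict boolean is safer for an access-control predicate that may later be compared or serialized: `return this.members.some((member) => member.userId === userId && member.isActive);`. The helper also assumes `this.members` is loaded; if a board is ever fetched with a field projection that omits `members`, the call throws instead of denying, so the requirement deserves a comment or a guard. The `Boards.helpers({` object continues past the end of this hunk.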
@@ -1,25 +1,15 @@
-/* global JsonRoutes */
-if(Meteor.isServer) {
- console.log(`userId is ${this.userId}`);
- JsonRoutes.add('get', '/api/b/:id', function (req, res) {
- const id = req.params.id;
- const board = Boards.findOne(id);
- //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
- const exporter = new Exporter(id);
- JsonRoutes.sendResult(res, 200, exporter.build());
- //} else {
- // // 403 = forbidden
- // JsonRoutes.sendError(res, 403);
- //}
- });
-}
+
 Meteor.methods({
 exportBoard(boardId) {
+ check(boardId, String);
 const board = Boards.findOne(boardId);
-// //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
- const exporter = new Exporter(boardId);
- return exporter.build();
+ if(board.isVisibleByUser()) {
+ const exporter = new Exporter(boardId);
+ return exporter.build();
+ } else {
+ throw new Meteor.Error('error-board-notAMember');
+ }
 }
 });
-- 
cgit v1.2.3-1-g7c22
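Review bot: `Boards.findOne(boardId)` returns `undefined` for an unknown id, so `board.isVisibleByUser()` throws a TypeError before the authorization branch runs. The caller then sees a generic internal error for a nonexistent board but `error-board-notAMember` for an existing private one, which lets anyone who can call the method tell the two cases apart. Handling both the same way avoids that and keeps the failure explicit: `if (board && board.isVisibleByUser()) {`. It would also help to state in a comment above `exportBoard` that visibility is evaluated for the calling user via `Meteor.userId()` inside the helper, since nothing in this file shows which identity is checked.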