-rw-r--r--bucky/app/bucky.js13
-rw-r--r--bucky/app/router.js1
-rw-r--r--bucky/db/index.js7
3 files changed, 20 insertions, 1 deletions
diff --git a/bucky/app/bucky.js b/bucky/app/bucky.js
index 1b14f43..ec0ab8c 100644
--- a/bucky/app/bucky.js
+++ b/bucky/app/bucky.js
@@ -448,6 +448,12 @@ var bucky = module.exports = {
/* PRIVACY */
+ checkIsAdmin: function(req, res, next){
+ if (req.user.get('ulevel') !== 3) {
+ return res.sendStatus(500)
+ }
+ next()
+ },
checkUserPrivacy: function(req, res, next) {
if (req.user.get('username') !== res.user.get('username')) {
return res.sendStatus(500)
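Review bot: A failed admin check in `checkIsAdmin` answers with `res.sendStatus(500)`, so authorization denials are indistinguishable from server faults in logs and alerting; `return res.sendStatus(403)` would state the outcome (the neighbouring `checkUserPrivacy` has the same pattern). The literal `3` is an undocumented privilege level and deserves a named constant or a comment such as `// ulevel 3 = administrator`. `req.user` is dereferenced without a guard, so this middleware presumably has to be mounted after the authentication middleware; a one-line comment saying so would help.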
@@ -455,7 +461,7 @@ var bucky = module.exports = {
next()
},
checkThreadPrivacy: function(req, res, next) {
- if (req.user.get('ulevel') !== 3 && req.user.get('username') !== res.thread.get('username')) {
+ if (res.thread.checkPrivacy(req.user)) {
return res.sendStatus(500)
}
next()
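Review bot: The new condition in `checkThreadPrivacy` looks inverted. `Thread.checkPrivacy`, added in bucky/db/index.js by this commit, returns `true` when the user may see the thread, so `if (res.thread.checkPrivacy(req.user))` rejects permitted users and lets everyone else fall through to `next()`. The guard should read `if (!res.thread.checkPrivacy(req.user)) {`. The removed line also let `ulevel` 3 users through and nothing on the new path does; if administrators are meant to keep access, that has to be restored here or inside `checkPrivacy`.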
@@ -473,6 +479,11 @@ var bucky = module.exports = {
}
next()
},
+ checkThreadsPrivacy: function(req, res, next) {
+ res.threads = res.threads.filter(thread => {
+ return thread.checkPrivacy(req.user)
+ })
+ },
/* MAIL */
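Review bot: `checkThreadsPrivacy` filters `res.threads` but never calls `next()`, so any route that mounts it will leave the request hanging until the client times out. Add `next()` after the `filter` call, before the closing `},`. The filter direction itself is right (threads for which `checkPrivacy` is truthy are kept), but it assumes `res.threads` is already populated with an array-like of `Thread` models; a short comment naming the middleware that sets it would make the ordering requirement visible.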
diff --git a/bucky/app/router.js b/bucky/app/router.js
index cb90350..106c65e 100644
--- a/bucky/app/router.js
+++ b/bucky/app/router.js
@@ -142,6 +142,7 @@ module.exports = function(app){
middleware.ensureAuthenticated,
bucky.ensureThread,
bucky.bumpViewCount,
+ bucky.ensureThreadPrivacy,
bucky.ensureKeywordForThread,
bucky.ensureCommentsForThread,
bucky.ensureFilesForThread,
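Review bot: The route references `bucky.ensureThreadPrivacy`, but the middleware visible in bucky/app/bucky.js in this commit is named `checkThreadPrivacy`; unless an `ensureThreadPrivacy` exists outside the hunks shown, this entry is `undefined` and the privacy check is not applied to the route. It should probably read `bucky.checkThreadPrivacy,`. It is also placed after `bucky.bumpViewCount`, so a request that is later denied still increments the view counter; moving the privacy check to directly after `bucky.ensureThread` avoids side effects on threads the user cannot see. The route definition starts and ends outside the hunk.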
diff --git a/bucky/db/index.js b/bucky/db/index.js
index 36e5c93..652f723 100644
--- a/bucky/db/index.js
+++ b/bucky/db/index.js
@@ -14,6 +14,13 @@ var User = db.User = bookshelf.Model.extend({
var Thread = db.Thread = bookshelf.Model.extend({
tableName: 'threads',
hasTimestamps: false,
+ checkPrivacy: function(user){
+ if (this.get('privacy') === 0) return true
+ let username = user.get('username')
+ if (this.get('username') === username) return true
+ let allowed = this.get('allowed').split(',')
+ if (allowed.findIndex(username) !== -1) return true
+ }
})
var ThreadUser = db.ThreadUser = bookshelf.Model.extend({
tableName: 'thread_users',
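Review bot: `allowed.findIndex(username)` in `checkPrivacy` passes a string where `Array.prototype.findIndex` expects a callback, so it throws a `TypeError` for every private thread viewed by a non-owner instead of consulting the allow-list; `if (allowed.includes(username)) return true` is the intended test. `this.get('allowed')` is split without a null check, so a thread with no allow-list would also throw; `(this.get('allowed') || '').split(',')` avoids that, and trimming the entries would guard against `"a, b"` style values if the column is free-form. The method falls off the end and returns `undefined` for the deny case; an explicit `return false` makes the contract clear to callers that negate the result.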