From cc585396a85e3107bb7b4298098b84b738919c8f Mon Sep 17 00:00:00 2001
From: Jules Laplace
Date: Fri, 15 Dec 2017 02:52:15 +0100
Subject: more middleware
---
 bucky/app/bucky.js | 13 ++++++++++++-
 bucky/app/router.js | 1 +
 bucky/db/index.js | 7 +++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/bucky/app/bucky.js b/bucky/app/bucky.js
index 1b14f43..ec0ab8c 100644
--- a/bucky/app/bucky.js
+++ b/bucky/app/bucky.js
@@ -448,6 +448,12 @@ var bucky = module.exports = {
 /* PRIVACY */
+ checkIsAdmin: function(req, res, next){
+ if (req.user.get('ulevel') !== 3) {
+ return res.sendStatus(500)
+ }
+ next()
+ },
 checkUserPrivacy: function(req, res, next) {
 if (req.user.get('username') !== res.user.get('username')) {
 return res.sendStatus(500)
@@ -455,7 +461,7 @@ var bucky = module.exports = {
 next()
 },
 checkThreadPrivacy: function(req, res, next) {
- if (req.user.get('ulevel') !== 3 && req.user.get('username') !== res.thread.get('username')) {
+ if (res.thread.checkPrivacy(req.user)) {
 return res.sendStatus(500)
 }
 next()
@@ -473,6 +479,11 @@ var bucky = module.exports = {
 }
 next()
 },
+ checkThreadsPrivacy: function(req, res, next) {
+ res.threads = res.threads.filter(thread => {
+ return thread.checkPrivacy(req.user)
+ })
+ },
 /* MAIL */
diff --git a/bucky/app/router.js b/bucky/app/router.js
index cb90350..106c65e 100644
--- a/bucky/app/router.js
+++ b/bucky/app/router.js
@@ -142,6 +142,7 @@ module.exports = function(app){
 middleware.ensureAuthenticated,
 bucky.ensureThread,
 bucky.bumpViewCount,
+ bucky.ensureThreadPrivacy,
 bucky.ensureKeywordForThread,
 bucky.ensureCommentsForThread,
 bucky.ensureFilesForThread,
diff --git a/bucky/db/index.js b/bucky/db/index.js
index 36e5c93..652f723 100644
--- a/bucky/db/index.js
+++ b/bucky/db/index.js
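Review bot: `checkIsAdmin` in bucky/app/bucky.js answers an authorization failure with `res.sendStatus(500)`, which makes a denied request indistinguishable from a server fault in logs and monitoring; `return res.sendStatus(403)` states what actually happened. The bare `3` is presumably the admin level, and a named constant such as `const ULEVEL_ADMIN = 3` would keep this check and any other `ulevel` comparison in step. The neighbouring `checkUserPrivacy` and `checkThreadPrivacy` return the same 500 for a refusal.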
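Review bot: The new condition in `checkThreadPrivacy` looks inverted. `Thread.checkPrivacy` (added in bucky/db/index.js by this commit) returns `true` when the user may see the thread and falls through to `undefined` otherwise, so `if (res.thread.checkPrivacy(req.user))` refuses the owner and allowed users and calls `next()` for everyone else. The guard should read `if (!res.thread.checkPrivacy(req.user)) {`. The removed line also let `ulevel` 3 through regardless of ownership; if that bypass is still intended it has to be kept here or moved into `checkPrivacy`.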
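Review bot: `checkThreadsPrivacy` never calls `next()`, so any route that mounts it leaves the request hanging once the filter has run; add `next()` after the `filter` call. The function also relies on `res.threads` having been set by an earlier middleware that is not visible in this hunk, which deserves a comment such as `// expects res.threads from the preceding thread-loading middleware`.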
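Review bot: The route in bucky/app/router.js mounts `bucky.ensureThreadPrivacy`, but the middleware this commit touches is named `checkThreadPrivacy`; unless `ensureThreadPrivacy` is defined elsewhere in bucky.js, this entry is `undefined` and Express will refuse the route at registration. It is also placed after `bucky.bumpViewCount`, so a request that is later refused still increments the view counter; moving the privacy check directly after `bucky.ensureThread` keeps side effects behind the access decision. The route definition starts and ends outside the hunk.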
@@ -14,6 +14,13 @@ var User = db.User = bookshelf.Model.extend({
 var Thread = db.Thread = bookshelf.Model.extend({
 tableName: 'threads',
 hasTimestamps: false,
+ checkPrivacy: function(user){
+ if (this.get('privacy') === 0) return true
+ let username = user.get('username')
+ if (this.get('username') === username) return true
+ let allowed = this.get('allowed').split(',')
+ if (allowed.findIndex(username) !== -1) return true
+ }
 })
 var ThreadUser = db.ThreadUser = bookshelf.Model.extend({
 tableName: 'thread_users',
-- cgit v1.2.3-70-g09d2
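Review bot: `allowed.findIndex(username)` passes a string where `Array.prototype.findIndex` expects a callback, so it throws a TypeError for any non-public thread viewed by someone other than its owner; `if (allowed.indexOf(username) !== -1) return true` is the membership test this line is after. `this.get('allowed')` may also be null for threads without an allow-list (not visible here), in which case `.split` throws, and `(this.get('allowed') || '').split(',')` covers that. Ending the method with an explicit `return false` would document the deny-by-default result that callers currently receive as `undefined`.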