NoLog.cz/gancio-upstream
6
0
Fork 0
mirror of https://framagit.org/les/gancio.git synced 2025-02-01 09:02:01 +01:00
Code Issues Projects Releases Packages Wiki Activity

[fix] confirm/unconfirm event permission

Browse source
This commit is contained in:
les 2019-10-28 17:42:21 +01:00
parent e467a28902
commit a0e2f5e634
2 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
server/api/controller/event.js
View file

@ -124,6 +124,9 @@ const eventController = {
const id = Number(req.params.event_id) const id = Number(req.params.event_id)
const event = await Event.findByPk(id) const event = await Event.findByPk(id)
if (!event) { return res.sendStatus(404) } if (!event) { return res.sendStatus(404) }
if (!req.user.is_admin && req.user.id !== event.userId) {
return res.sendStatus(403)
}
try { try {
event.is_visible = true event.is_visible = true
@ -143,6 +146,9 @@ const eventController = {
const id = Number(req.params.event_id) const id = Number(req.params.event_id)
const event = await Event.findByPk(id) const event = await Event.findByPk(id)
if (!event) { return req.sendStatus(404) } if (!event) { return req.sendStatus(404) }
if (!req.user.is_admin && req.user.id !== event.userId) {
return res.sendStatus(403)
}
try { try {
event.is_visible = false event.is_visible = false

4
server/api/index.js
View file

@ -83,8 +83,8 @@ api.post('/settings', fillUser, isAdmin, settingsController.setRequest)
api.get('/settings/user_locale', settingsController.getUserLocale) api.get('/settings/user_locale', settingsController.getUserLocale)
// confirm event // confirm event
api.get('/event/confirm/:event_id', isAuth, isAdmin, eventController.confirm) api.get('/event/confirm/:event_id', isAuth, eventController.confirm)
api.get('/event/unconfirm/:event_id', isAuth, isAdmin, eventController.unconfirm) api.get('/event/unconfirm/:event_id', isAuth, eventController.unconfirm)
// get event // get event
api.get('/event/:event_id.:format?', fillUser, eventController.get) api.get('/event/:event_id.:format?', fillUser, eventController.get)