X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fchallenges.js;h=a7adcf5cc2c1707679c15eb0b80a826b27695fda;hb=99b7a14c6e01c53a49459c8d4681acf6abe635d8;hp=146bbe2d182b4d5c9c6dcbeede300e301ba072c2;hpb=2be5d6140901fc7bb2a33d672e52cfdc545a1912;p=vchess.git
diff --git a/server/routes/challenges.js b/server/routes/challenges.js
index 146bbe2d..a7adcf5c 100644
--- a/server/routes/challenges.js
+++ b/server/routes/challenges.js
@@ -4,8 +4,11 @@ let router = require("express").Router();
 const access = require("../utils/access");
 const ChallengeModel = require("../models/Challenge");
 const UserModel = require("../models/User"); //for name check
+const params = require("../config/parameters");
 router.get("/challenges", (req,res) => {
+ if (!req.query["uid"].match(/^[0-9]+$/))
+ res.json({errmsg: "Bad user ID"});
 ChallengeModel.getByUser(req.query["uid"], (err,challenges) => {
 res.json(err || {challenges:challenges});
 });
@@ -35,6 +38,8 @@ router.post("/challenges", access.logged, access.ajax, (req,res) => {
 return res.json(err | {errmsg: "Typo in player name"});
 challenge.to = user.id; //ready now to insert challenge
 insertChallenge();
+ if (user.notify)
+ UserModel.notify(user, "New challenge: " + params.siteURL + "/");
 });
 }
 else
@@ -43,6 +48,8 @@ router.post("/challenges", access.logged, access.ajax, (req,res) => {
 router.delete("/challenges", access.logged, access.ajax, (req,res) => {
 const cid = req.query.id;
+ if (!cid.match(/^[0-9]+$/))
+ res.json({errmsg: "Bad challenge ID"});
 ChallengeModel.safeRemove(cid, req.userId, err => {
 res.json(err || {}); //TODO: just "return err" because is empty if no errors
 });
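Review bot: The new guard in `router.get` sends the error but does not return, so `ChallengeModel.getByUser` still runs with the rejected `uid` and its callback then tries to send a second response; as written the check blocks nothing. `req.query["uid"]` is also not guaranteed to be a string: it is undefined when the parameter is missing and, with Express's default query parser, can be an array or object, in which case `.match` throws. Something like `const uid = req.query["uid"];` followed by `if (typeof uid !== "string" || !/^[0-9]+$/.test(uid)) return res.json({errmsg: "Bad user ID"});` covers both. The `cid` check added to `router.delete` in the third hunk has the same two problems and needs the same `return` and type test.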
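Review bot: The notification in the second hunk is sent right after `insertChallenge()` is called rather than after it has succeeded, so if the insert is asynchronous or can be refused (its body is outside this hunk) the recipient is told about a challenge that may not exist. Triggering `UserModel.notify` from the insert's success path would tie the message to a stored challenge. Because any logged-in user can name any player as the target, this line also lets one account make the server send messages to other users on demand; if challenge creation is not already limited per sender elsewhere, that limit is worth adding alongside this change. The enclosing lookup callback and the `router.post` handler both start and end outside the hunk.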