X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fgames.js;h=e9d9ab46c59a647aca2b5bc16ff4493d796ad303;hb=58e7b94e6e1a8d5721b9211b45c40e65fc13f600;hp=3b91e8b771070b0bd8c71b31b12a716041c76a99;hpb=411d23cd80a2dbf53d21008976d34e7f450154bf;p=vchess.git
diff --git a/server/routes/games.js b/server/routes/games.js
index 3b91e8b7..e9d9ab46 100644
--- a/server/routes/games.js
+++ b/server/routes/games.js
@@ -9,11 +9,22 @@ var params = require("../config/parameters");
 // From main hall, start game between players 0 and 1
 router.post("/games", access.logged, access.ajax, (req,res) => {
 const gameInfo = req.body.gameInfo;
- if (!gameInfo.players.some(p => p.id == req.userId))
+ if (!Array.isArray(gameInfo.players) ||
+ !gameInfo.players.some(p => p.id == req.userId))
+ {
 return res.json({errmsg: "Cannot start someone else's game"});
+ }
 const cid = req.body.cid;
+ // Check all entries of gameInfo + cid:
+ let error = GameModel.checkGameInfo(gameInfo);
+ if (!error)
+ {
+ if (!cid.toString().match(/^[0-9]+$/))
+ error = "Wrong challenge ID";
+ }
+ if (!!error)
+ return res.json({errmsg:error});
 ChallengeModel.remove(cid);
- const fen = req.body.fen;
 GameModel.create(
 gameInfo.vid, gameInfo.fen, gameInfo.timeControl, gameInfo.players,
 (err,ret) => {
@@ -34,7 +45,7 @@ router.get("/games", access.ajax, (req,res) => {
 {
 GameModel.getOne(gameId, (err,game) => {
 access.checkRequest(res, err, game, "Game not found", () => {
- res.json({game: game});
+ res.json({game: game});
 });
 });
 }
@@ -44,7 +55,7 @@ router.get("/games", access.ajax, (req,res) => {
 const userId = req.query["uid"];
 const excluded = !!req.query["excluded"];
 GameModel.getByUser(userId, excluded, (err,games) => {
- if (!!err)
+ if (!!err)
 return res.json({errmsg: err.errmsg || err.toString()});
 res.json({games: games});
 });
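Review bot: In the `router.post("/games")` hunk the challenge-ID check tests `cid.toString()` against the regex, but the unmodified `cid` is what reaches `ChallengeModel.remove(cid)`, so a non-string body value whose string form happens to be all digits passes validation and is forwarded with its original type. A request with no `cid` or no `gameInfo` also throws a TypeError at `cid.toString()` or `gameInfo.players` before any `errmsg` response is sent. I would type-check before matching, `if ((typeof cid !== "string" && typeof cid !== "number") || !/^[0-9]+$/.test(String(cid))) error = "Wrong challenge ID";`, and start the first condition with `!gameInfo ||`. The handler body continues outside the hunk, and nothing visible here shows that the challenge being removed belongs to the caller, so confirm `ChallengeModel.remove` or its caller enforces that.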
@@ -54,9 +65,14 @@ router.get("/games", access.ajax, (req,res) => {
 // New move + fen update + score, potentially
 // TODO: if newmove fail, takeback in GUI
 router.put("/games", access.logged, access.ajax, (req,res) => {
- const gid = req.body.gid;
- const oppId = req.body.oppId;
- const obj = req.body.newObj;
+ const gid = req.body.gid;
+ let error = "";
+ if (!gid.toString().match(/^[0-9]+$/))
+ error = "Wrong game ID";
+ const obj = req.body.newObj;
+ error = GameModel.checkGameUpdate(obj);
+ if (!!error)
+ return res.json({errmsg: error});
 GameModel.update(gid, obj, (err) => {
 if (!!err)
 return res.json(err);
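Review bot: The game-ID check in the `router.put("/games")` hunk has no effect, because `error = "Wrong game ID"` is overwritten two statements later by `error = GameModel.checkGameUpdate(obj);`, so a non-numeric `gid` still reaches `GameModel.update(gid, obj, ...)`. Return as soon as the check fails, `if ((typeof gid !== "string" && typeof gid !== "number") || !/^[0-9]+$/.test(String(gid))) return res.json({errmsg: "Wrong game ID"});`, or guard the second assignment with `if (!error)` as the POST handler does. As written, `gid.toString()` also throws when the body carries no `gid`. The handler continues past the end of the hunk, and no visible line ties `gid` to `req.userId`, so confirm that the model or a later line checks the caller is a player in that game before the update is applied.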