server/routes/news.js

   1 // AJAX methods to get, create, update or delete a problem
   2
   3 let router = require("express").Router();
   4 const access = require("../utils/access");
   5 const NewsModel = require("../models/News");
   6 const sanitizeHtml = require('sanitize-html');
   7 const devs = [1]; //hard-coded list of developers, allowed to post news
   8
   9 router.get("/news", (req,res) => {
  10   const cursor = req.query["cursor"];
  11   if (!cursor.match(/^[0-9]+$/))
  12     return res.json({errmsg: "Bad cursor value"});
  13   NewsModel.getNext(cursor, (err,newsList) => {
  14     res.json(err || {newsList:newsList});
  15   });
  16 });
  17
  18 router.post("/news", access.logged, access.ajax, (req,res) => {
  19   if (!devs.includes(req.userId))
  20     return res.json({errmsg: "Not allowed to post"});
  21   const content = sanitizeHtml(req.body.news.content);
  22   NewsModel.create(content, req.userId, (err,ret) => {
  23     return res.json(err || {nid:ret.nid});
  24   });
  25 });
  26
  27 router.put("/news", access.logged, access.ajax, (req,res) => {
  28   if (!devs.includes(req.userId))
  29     return res.json({errmsg: "Not allowed to edit"});
  30   let news = req.body.news;
  31   if (!news.id.toString().match(/^[0-9]+$/))
  32     res.json({errmsg: "Bad news ID"});
  33   news.content = sanitizeHtml(news.content);
  34   NewsModel.update(news, (err) => {
  35     res.json(err || {});
  36   });
  37 });
  38
  39 router.delete("/news", access.logged, access.ajax, (req,res) => {
  40   if (!devs.includes(req.userId))
  41     return res.json({errmsg: "Not allowed to delete"});
  42   const nid = req.query.id;
  43   if (!nid.toString().match(/^[0-9]+$/))
  44     res.json({errmsg: "Bad news ID"});
  45   NewsModel.remove(nid, err => {
  46     res.json(err || {});
  47   });
  48 });
  49
  50 module.exports = router;