X-Git-Url: https://git.auder.net/?p=vchess.git;a=blobdiff_plain;f=server%2Froutes%2Fgames.js;h=e9d9ab46c59a647aca2b5bc16ff4493d796ad303;hp=a444acdf5127854e9d323a6fa4c46baff1278528;hb=58e7b94e6e1a8d5721b9211b45c40e65fc13f600;hpb=d36ca1989daec86e5ad4b2e65c8a045af171fafd
diff --git a/server/routes/games.js b/server/routes/games.js
index a444acdf..e9d9ab46 100644
--- a/server/routes/games.js
+++ b/server/routes/games.js
@@ -9,11 +9,22 @@ var params = require("../config/parameters");
 // From main hall, start game between players 0 and 1
 router.post("/games", access.logged, access.ajax, (req,res) => {
 const gameInfo = req.body.gameInfo;
- if (!gameInfo.players.some(p => p.id == req.userId))
+ if (!Array.isArray(gameInfo.players) ||
+ !gameInfo.players.some(p => p.id == req.userId))
+ {
 return res.json({errmsg: "Cannot start someone else's game"});
+ }
 const cid = req.body.cid;
+ // Check all entries of gameInfo + cid:
+ let error = GameModel.checkGameInfo(gameInfo);
+ if (!error)
+ {
+ if (!cid.toString().match(/^[0-9]+$/))
+ error = "Wrong challenge ID";
+ }
+ if (!!error)
+ return res.json({errmsg:error});
 ChallengeModel.remove(cid);
- const fen = req.body.fen;
 GameModel.create(
 gameInfo.vid, gameInfo.fen, gameInfo.timeControl, gameInfo.players, (err,ret) => {
@@ -55,7 +66,13 @@ router.get("/games", access.ajax, (req,res) => {
 // TODO: if newmove fail, takeback in GUI
 router.put("/games", access.logged, access.ajax, (req,res) => {
 const gid = req.body.gid;
- const obj = req.body.newObj;
+ let error = "";
+ if (!gid.toString().match(/^[0-9]+$/))
+ error = "Wrong game ID";
+ const obj = req.body.newObj;
+ error = GameModel.checkGameUpdate(obj);
+ if (!!error)
+ return res.json({errmsg: error});
 GameModel.update(gid, obj, (err) => {
 if (!!err)
 return res.json(err);
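Review bot: `cid.toString()` in the new challenge-ID check throws when the request body carries no `cid`, and `gameInfo.players` still throws when `gameInfo` itself is missing, so a malformed POST raises inside the handler instead of getting an `errmsg` reply. Guard both, e.g. `if (!gameInfo || !Array.isArray(gameInfo.players) ||` on the first condition and `if (!String(cid).match(/^[0-9]+$/))` for the ID. Separately, `ChallengeModel.remove(cid)` runs after only a format check on `cid`; unless the model verifies ownership (not visible here), a logged-in user who lists themselves in `players` could remove a challenge they are not part of, so the route should confirm the challenge involves `req.userId` before removing it. The handler body continues outside the hunk.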
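Review bot: The new `gid` check has no effect, because `error = "Wrong game ID"` is unconditionally overwritten by `error = GameModel.checkGameUpdate(obj);` two lines later, so a non-numeric `gid` still reaches `GameModel.update`. Return at once instead: `if (!String(gid).match(/^[0-9]+$/)) return res.json({errmsg: "Wrong game ID"});`, which also avoids the throw from `gid.toString()` when `gid` is absent from the body. Nothing in the hunk ties `gid` to `req.userId`; if `GameModel.update` does not itself check that the caller is a player of that game, that check belongs in this route. The handler body continues outside the hunk.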