X-Git-Url: https://git.auder.net/?p=vchess.git;a=blobdiff_plain;f=server%2Froutes%2Fnews.js;h=80b91299df4ae5f328054405c588138b45b0caf2;hp=dbd6d382fffc3192d0750a254cb41246e12b975c;hb=866842c3c310524c034922870234120ed2a16cbf;hpb=8477e53d8e78606e4c4e4bf91c77b1011aab583c
diff --git a/server/routes/news.js b/server/routes/news.js
index dbd6d382..80b91299 100644
--- a/server/routes/news.js
+++ b/server/routes/news.js
@@ -1,50 +1,46 @@
-// AJAX methods to get, create, update or delete a problem
-
 let router = require("express").Router();
 const access = require("../utils/access");
 const NewsModel = require("../models/News");
 const sanitizeHtml = require('sanitize-html');
-const devs = [1]; //hard-coded list of developers, allowed to post news
+const devs = [1]; //hard-coded list of developers IDs, allowed to post news
 
-router.get("/news", (req,res) => {
- const cursor = req.query["cursor"];
- if (!cursor.match(/^[0-9]+$/))
- return res.json({errmsg: "Bad cursor value"});
- NewsModel.getNext(cursor, (err,newsList) => {
- res.json(err || {newsList:newsList});
- });
+router.post("/news", access.logged, access.ajax, (req,res) => {
+ if (devs.includes(req.userId))
+ {
+ const content = sanitizeHtml(req.body.news.content);
+ NewsModel.create(content, req.userId, (err,ret) => {
+ res.json(err || {id:ret.nid});
+ });
+ }
 });
 
-router.post("/news", access.logged, access.ajax, (req,res) => {
- if (!devs.includes(req.userId))
- return res.json({errmsg: "Not allowed to post"});
- const content = sanitizeHtml(req.body.news.content);
- NewsModel.create(content, req.userId, (err,ret) => {
- return res.json(err || {id:ret.nid});
- });
+router.get("/news", access.ajax, (req,res) => {
+ const cursor = req.query["cursor"];
+ if (cursor.match(/^[0-9]+$/))
+ {
+ NewsModel.getNext(cursor, (err,newsList) => {
+ res.json(err || {newsList:newsList});
+ });
+ }
 });
 
 router.put("/news", access.logged, access.ajax, (req,res) => {
- if (!devs.includes(req.userId))
- return res.json({errmsg: "Not allowed to edit"});
 let news = req.body.news;
- if (!news.id.toString().match(/^[0-9]+$/))
- res.json({errmsg: "Bad news ID"});
- news.content = sanitizeHtml(news.content);
- NewsModel.update(news, (err) => {
- res.json(err || {});
- });
+ if (devs.includes(req.userId) && news.id.toString().match(/^[0-9]+$/))
+ {
+ news.content = sanitizeHtml(news.content);
+ NewsModel.update(news);
+ res.json({});
+ }
 });
 
 router.delete("/news", access.logged, access.ajax, (req,res) => {
- if (!devs.includes(req.userId))
- return res.json({errmsg: "Not allowed to delete"});
 const nid = req.query.id;
- if (!nid.toString().match(/^[0-9]+$/))
- res.json({errmsg: "Bad news ID"});
- NewsModel.remove(nid, err => {
- res.json(err || {});
- });
+ if (devs.includes(req.userId) && nid.toString().match(/^[0-9]+$/))
+ {
+ NewsModel.remove(nid);
+ res.json({});
+ }
 });
 
 module.exports = router;
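Review bot: When the developer check or the ID/cursor check fails, none of the four rewritten handlers sends a response any more — the new `router.post`, `router.get`, `router.put` and `router.delete` bodies each wrap their work in an `if` with no `else`, so a non-developer or a request with a malformed `cursor`/`id` is left hanging until the client times out and never receives the `errmsg` the old code returned. The same hunk drops the completion callbacks from `NewsModel.update(news)` and `NewsModel.remove(nid)` and answers `res.json({})` right away, so a failed write is reported as success and its error is no longer surfaced (whether the model tolerates a missing callback is not visible here). A body without `news`/`id`, or a query without `cursor`, still hits `news.id.toString()` / `cursor.match` and throws a TypeError instead of getting a clean error reply. Restoring the guard-clause form with explicit error replies and the callbacks fixes all three; the `put` handler below shows the shape, and `post`, `get` and `delete` follow the same pattern.
```javascript
router.put("/news", access.logged, access.ajax, (req,res) => {
  const news = req.body.news;
  // Reply explicitly on every rejected path so the client never hangs
  if (!devs.includes(req.userId))
    return res.json({errmsg: "Not allowed to edit"});
  if (!news || !/^[0-9]+$/.test(String(news.id)))
    return res.json({errmsg: "Bad news ID"});
  news.content = sanitizeHtml(news.content);
  // Report only after the write completes, surfacing a DB error if any
  NewsModel.update(news, (err) => {
    res.json(err || {});
  });
});
```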