router.post("/games", access.logged, access.ajax, (req,res) => {
const gameInfo = req.body.gameInfo;
if (!Array.isArray(gameInfo.players) ||
- !gameInfo.players.some(p => p.id == req.userId))
+ gameInfo.players.every(p => p.id != req.userId))
{
return res.json({errmsg: "Cannot start someone else's game"});
}
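Review bot: `req.body.gameInfo` is dereferenced in the first line of the condition without a presence check, so a POST whose body has no `gameInfo` (or a null one) throws a TypeError before the ownership test runs, instead of returning the JSON error. Starting the guard with `if (!gameInfo || !Array.isArray(gameInfo.players) ||` would close that path. A null entry inside `players` would throw the same way in the `p.id` callback. The rewritten `every(p => p.id != req.userId)` is logically the same test as the removed `!some(...)` and still relies on loose comparison, so a short comment stating which types the two ids have would make this authorization check easier to audit. The handler body continues outside this hunk.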
return res.json({errmsg:error});
ChallengeModel.remove(cid);
GameModel.create(
- gameInfo.vid, gameInfo.fen, gameInfo.timeControl, gameInfo.players,
+ gameInfo.vid, gameInfo.fen, gameInfo.cadence, gameInfo.players,
(err,ret) => {
access.checkRequest(res, err, ret, "Cannot create game", () => {
const oppIdx = (gameInfo.players[0].id == req.userId ? 1 : 0);
const gameId = req.query["gid"];
if (!!gameId)
{
- GameModel.getOne(gameId, (err,game) => {
+ if (!gameId.match(/^[0-9]+$/))
+ return res.json({errmsg: "Wrong game ID"});
+ GameModel.getOne(gameId, false, (err,game) => {
access.checkRequest(res, err, game, "Game not found", () => {
res.json({game: game});
});
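Review bot: The added `gameId.match(...)` call assumes `req.query["gid"]` is a string, but the preceding `!!gameId` test also passes for an array or object, which a query parser can produce for repeated or bracketed parameters. Calling `.match` on those throws rather than answering "Wrong game ID". Testing the type first, e.g. `if (typeof gameId !== "string" || !/^[0-9]+$/.test(gameId))`, keeps the rejection inside the handler. The same applies to the `userId.match(...)` check added further down, where `req.query["uid"]` is also not tested for presence, so a request carrying neither parameter appears to throw there. The pattern sets no upper bound on the digit count; whether that matters depends on how GameModel uses the id, which is not visible here.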
{
// Get by (non-)user ID:
const userId = req.query["uid"];
+ if (!userId.match(/^[0-9]+$/))
+ return res.json({errmsg: "Wrong user ID"});
const excluded = !!req.query["excluded"];
GameModel.getByUser(userId, excluded, (err,games) => {
if (!!err)