| 1 | // AJAX methods to get, create, update or delete a problem |
| 2 | |
| 3 | let router = require("express").Router(); |
| 4 | const access = require("../utils/access"); |
| 5 | const NewsModel = require("../models/News"); |
| 6 | const sanitizeHtml = require('sanitize-html'); |
| 7 | const devs = [1]; //hard-coded list of developers, allowed to post news |
| 8 | |
| 9 | router.get("/news", (req,res) => { |
| 10 | const cursor = req.query["cursor"]; |
| 11 | if (!cursor.match(/^[0-9]+$/)) |
| 12 | return res.json({errmsg: "Bad cursor value"}); |
| 13 | NewsModel.getNext(cursor, (err,newsList) => { |
| 14 | res.json(err || {newsList:newsList}); |
| 15 | }); |
| 16 | }); |
| 17 | |
| 18 | router.post("/news", access.logged, access.ajax, (req,res) => { |
| 19 | if (!devs.includes(req.userId)) |
| 20 | return res.json({errmsg: "Not allowed to post"}); |
| 21 | const content = sanitizeHtml(req.body.news.content); |
| 22 | NewsModel.create(content, req.userId, (err,ret) => { |
| 23 | return res.json(err || {nid:ret.nid}); |
| 24 | }); |
| 25 | }); |
| 26 | |
| 27 | router.put("/news", access.logged, access.ajax, (req,res) => { |
| 28 | if (!devs.includes(req.userId)) |
| 29 | return res.json({errmsg: "Not allowed to edit"}); |
| 30 | let news = req.body.news; |
| 31 | if (!news.id.toString().match(/^[0-9]+$/)) |
| 32 | res.json({errmsg: "Bad news ID"}); |
| 33 | news.content = sanitizeHtml(news.content); |
| 34 | NewsModel.update(news, (err) => { |
| 35 | res.json(err || {}); |
| 36 | }); |
| 37 | }); |
| 38 | |
| 39 | router.delete("/news", access.logged, access.ajax, (req,res) => { |
| 40 | if (!devs.includes(req.userId)) |
| 41 | return res.json({errmsg: "Not allowed to delete"}); |
| 42 | const nid = req.query.id; |
| 43 | if (!nid.toString().match(/^[0-9]+$/)) |
| 44 | res.json({errmsg: "Bad news ID"}); |
| 45 | NewsModel.remove(nid, err => { |
| 46 | res.json(err || {}); |
| 47 | }); |
| 48 | }); |
| 49 | |
| 50 | module.exports = router; |