Sanitize more
diff --git
a/server/routes/challenges.js
b/server/routes/challenges.js
index
28103fc
..
a7adcf5
100644
(file)
--- a/
server/routes/challenges.js
+++ b/
server/routes/challenges.js
@@
-7,6
+7,8
@@
const UserModel = require("../models/User"); //for name check
const params = require("../config/parameters");
router.get("/challenges", (req,res) => {
const params = require("../config/parameters");
router.get("/challenges", (req,res) => {
+ if (!req.query["uid"].match(/^[0-9]+$/))
+ res.json({errmsg: "Bad user ID"});
ChallengeModel.getByUser(req.query["uid"], (err,challenges) => {
res.json(err || {challenges:challenges});
});
ChallengeModel.getByUser(req.query["uid"], (err,challenges) => {
res.json(err || {challenges:challenges});
});
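Review bot: The new guard in the GET /challenges handler does not stop the request, because `res.json({errmsg: "Bad user ID"})` is not returned, so a non-numeric `uid` still reaches `ChallengeModel.getByUser` and the callback then calls `res.json` a second time on an already-sent response. The check also throws a TypeError when `uid` is absent or repeated (`?uid=1&uid=2` arrives as an array with no `.match`), which surfaces as a 500 instead of the intended error message. I would replace the two added lines with `const uid = req.query["uid"];` / `if (typeof uid !== "string" || !/^[0-9]+$/.test(uid))` / `return res.json({errmsg: "Bad user ID"});`. Whether the model itself parameterizes the query is not visible here, so treating this route-level check as the only barrier would be presumptuous; worth confirming in ChallengeModel.getByUser.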
@@
-46,6
+48,8
@@
router.post("/challenges", access.logged, access.ajax, (req,res) => {
router.delete("/challenges", access.logged, access.ajax, (req,res) => {
const cid = req.query.id;
router.delete("/challenges", access.logged, access.ajax, (req,res) => {
const cid = req.query.id;
+ if (!cid.match(/^[0-9]+$/))
+ res.json({errmsg: "Bad challenge ID"});
ChallengeModel.safeRemove(cid, req.userId, err => {
res.json(err || {}); //TODO: just "return err" because is empty if no errors
});
ChallengeModel.safeRemove(cid, req.userId, err => {
res.json(err || {}); //TODO: just "return err" because is empty if no errors
});
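Review bot: The added `cid` validation in the DELETE handler falls through on failure: without a `return`, `ChallengeModel.safeRemove(cid, req.userId, ...)` still runs with the rejected value and the callback's `res.json(err || {})` then tries to send a second response. Since `cid` comes straight from `req.query.id`, it can also be `undefined` or an array, in which case `cid.match` throws before the check completes. Suggested replacement for the two added lines: `if (typeof cid !== "string" || !/^[0-9]+$/.test(cid))` / `return res.json({errmsg: "Bad challenge ID"});`. The ownership check (`req.userId`) is presumably enforced inside `safeRemove`, which is outside this hunk, so this note only concerns the input guard.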