routes and api restrictions fix relax#32

SnowMan2074 · Oct 5, 2015 · 9785875 · 9785875
1 parent c05b53d
commit 9785875
Show file tree

Hide file tree

Showing 5 changed files with 132 additions and 62 deletions.
diff --git a/lib/routers/public.js b/lib/routers/public.js
@@ -14,12 +14,16 @@ export default [
             stores.styles.findAll()
           ])
           .spread((page, elements, colors, styles) => {
-            render({
-              page,
-              elements,
-              colors,
-              styles
-            });
+            if (page.state === 'published') {
+              render({
+                page,
+                elements,
+                colors,
+                styles
+              });
+            } else {
+              next();
+            }
           })
           .catch(next);
       } else {
@@ -43,13 +47,17 @@ export default [
             stores.styles.findAll()
           ]))
           .spread((schemaEntry, schema, elements, colors, styles) => {
-            render({
-              schema,
-              schemaEntry,
-              elements,
-              colors,
-              styles
-            });
+            if (schemaEntry._state === 'published') {
+              render({
+                schema,
+                schemaEntry,
+                elements,
+                colors,
+                styles
+              });
+            } else {
+              next();
+            }
           })
           .catch(next);
       } else {

diff --git a/lib/server/routers/api/draft.js b/lib/server/routers/api/draft.js
@@ -4,6 +4,14 @@ import {Types} from 'mongoose';
 
 var draftApiRouter = new Router();
 
+draftApiRouter.use('/api/draft*', (req, res, next) => {
+  if (req.isAuthenticated()) {
+    next();
+  } else {
+    res.status(401).send();
+  }
+});
+
 draftApiRouter.get('/api/draft', (req, res, next) => {
   let options = req.query;
   if (options.id) {

diff --git a/lib/server/routers/api/page.js b/lib/server/routers/api/page.js
@@ -2,62 +2,91 @@ import {Router} from 'express';
 import pagesStore from '../../stores/pages';
 import revisionsStore from '../../stores/revisions';
 import {Types} from 'mongoose';
+import forEach from 'lodash.foreach';
 
 var pageApiRouter = new Router();
 
 pageApiRouter.get('/api/page', (req, res, next) => {
   pagesStore
     .findAll(req.query)
-    .then((pages) => {
+    .then((responsePages) => {
+      let pages = [];
+
+      if (req.isAuthenticated()) {
+        pages = responsePages;
+      } else {
+        forEach(responsePages, (page) => {
+          if (page.state === 'published') {
+            pages.push(page);
+          }
+        });
+      }
+
       res.status(200).send(pages);
     })
     .catch(next);
 });
 
 pageApiRouter.get('/api/page/count', (req, res, next) => {
-  pagesStore
-    .count({})
-    .then((count) => {
-      res.status(200).send({count});
-    })
-    .catch(next);
+  if (req.isAuthenticated()) {
+    pagesStore
+      .count({})
+      .then((count) => {
+        res.status(200).send({count});
+      })
+      .catch(next);
+  } else {
+    next();
+  }
 });
 
 pageApiRouter.get('/api/page/restore/:id/:version', (req, res, next) => {
-  const _id = new Types.ObjectId(req.params.id);
-  const __v = parseInt(req.params.version, 10);
+  if (req.isAuthenticated()) {
+    const _id = new Types.ObjectId(req.params.id);
+    const __v = parseInt(req.params.version, 10);
 
-  revisionsStore
-    .findById({_id, __v})
-    .then((revision) => {
-      return pagesStore.update(_id, revision.doc);
-    })
-    .then((page) => {
-      res.status(200).send(page);
-    })
-    .catch(next);
+    revisionsStore
+      .findById({_id, __v})
+      .then((revision) => {
+        return pagesStore.update(_id, revision.doc);
+      })
+      .then((page) => {
+        res.status(200).send(page);
+      })
+      .catch(next);
+  } else {
+    res.status(401).send();
+  }
 });
 
 pageApiRouter.get('/api/page/:id', (req, res, next) => {
-  var pageId = req.params.id;
+  if (req.isAuthenticated()) {
+    var pageId = req.params.id;
 
-  pagesStore
-    .findById(pageId)
-    .then((page) => {
-      res.status(200).send(page);
-    })
-    .catch(next);
+    pagesStore
+      .findById(pageId)
+      .then((page) => {
+        res.status(200).send(page);
+      })
+      .catch(next);
+  } else {
+    next();
+  }
 });
 
 pageApiRouter.get('/api/page/slug/:slug', (req, res, next) => {
-  var slug = req.params.slug;
+  if (req.isAuthenticated()) {
+    var slug = req.params.slug;
 
-  pagesStore
-    .count({slug: slug})
-    .then((count) => {
-      res.status(200).send({count});
-    })
-    .catch(next);
+    pagesStore
+      .count({slug: slug})
+      .then((count) => {
+        res.status(200).send({count});
+      })
+      .catch(next);
+  } else {
+    next();
+  }
 });
 
 pageApiRouter.post('/api/page',  (req, res, next) => {

diff --git a/lib/server/routers/api/revision.js b/lib/server/routers/api/revision.js
@@ -4,6 +4,14 @@ import {Types} from 'mongoose';
 
 var revisionApiRouter = new Router();
 
+revisionApiRouter.use('/api/revision*', (req, res, next) => {
+  if (req.isAuthenticated()) {
+    next();
+  } else {
+    res.status(401).send();
+  }
+});
+
 revisionApiRouter.get('/api/revision', (req, res, next) => {
   let options = req.query;
   if (options.id) {

diff --git a/lib/server/routers/api/schema-entry.js b/lib/server/routers/api/schema-entry.js
@@ -3,13 +3,26 @@ import schemaEntriesStoreFactory from '../../stores/schema-entries';
 import revisionsStore from '../../stores/revisions';
 import {Types} from 'mongoose';
 import Q from 'q';
+import forEach from 'lodash.foreach';
 
 var schemaEntryApiRouter = new Router();
 
 schemaEntryApiRouter.get('/api/schema-entry/:slug', (req, res, next) => {
   schemaEntriesStoreFactory(req.params.slug)
     .then((schemaEntryStore) => schemaEntryStore.findAll(req.query))
-    .then((schemaEntries) => {
+    .then((responseSchemaEntries) => {
+      let schemaEntries = [];
+
+      if (req.isAuthenticated()) {
+        schemaEntries = responseSchemaEntries;
+      } else {
+        forEach(responseSchemaEntries, (schemaEntry) => {
+          if (schemaEntry._state === 'published') {
+            schemaEntries.push(schemaEntry);
+          }
+        });
+      }
+
       res.status(200).send(schemaEntries);
     })
     .catch(next);
@@ -25,22 +38,26 @@ schemaEntryApiRouter.get('/api/schema-entry/:slug/count', (req, res, next) => {
 });
 
 schemaEntryApiRouter.get('/api/schema-entry/restore/:slug/:id/:version', (req, res, next) => {
-  const slug = req.params.slug;
-  const _id = new Types.ObjectId(req.params.id);
-  const __v = parseInt(req.params.version, 10);
-
-  Q
-    .all([
-      schemaEntriesStoreFactory(slug),
-      revisionsStore.findById({_id, __v})
-    ])
-    .spread((store, revision) => {
-      return store.update(_id, revision.doc);
-    })
-    .then((entry) => {
-      res.status(200).send(entry);
-    })
-    .catch(next);
+  if (req.isAuthenticated()) {
+    const slug = req.params.slug;
+    const _id = new Types.ObjectId(req.params.id);
+    const __v = parseInt(req.params.version, 10);
+
+    Q
+      .all([
+        schemaEntriesStoreFactory(slug),
+        revisionsStore.findById({_id, __v})
+      ])
+      .spread((store, revision) => {
+        return store.update(_id, revision.doc);
+      })
+      .then((entry) => {
+        res.status(200).send(entry);
+      })
+      .catch(next);
+  } else {
+    res.status(401).send();
+  }
 });
 
 schemaEntryApiRouter.get('/api/schema-entry/:slug/:id', (req, res, next) => {