diff --git a/app.js b/app.js
index 838d028..2e08c50 100644
--- a/app.js
+++ b/app.js
@@ -41,7 +41,7 @@ app.use(
 cors({
 origin: true,
 credentials: true,
- methods: ["GET", "PUT", "POST"],
+ methods: ["GET", "PUT", "POST", "DELETE"],
 allowedHeaders: [
 "Access-Control-Allow-Headers",
 "Origin, X-Requested-With, Content-Type, Accept",
diff --git a/controllers/post.js b/controllers/post.js
index 55076b6..d469327 100644
--- a/controllers/post.js
+++ b/controllers/post.js
@@ -10,24 +10,26 @@ const sameAuthor = require("../middleware/sameAuthor.js");
 exports.index = asyncHandler(async (req, res, next) => {
 // get all posts
- const dbPosts = await Post.find({ published: true }).lean().exec();
+ let dbPosts = await Post.find().lean().exec();
 // check for authorization
 const token = req.cookies.JWT_TOKEN;
- blocc: if (token) {
- try {
- const username = jwt.verify(token, process.env.SECRET_KEY);
- } catch {
- break blocc;
- }
- // run through unpublished posts
- const unpublished = await Post.find({ published: false }).lean().exec();
- for (let z = 0; z < unpublished.length; z++) {
- const post = unpublished[i];
- // if any are by the current user, append to dbPosts
- if (username == post.author) {
- dbPosts.push(post);
+ if (token) {
+ const username = jwt.verify(token, process.env.SECRET_KEY).username;
+ // filter
+ dbPosts.forEach((post, index) => {
+ if (post.published == false) {
+ if (post.author != username) {
+ dbPosts.splice(index, 1);
+ }
 }
- }
+ });
+ } else {
+ // filter
+ dbPosts.forEach((post, index) => {
+ if (post.published == false) {
+ dbPosts.splice(index, 1);
+ }
+ });
 }
 const posts = [];
 for (let i = 0; i < dbPosts.length; i++) {
@@ -37,6 +39,7 @@ exports.index = asyncHandler(async (req, res, next) => {
 date: dbPosts[i].date,
 text: dbPosts[i].text,
 author: dbPosts[i].author,
+ published: dbPosts[i].published,
 _id: dbPosts[i]._id,
 comments: comments,
 };
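Review bot: Adding DELETE to the allowed methods is exposed to every origin, because the `origin: true` two lines above makes the cors middleware reflect whatever Origin header arrives, and `credentials: true` lets the browser attach the JWT_TOKEN cookie to that cross-site request. Any page a logged-in user visits could therefore issue a credentialed DELETE against this API, unless the cookie is set with a restrictive SameSite attribute, which this diff does not show. Replace the reflect-everything setting with an explicit allowlist, e.g. `origin: process.env.CLIENT_ORIGIN,` (or an array of trusted origins), so `credentials: true` only applies to sites you control. The `app.use(cors({ ... }))` call starts and ends outside the hunk.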
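Review bot: Both `dbPosts.splice(index, 1)` calls run inside a `forEach` over the same array, so the element that shifts into the spliced slot is never visited; whenever two unpublished posts are adjacent in the result, the second one is returned to anonymous callers and to other authors, so the draft filtering this hunk introduces is not reliable. The new `jwt.verify(...)` call also lost the try/catch the removed `blocc:` block had, so an expired or tampered cookie now fails the whole request through asyncHandler instead of degrading to the public listing. Resolve the username once, treating a bad token as anonymous, and build the list with `filter` rather than mutating it while iterating; alternatively push the condition into the query as `Post.find({ $or: [{ published: true }, { author: username }] })`, assuming `author` stores the username string as the `post.author != username` comparison implies. `exports.index` continues past the end of the hunk.
```javascript
exports.index = asyncHandler(async (req, res, next) => {
  let dbPosts = await Post.find().lean().exec();
  // Resolve the caller once; a missing, expired or tampered cookie means anonymous.
  let username = null;
  const token = req.cookies.JWT_TOKEN;
  if (token) {
    try {
      username = jwt.verify(token, process.env.SECRET_KEY).username;
    } catch {
      username = null; // fall back to the public listing
    }
  }
  // Drafts are visible only to their author. filter() builds a new array, so
  // nothing is skipped the way splice() inside forEach() skips the shifted element.
  dbPosts = dbPosts.filter(
    (post) =>
      post.published === true || (username !== null && post.author === username)
  );
  // … unchanged: build the `posts` response array from dbPosts …
```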
@@ -108,14 +111,25 @@ exports.get = asyncHandler(async (req, res, next) => {
 date: dbPost.date,
 text: dbPost.text,
 author: dbPost.author,
+ published: dbPost.published,
 _id: dbPost._id,
 comments: comments,
 };
 // if post is not published, not publicly visible
 if (!dbPost.published) {
- hasToken();
- sameAuthor();
- return res.status(200).json({ post });
+ const token = req.cookies.JWT_TOKEN;
+ if (token) {
+ const username = jwt.verify(token, process.env.SECRET_KEY).username;
+ if (username == dbPost.author) {
+ return res.status(200).json({ post });
+ }
+ return res.status(403).json({
+ message: "Not authorized!",
+ });
+ }
+ return res.status(403).json({
+ message: "Token not found!",
+ });
 }
 // otherwise return post if published
 return res.status(200).json({ post });
diff --git a/middleware/sameAuthor.js b/middleware/sameAuthor.js
index f8b3d43..24ac46c 100644
--- a/middleware/sameAuthor.js
+++ b/middleware/sameAuthor.js
@@ -7,7 +7,7 @@ const sameAuthor = asyncHandler(async (req, res, next) => {
 // get token
 const token = req.cookies.JWT_TOKEN;
 // extract username from token
- const username = jwt.verify(token, process.env.SECRET_KEY);
+ const username = jwt.verify(token, process.env.SECRET_KEY).username;
 // get post
 const post = await Post.findById(req.params.postID).lean().exec();
 // if different usernames
diff --git a/middleware/sameUser.js b/middleware/sameUser.js
index 03f80b7..fc6eb24 100644
--- a/middleware/sameUser.js
+++ b/middleware/sameUser.js
@@ -4,7 +4,7 @@ const sameUser = (req, res, next) => {
 // get token
 const token = req.cookies.JWT_TOKEN;
 // extract username from token
- const username = jwt.verify(token, process.env.SECRET_KEY);
+ const username = jwt.verify(token, process.env.SECRET_KEY).username;
 // if different usernames
 if (username != req.params.username) {
 return res.status(403).json({
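Review bot: `jwt.verify(token, process.env.SECRET_KEY).username` inside the new `if (token)` branch has no try/catch, so a draft requested with an expired or tampered cookie throws and surfaces as a server error through asyncHandler, while the neighbouring branches answer a missing token or a foreign author with 403. Wrap the verification and treat a failed verification exactly like a missing token, and compare with `===` rather than `username == dbPost.author`, which would match across types. The rewrite below keeps the existing status codes and messages so the client contract is unchanged. `exports.get` starts before the hunk.
```javascript
  if (!dbPost.published) {
    const token = req.cookies.JWT_TOKEN;
    let username = null;
    if (token) {
      try {
        username = jwt.verify(token, process.env.SECRET_KEY).username;
      } catch {
        username = null; // expired or tampered token is treated like no token
      }
    }
    if (!username) {
      return res.status(403).json({
        message: "Token not found!",
      });
    }
    if (username !== dbPost.author) {
      return res.status(403).json({
        message: "Not authorized!",
      });
    }
    return res.status(200).json({ post });
  }
```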
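Review bot: `jwt.verify(token, process.env.SECRET_KEY).username` throws when the cookie is absent, expired or signed with a different key, and nothing in this middleware catches it, so those cases become a server error via asyncHandler rather than a 401/403; whether a token-presence middleware always runs before sameAuthor is not visible in this diff. Catch the failure and answer with an auth status, and document the assumed payload shape with a comment such as `// token payload is { username }, as issued at login`. `sameAuthor` starts and ends outside the hunk.
```javascript
  // extract username from token; a missing, expired or tampered token is rejected here
  let username;
  try {
    username = jwt.verify(token, process.env.SECRET_KEY).username;
  } catch {
    return res.status(401).json({ message: "Invalid token!" });
  }
  // … unchanged: load the post and compare usernames …
```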
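Review bot: The `.username` read keeps the same unguarded `jwt.verify(...)` call: a missing, expired or tampered cookie throws out of this plain (non-asyncHandler) middleware and reaches Express's error handler as a server error instead of an authorization response, so the call should be wrapped in a try/catch that returns 401. The comparison on the next line should also be strict, `if (username !== req.params.username) {`, so a payload whose `username` is not a string cannot loosely match the URL parameter. `sameUser` starts and ends outside the hunk.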