From 12c2d252cf76c45bb8a2b457812540400465de3b Mon Sep 17 00:00:00 2001
From: Jannik Schönartz
Date: Mon, 8 Jun 2020 00:31:55 +0000
Subject: [server] PM integration in all missing api-points but groups
---
 server/api/events.js | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'server/api/events.js')
diff --git a/server/api/events.js b/server/api/events.js
index 7e330e5..310a64a 100644
--- a/server/api/events.js
+++ b/server/api/events.js
@@ -11,6 +11,27 @@ socket.connect('ipc:///tmp/bas_zeromq_events')
 const log = require(path.join(__appdir, 'lib', 'log'))
 const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse'))
+// Permission check middleware
+router.all(['', '/:x'], async (req, res, next) => {
+ switch (req.method) {
+ case 'GET':
+ if (!await req.user.hasPermission('events.view')) return res.status(403).send({ error: 'Missing permission', permission: 'events.view' })
+ break
+
+ case 'POST':
+ // TODO: REMOVE blacklist free pass IF PM uses own blacklist function --> HELPER LIB?!
+ if (req.params.x === 'blacklist') break
+
+ if (!await req.user.hasPermission('events.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'events.edit' })
+ break
+
+ default:
+ return res.status(400).send()
+ }
+
+ next()
+})
+
 // ############################################################################
 // ########################### GET requests #################################
-- cgit v1.2.3-55-g7522
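Review bot: The permission middleware is registered with `router.all(['', '/:x'], …)`, so it runs only for the router root and single-segment paths; any route in this file with a deeper path (none are visible in this hunk) would reach its handler with no permission check at all. Registering it as `router.use(async (req, res, next) => { … })` would apply the check to every route and fail closed, with the blacklist exception matched on `req.path` instead of `req.params.x`. The `blacklist` free pass also lets any POST to `/blacklist` skip `events.edit` entirely, so until the TODO is resolved the handler itself has to authorize the caller. A rejected `hasPermission` promise or a missing `req.user` is not caught here; if this runs on Express 4, wrapping the switch in `try { … } catch (err) { return next(err) }` keeps the request from hanging without a response.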