board export now checks authentication

models/boards.js

@@ -79,6 +79,33 @@ Boards.attachSchema(new SimpleSchema({
 
 
 Boards.helpers({
+  /**
+   * Is current logged-in user authorized to view this board?
+   */
+  isVisibleByUser() {
+    if(this.isPublic()) {
+      // public boards are visible to everyone
+      return true;
+    } else {
+      // otherwise you have to be logged-in and active member
+      return this.isActiveMember(Meteor.userId());
+    }
+  },
+
+  /**
+   * Is the user one of the active members of the board?
+   *
+   * @param userId
+   * @returns {boolean} the member that matches, or undefined/false
+   */
+  isActiveMember(userId) {
+    if(userId) {
+      return this.members.find((member) => (member.userId === userId && member.isActive));
+    } else {
+      return false;
+    }
+  },
+
   isPublic() {
     return this.permission === 'public';
   },

models/export.js

@@ -1,25 +1,15 @@
-/* global JsonRoutes */
-if(Meteor.isServer) {
-  console.log(`userId is ${this.userId}`);
-  JsonRoutes.add('get', '/api/b/:id', function (req, res) {
-    const id = req.params.id;
-    const board = Boards.findOne(id);
-    //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
-    const exporter = new Exporter(id);
-    JsonRoutes.sendResult(res, 200, exporter.build());
-    //} else {
-    //  // 403 = forbidden
-    //  JsonRoutes.sendError(res, 403);
-    //}
-  });
-}
+
 
 Meteor.methods({
   exportBoard(boardId) {
+    check(boardId, String);
     const board = Boards.findOne(boardId);
-//    //if(Meteor.userId() && allowIsBoardMember(Meteor.userId(), board)) {
-    const exporter = new Exporter(boardId);
-    return exporter.build();
+    if(board.isVisibleByUser()) {
+      const exporter = new Exporter(boardId);
+      return exporter.build();
+    } else {
+      throw new Meteor.Error('error-board-notAMember');
+    }
   }
 });