mirror of
https://github.com/wekan/wekan.git
synced 2025-12-16 15:30:13 +01:00
add token authentication, only admin can use api
This commit is contained in:
huneau romain
parent
548172949a
commit
b5271e5346
9 changed files with 50 additions and 0 deletions
|
|
@ -77,3 +77,4 @@ simple:json-routes
|
|||
rajit:bootstrap3-datepicker
|
||||
kadira:flow-router
|
||||
shell-server@0.2.3
|
||||
simple:rest-accounts-password
|
||||
|
|
|
|||
|
|
@ -134,7 +134,11 @@ service-configuration@1.0.11
|
|||
session@1.1.7
|
||||
sha@1.0.9
|
||||
shell-server@0.2.3
|
||||
simple:authenticate-user-by-token@1.0.1
|
||||
simple:json-routes@2.1.0
|
||||
simple:rest-accounts-password@1.1.2
|
||||
simple:rest-bearer-token-parser@1.0.1
|
||||
simple:rest-json-error-handler@1.0.1
|
||||
softwarerero:accounts-t9n@1.3.9
|
||||
spacebars@1.0.15
|
||||
spacebars-compiler@1.1.2
|
||||
|
|
|
|||
|
|
@ -557,6 +557,7 @@ if (Meteor.isServer) {
|
|||
//BOARDS REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/boards', function (req, res, next) {
|
||||
Authentication.checkUserId(req.userId);
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
data: Boards.find({ permission: 'public' }).map(function (doc) {
|
||||
|
|
@ -569,6 +570,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = req.params.id;
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
|
|
@ -577,6 +579,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('POST', '/api/boards', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = Boards.insert({
|
||||
title: req.body.title,
|
||||
members: [
|
||||
|
|
@ -599,6 +602,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/boards/:id', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = req.params.id;
|
||||
Boards.remove({ _id: id });
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
|
|||
|
|
@ -84,6 +84,7 @@ if (Meteor.isServer) {
|
|||
//CARD COMMENT REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramCardId = req.params.cardId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
@ -99,6 +100,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramCommentId = req.params.commentId;
|
||||
const paramCardId = req.params.cardId;
|
||||
|
|
@ -109,6 +111,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramCardId = req.params.cardId;
|
||||
const id = CardComments.insert({
|
||||
|
|
@ -126,6 +129,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramCommentId = req.params.commentId;
|
||||
const paramCardId = req.params.cardId;
|
||||
|
|
|
|||
|
|
@ -373,6 +373,7 @@ if (Meteor.isServer) {
|
|||
//LISTS REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
@ -388,6 +389,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
const paramCardId = req.params.cardId;
|
||||
|
|
@ -398,6 +400,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('POST', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
const id = Cards.insert({
|
||||
|
|
@ -418,6 +421,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
const paramCardId = req.params.cardId;
|
||||
|
|
|
|||
|
|
@ -177,6 +177,7 @@ if (Meteor.isServer) {
|
|||
//CARD COMMENT REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramCardId = req.params.cardId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
|
|
@ -190,6 +191,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramChecklistId = req.params.checklistId;
|
||||
const paramCardId = req.params.cardId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
@ -199,6 +201,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramCardId = req.params.cardId;
|
||||
|
||||
const checklistToSend = {};
|
||||
|
|
@ -221,6 +224,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramCommentId = req.params.commentId;
|
||||
const paramCardId = req.params.cardId;
|
||||
Checklists.remove({ _id: paramCommentId, cardId: paramCardId });
|
||||
|
|
|
|||
|
|
@ -132,6 +132,7 @@ if (Meteor.isServer) {
|
|||
//LISTS REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/lists', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
|
|
@ -145,6 +146,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
@ -154,6 +156,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('POST', '/api/boards/:boardId/lists', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const id = Lists.insert({
|
||||
title: req.body.title,
|
||||
|
|
@ -168,6 +171,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const paramBoardId = req.params.boardId;
|
||||
const paramListId = req.params.listId;
|
||||
Lists.remove({ _id: paramListId, boardId: paramBoardId });
|
||||
|
|
|
|||
|
|
@ -528,6 +528,7 @@ if (Meteor.isServer) {
|
|||
// USERS REST API
|
||||
if (Meteor.isServer) {
|
||||
JsonRoutes.add('GET', '/api/users', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
data: Meteor.users.find({}).map(function (doc) {
|
||||
|
|
@ -536,6 +537,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
});
|
||||
JsonRoutes.add('GET', '/api/users/:id', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = req.params.id;
|
||||
JsonRoutes.sendResult(res, {
|
||||
code: 200,
|
||||
|
|
@ -543,6 +545,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
});
|
||||
JsonRoutes.add('POST', '/api/users/', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = Accounts.createUser({
|
||||
username: req.body.username,
|
||||
email: req.body.email,
|
||||
|
|
@ -558,6 +561,7 @@ if (Meteor.isServer) {
|
|||
});
|
||||
|
||||
JsonRoutes.add('DELETE', '/api/users/:id', function (req, res, next) {
|
||||
Authentication.checkUserId( req.userId);
|
||||
const id = req.params.id;
|
||||
Meteor.users.remove({ _id: id });
|
||||
JsonRoutes.sendResult(res, {
|
||||
|
|
|
|||
21
server/authentication.js
Normal file
21
server/authentication.js
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
Meteor.startup(() => {
|
||||
Authentication = {};
|
||||
|
||||
Authentication.checkUserId = function (userId) {
|
||||
if (userId === undefined) {
|
||||
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
|
||||
error.statusCode = 401;
|
||||
throw error;
|
||||
}
|
||||
const admin = Users.findOne({ _id: userId, isAdmin: true });
|
||||
|
||||
if (admin === undefined) {
|
||||
const error = new Meteor.Error('Forbidden', 'Forbidden');
|
||||
error.statusCode = 403;
|
||||
throw error;
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
});
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue