Export Wekan now server-based with proper auth

2026-01-02 15:48:49 +01:00 · 2015-12-16 21:54:35 +01:00 · 2015-12-16 21:54:35 +01:00 · d08e1cc45b
commit d08e1cc45b
parent efe7c21d57
6 changed files with 42 additions and 26 deletions
--- a/models/export.js
+++ b/models/export.js
@ -1,11 +1,30 @@
+/* global JsonRoutes */
+if(Meteor.isServer) {
+  JsonRoutes.add('get', '/api/b/:boardId/:userId/:loginToken', function (req, res) {
+    const { userId, loginToken, boardId } = req.params;
+    const hashToken = Accounts._hashLoginToken(loginToken);
+    const user = Meteor.users.findOne({
+      _id: userId,
+      'services.resume.loginTokens.hashedToken': hashToken,
+    });
+
+    const exporter = new Exporter(boardId);
+    if(user && exporter.canExport(user)) {
+      JsonRoutes.sendResult(res, 200, exporter.build());
+    } else {
+      // we could send an explicit error message, but on the other
+      // hand the only way to get there is by hacking the UI so...
+      JsonRoutes.sendResult(res, 403);
+    }
+  });
+}


 Meteor.methods({
  exportBoard(boardId) {
    check(boardId, String);
-    const board = Boards.findOne(boardId);
-    if(board.isVisibleByUser()) {
-      const exporter = new Exporter(boardId);
+    const exporter = new Exporter(boardId);
+    if(exporter.canExport(Meteor.user())) {
      return exporter.build();
    } else {
      throw new Meteor.Error('error-board-notAMember');
@ -56,4 +75,9 @@ class Exporter {
    result.users = Users.find(byUserIds, userFields).fetch();
    return result;
  }
+
+  canExport(user) {
+    const board = Boards.findOne(this._boardId);
+    return board && board.isVisibleBy(user);
+  }
 }