Only allow non-admin users to edit their own games

main
sudoer777 2021-11-25 19:33:53 -07:00
parent bd5b393a27
commit 79123c14bd
2 changed files with 19 additions and 9 deletions


@ -5,7 +5,7 @@ const database = require('./../database');
class Game { class Game {
constructor(id, date, team1ID, team2ID, team1Score, team2Score, divisionID, seasonID) { constructor(id, date, team1ID, team2ID, team1Score, team2Score, divisionID, seasonID, submitterID) {
this.id = id; this.id = id;
this.date = date; this.date = date;
this.team1ID = team1ID; this.team1ID = team1ID;
@ -14,6 +14,7 @@ class Game {
this.team2Score = team2Score; this.team2Score = team2Score;
this.divisionID = divisionID; this.divisionID = divisionID;
this.seasonID = seasonID; this.seasonID = seasonID;
this.submitterID = submitterID;
} }
} }
@ -100,11 +101,11 @@ async function edit(gameID, divisionID, seasonID, date, team1ID, team2ID, team1S
} }
async function getFromID(gameID) { async function getFromID(gameID) {
const query = `SELECT game_id, division_id, season_id, game_date, team1_id, team2_id, team1_score, team2_score const query = `SELECT game_id, division_id, season_id, game_date, team1_id, team2_id, team1_score, team2_score, submitter_id
FROM scores.games FROM scores.games
WHERE game_id = $1;`; WHERE game_id = $1;`;
const row = (await database.executeQuery(query, [gameID]))[0]; const row = (await database.executeQuery(query, [gameID]))[0];
return new Game(row[0], row[3].toISOString().slice(0,10), row[4], row[5], row[6], row[7], row[1], row[2]); return new Game(row[0], row[3].toISOString().slice(0,10), row[4], row[5], row[6], row[7], row[1], row[2], row[8]);
} }
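Review bot: `getFromID` still indexes `row[0]` without checking that the query returned a row, and the new `submitterID` it now exposes is used by the route handler for an authorization decision, so an unknown or missing `gameID` surfaces as a TypeError rejection rather than a clean not-found. Add `if (row === undefined) return null;` before the `return new Game(...)` and document that callers must treat `null` as "no such game". A short JSDoc on the constructor saying that `submitterID` is the `submitter_id` column (read at index 8 here) would also help, since the nine-argument positional constructor is easy to misorder.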


@ -55,12 +55,21 @@ router.post('/game', userLoggedIn, function(req, res, next) {
const id = req.body['game']; const id = req.body['game'];
const remove = req.body['remove']; const remove = req.body['remove'];
if(remove) games.remove(id) const loggedInUserID = req.user[0];
.then(res.redirect("/manage")); const loggedInUserIsAdmin = req.user[2];
else if(id) games.edit(id, divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score)
.then(res.redirect('/manage')); games.getFromID(id)
else games.add(divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score, userID) .then(game => {
.then(res.redirect("/manage")); if(!loggedInUserIsAdmin && loggedInUserID != game.submitterID) {
res.status(403).send("ACCESS DENIED");
}
else if(remove) games.remove(id)
.then(res.redirect("/manage"));
else if(id) games.edit(id, divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score)
.then(res.redirect('/manage'));
else games.add(divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score, userID)
.then(res.redirect("/manage"));
});
}); });
router.get('/season', adminLoggedIn, function(req, res, next) { router.get('/season', adminLoggedIn, function(req, res, next) {