Only allow non-admin users to edit their own games

main
sudoer777 2021-11-25 19:33:53 -07:00
parent bd5b393a27
commit 79123c14bd
2 changed files with 19 additions and 9 deletions

View File

@ -5,7 +5,7 @@ const database = require('./../database');
class Game {
constructor(id, date, team1ID, team2ID, team1Score, team2Score, divisionID, seasonID) {
constructor(id, date, team1ID, team2ID, team1Score, team2Score, divisionID, seasonID, submitterID) {
this.id = id;
this.date = date;
this.team1ID = team1ID;
@ -14,6 +14,7 @@ class Game {
this.team2Score = team2Score;
this.divisionID = divisionID;
this.seasonID = seasonID;
this.submitterID = submitterID;
}
}
@ -100,11 +101,11 @@ async function edit(gameID, divisionID, seasonID, date, team1ID, team2ID, team1S
}
async function getFromID(gameID) {
const query = `SELECT game_id, division_id, season_id, game_date, team1_id, team2_id, team1_score, team2_score
const query = `SELECT game_id, division_id, season_id, game_date, team1_id, team2_id, team1_score, team2_score, submitter_id
FROM scores.games
WHERE game_id = $1;`;
const row = (await database.executeQuery(query, [gameID]))[0];
return new Game(row[0], row[3].toISOString().slice(0,10), row[4], row[5], row[6], row[7], row[1], row[2]);
return new Game(row[0], row[3].toISOString().slice(0,10), row[4], row[5], row[6], row[7], row[1], row[2], row[8]);
}

View File

@ -55,12 +55,21 @@ router.post('/game', userLoggedIn, function(req, res, next) {
const id = req.body['game'];
const remove = req.body['remove'];
if(remove) games.remove(id)
.then(res.redirect("/manage"));
else if(id) games.edit(id, divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score)
.then(res.redirect('/manage'));
else games.add(divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score, userID)
.then(res.redirect("/manage"));
const loggedInUserID = req.user[0];
const loggedInUserIsAdmin = req.user[2];
games.getFromID(id)
.then(game => {
if(!loggedInUserIsAdmin && loggedInUserID != game.submitterID) {
res.status(403).send("ACCESS DENIED");
}
else if(remove) games.remove(id)
.then(res.redirect("/manage"));
else if(id) games.edit(id, divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score)
.then(res.redirect('/manage'));
else games.add(divisionID, seasonID, date, team1ID, team2ID, team1Score, team2Score, userID)
.then(res.redirect("/manage"));
});
});
router.get('/season', adminLoggedIn, function(req, res, next) {