
Commit 8-2: Added basic permission to check the posts's owner. Removed insecure.

Frederic G. MARAND 9 years ago
parent
commit
13d032a638
4 changed files with 23 additions and 3 deletions
  1. 0 1
      .meteor/packages
  2. 0 1
      .meteor/versions
  3. 10 1
      lib/collections/posts.js
  4. 13 0
      lib/permissions.js

+ 0 - 1
.meteor/packages

@@ -12,4 +12,3 @@ sacha:spin
 ian:accounts-ui-bootstrap-3
 accounts-password
 audit-argument-checks
-insecure

+ 0 - 1
.meteor/versions

@@ -21,7 +21,6 @@ htmljs@1.0.4
 http@1.1.0
 ian:accounts-ui-bootstrap-3@1.2.79
 id-map@1.0.3
-insecure@1.0.3
 iron:controller@1.0.8
 iron:core@1.0.8
 iron:dynamic-template@1.0.8

+ 10 - 1
lib/collections/posts.js

@@ -12,7 +12,16 @@ Posts = new Mongo.Collection('posts');
 
 // Removed Posts.allow : we no longer trigger inserts from client.
 
-// This is in lib/ instead of server/ for latency compensation (?).
+Posts.allow({
+  update: function (userId, post) {
+    return ownsDocument(userId, post);
+  },
+  remove: function (userId, post) {
+    return ownsDocument(userId, post);
+  }
+});
+
+// This is in lib/ instead of server/ for latency compensation.
 Meteor.methods({
   postInsert: function(postAttributes) {
     "use strict";

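Review bot: The `update` rule in the new `Posts.allow` block checks only ownership, so an owner's client-side update can rewrite any field of the post, including `userId`, the very field `ownsDocument` trusts. Meteor passes the modified top-level field names as the third callback argument, so a companion deny rule can limit edits: `Posts.deny({ update: function (userId, post, fieldNames) { return _.difference(fieldNames, EDITABLE_FIELDS).length > 0; } });`. Here `EDITABLE_FIELDS` is a placeholder for the fields the edit form really needs, and the rule assumes underscore is available in the app. The context comment just above still reads `Removed Posts.allow`, which now contradicts the code; it should say that only inserts go through the method. The `Meteor.methods` block continues outside the hunk.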
+ 13 - 0
lib/permissions.js

@@ -0,0 +1,13 @@
+/**
+ * @file
+ *
+ *
+ * User: marand
+ * Date: 02/09/15
+ * Time: 08:58
+ */
+
+// Global, so no "var".
+ownsDocument = function (userId, doc) {
+  return doc && doc.userId === userId;
+}
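Review bot: `ownsDocument` returns true when `doc.userId` and `userId` are both `null`, and Meteor passes a null `userId` to allow callbacks for logged-out clients, so any post stored with a null owner could be updated or removed anonymously. Whether such documents exist is not visible on this page (posts created while `insecure` was installed are possible candidates), so an explicit guard is cheap insurance: `return !!userId && !!doc && doc.userId === userId;`. The header docblock has an empty `@file` description; a one-line summary such as `Ownership checks shared by collection allow/deny rules.` would serve readers better than the IDE timestamp. The assignment also lacks its terminating semicolon.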