|  | @@ -42,14 +42,20 @@ Meteor.methods({
 | 
											
												
													
														|  |    },
 |  |    },
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |    removeTask(taskId) {
 |  |    removeTask(taskId) {
 | 
											
												
													
														|  | -    // Without checking user ?
 |  | 
 | 
											
												
													
														|  | -    Meteor._debug("removing", taskId);
 |  | 
 | 
											
												
													
														|  | 
 |  | +    const task = Tasks.find(taskId);
 | 
											
												
													
														|  | 
 |  | +    if (task.private && task.owner !== Meteor.userId) {
 | 
											
												
													
														|  | 
 |  | +      throw new Meteor.Error("not-authorized");
 | 
											
												
													
														|  | 
 |  | +    }
 | 
											
												
													
														|  | 
 |  | +
 | 
											
												
													
														|  |      Tasks.remove(taskId);
 |  |      Tasks.remove(taskId);
 | 
											
												
													
														|  |    },
 |  |    },
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |    setChecked(taskId, setChecked) {
 |  |    setChecked(taskId, setChecked) {
 | 
											
												
													
														|  | -    // Without checking user ?
 |  | 
 | 
											
												
													
														|  | -    Meteor._debug("setCheck", taskId, setChecked);
 |  | 
 | 
											
												
													
														|  | 
 |  | +    const task = Tasks.find(taskId);
 | 
											
												
													
														|  | 
 |  | +
 | 
											
												
													
														|  | 
 |  | +    if (task.private && task.owner != Meteor.userId) {
 | 
											
												
													
														|  | 
 |  | +      throw new Meteor.Error("not-authorized");
 | 
											
												
													
														|  | 
 |  | +    }
 | 
											
												
													
														|  |      Tasks.update(taskId, { $set: { checked: setChecked }});
 |  |      Tasks.update(taskId, { $set: { checked: setChecked }});
 | 
											
												
													
														|  |    },
 |  |    },
 | 
											
												
													
														|  |  
 |  |  
 |
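Review bot: The new ownership check in `removeTask` never fires: `Tasks.find(taskId)` returns a cursor rather than a document, so `task.private` is undefined and the `throw` is unreachable, which leaves private tasks as unprotected as before the change; `setChecked` repeats the same pattern. `Meteor.userId` is also a function that is compared without being called, so once the lookup is fixed the comparison would be true for every caller and would lock out the owner as well. I would change both methods to `const task = Tasks.findOne(taskId);` and `if (!task || (task.private && task.owner !== this.userId)) {`, which also replaces the loose `!=` in `setChecked` and covers a missing task. Neither method validates `taskId` before it reaches `Tasks.remove` / `Tasks.update`; unless that happens outside the hunk, a `check(taskId, String)` at the top of each method would ensure only a plain id, not a selector object, is accepted. Both method bodies are fully visible here, while the enclosing `Meteor.methods({` call starts and ends outside the hunk.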