jschaufuss/DiceCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add permission check to JSONcharacter

Browse Source
This commit is contained in:
Andrew Zhu
2018-06-07 01:38:29 -07:00
parent 1a18d1f816
commit 216e502c8a
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/Routes/API.js
View File

@@ -30,8 +30,14 @@ Router.map(function() {
this.response.setHeader("Content-Type", "application/json");
var query = this.params.query;
var key = query && query.key;
ifKeyValid(key, this.response, "jsonCharacterSheet", () =>
this.response.end(JSONExport(this.params._id))
ifKeyValid(key, this.response, "jsonCharacterSheet", () => {
if (canViewCharacter(this.params._id, userIdFromKey(key))){
this.response.end(JSONExport(this.params._id))
} else {
this.response.writeHead(403, "You do not have permission to view this character");
this.response.end();
}
}
);
},
});
@@ -62,6 +68,11 @@ var isKeyValid = function(apiKey){
return !blackListed;
};
var userIdFromKey = function(apiKey){
var user = Meteor.users.findOne({apiKey}); // we know user exists from isKeyValid
return user._id;
}
var rateLimiter = new RateLimiter();
rateLimiter.addRule({apiKey: String}, 5, 5000);
rateLimiter.addRule({apiKey: String, method: "vmixCharacter"}, 2, 10000);