From 94aeb3ab2204721692c35390ae130fe7972cc247 Mon Sep 17 00:00:00 2001 From: psychobunny Date: Mon, 3 Mar 2014 12:30:27 -0500 Subject: [PATCH] notifications route; added middleware.authenticate to user/uploadpicture api route --- src/controllers/accounts.js | 18 ++++++++++++++---- src/middleware/middleware.js | 2 -- src/routes/api.js | 16 ++-------------- src/routes/index.js | 5 +++-- 4 files changed, 19 insertions(+), 22 deletions(-) diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js index fd71b17b9d..283f1474c3 100644 --- a/src/controllers/accounts.js +++ b/src/controllers/accounts.js @@ -372,10 +372,6 @@ accountsController.accountSettings = function(req, res, next) { }; accountsController.uploadPicture = function (req, res, next) { - if (!req.user) { - return userNotAllowed(); - } - var uploadSize = parseInt(meta.config.maximumProfileImageSize, 10) || 256; if (req.files.userPhoto.size > uploadSize * 1024) { return res.json({ @@ -473,4 +469,18 @@ accountsController.uploadPicture = function (req, res, next) { }); }; +accountsController.getNotifications = function(req, res, next) { + user.notifications.getAll(req.user.uid, null, null, function(err, notifications) { + if (res.locals.isAPI) { + res.json({ + notifications: notifications + }); + } else { + res.render('notifications', { + notifications: notifications + }); + } + }); +}; + module.exports = accountsController; \ No newline at end of file diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js index fbcc5196c6..1868c69e6f 100644 --- a/src/middleware/middleware.js +++ b/src/middleware/middleware.js @@ -1,6 +1,5 @@ "use strict"; - var app, clientScripts, middleware = {}, @@ -19,7 +18,6 @@ var app, api: require('./../controllers/api') }; - middleware.authenticate = function(req, res, next) { if(!req.user) { if (res.locals.isAPI) { diff --git a/src/routes/api.js b/src/routes/api.js index 1f1bd36c80..f44532e9d0 100644 --- a/src/routes/api.js +++ b/src/routes/api.js 
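Review bot: The callback in the new `accountsController.getNotifications` never checks `err`, so a failed `user.notifications.getAll` still sends a success response with `notifications` undefined; add `if (err) { return next(err); }` as the first statement of the callback. The handler also dereferences `req.user.uid` with no guard of its own, so it is only safe on routes that place `middleware.authenticate` in front of it, and a short comment above the function stating that precondition would stop a later route from mounting it bare. The removed API handler tested `req.user && req.user.uid`, while the visible start of `middleware.authenticate` tests only `req.user`; whether a user object can exist without a uid is not visible in this patch and is worth confirming.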
@@ -40,18 +40,6 @@ module.exports = function(app, middleware, controllers) { app.get('/config', controllers.api.getConfig); - app.get('/notifications', function(req, res) { - if (req.user && req.user.uid) { - user.notifications.getAll(req.user.uid, null, null, function(err, notifications) { - res.json({ - notifications: notifications - }); - }); - } else { - res.send(403); - } - }); - app.get('/search/:term', function (req, res, next) { if (!plugins.hasListeners('filter:search.query')) { return res.redirect('/404'); @@ -176,7 +164,7 @@ module.exports = function(app, middleware, controllers) { }); }); - // this should have been in the API namespace + // this should be in the API namespace // also, perhaps pass in :userslug so we can use checkAccountPermissions middleware - in future will allow admins to upload a picture for a user - app.post('/user/uploadpicture', middleware.checkGlobalPrivacySettings, /*middleware.checkAccountPermissions,*/ controllers.accounts.uploadPicture); + app.post('/user/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, /*middleware.checkAccountPermissions,*/ controllers.accounts.uploadPicture); }; \ No newline at end of file diff --git a/src/routes/index.js b/src/routes/index.js index 3a0944dc48..0811e3218a 100644 --- a/src/routes/index.js +++ b/src/routes/index.js 
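Review bot: `middleware.authenticate` on the `/user/uploadpicture` route is now the only login check for the upload, because the same patch removes the `if (!req.user)` guard inside `accountsController.uploadPicture`; the comment above the route should record that dependency, e.g. `// authenticate is required here: controllers.accounts.uploadPicture no longer checks req.user itself`. The controller's context lines read `req.files.userPhoto.size` without first checking that `req.files.userPhoto` exists, so an authenticated POST without that field would presumably throw rather than return a clean error; a presence check before the size test is worth adding while this path is being touched. `middleware.checkAccountPermissions` stays commented out, so if the `:userslug` variant mentioned in the comment is introduced later, it needs to be enabled in the same change, otherwise the handler would have no per-account check. The enclosing `module.exports` function begins outside this hunk.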
@@ -93,6 +93,9 @@ module.exports = function(app, middleware) { app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings); app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings); + app.get('/notifications', middleware.buildHeader, middleware.authenticate, controllers.accounts.getNotifications); + app.get('/api/notifications', middleware.authenticate, controllers.accounts.getNotifications); + /* Users */ app.get('/users', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.users.getOnlineUsers); app.get('/api/users', middleware.checkGlobalPrivacySettings, controllers.users.getOnlineUsers); @@ -117,8 +120,6 @@ module.exports = function(app, middleware) { app.get('/sitemap.xml', controllers.sitemap); app.get('/robots.txt', controllers.robots); - //todo notifications - app.get('api/search/:term?', function (req, res) { if ((req.user && req.user.uid) || meta.config.allowGuestSearching === '1') { return res.json({
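Review bot: On the new `/notifications` page route `middleware.buildHeader` runs before `middleware.authenticate`, so header work is done for requests that are then rejected. Listing the gate first, `app.get('/notifications', middleware.authenticate, middleware.buildHeader, controllers.accounts.getNotifications);`, turns anonymous requests away before any other middleware runs, provided `buildHeader` sets nothing that `authenticate` relies on (not visible here). Both `middleware.authenticate` and `getNotifications` branch on `res.locals.isAPI`, and this patch does not show where that flag is set for `/api/notifications`. It is worth confirming that an unauthenticated API client still receives an error status, as the removed handler's `res.send(403)` gave, rather than the page-route behaviour. The enclosing `module.exports` function begins outside the hunk.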