notifications route; added middleware.authenticate to user/uploadpicture api route

11 years ago · 94aeb3ab22
parent 5b8e8e4b67
commit 94aeb3ab22
4 changed files with 19 additions and 22 deletions
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@ -372,10 +372,6 @@ accountsController.accountSettings = function(req, res, next) {
 };
 accountsController.uploadPicture = function (req, res, next) {
 	if (!req.user) {
 		return userNotAllowed();
 	}
 	var uploadSize = parseInt(meta.config.maximumProfileImageSize, 10) || 256;
 	if (req.files.userPhoto.size > uploadSize * 1024) {
 		return res.json({
@ -473,4 +469,18 @@ accountsController.uploadPicture = function (req, res, next) {
 	});
 };
 accountsController.getNotifications = function(req, res, next) {
 	user.notifications.getAll(req.user.uid, null, null, function(err, notifications) {
 		if (res.locals.isAPI) {
 			res.json({
 				notifications: notifications
 			});	
 		} else {
 			res.render('notifications', {
 				notifications: notifications
 			});
 		}
 	});
 };
 module.exports = accountsController;
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@ -1,6 +1,5 @@
 "use strict";
 var app,
 	clientScripts,
 	middleware = {},
@ -19,7 +18,6 @@ var app,
 		api: require('./../controllers/api')
 	};
 middleware.authenticate = function(req, res, next) {
 	if(!req.user) {
 		if (res.locals.isAPI) {
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -40,18 +40,6 @@ module.exports =  function(app, middleware, controllers) {
 		app.get('/config', controllers.api.getConfig);
 		app.get('/notifications', function(req, res) {
 			if (req.user && req.user.uid) {
 				user.notifications.getAll(req.user.uid, null, null, function(err, notifications) {
 					res.json({
 						notifications: notifications
 					});
 				});
 			} else {
 				res.send(403);
 			}
 		});			
 		app.get('/search/:term', function (req, res, next) {
 			if (!plugins.hasListeners('filter:search.query')) {
 				return res.redirect('/404');
@ -176,7 +164,7 @@ module.exports =  function(app, middleware, controllers) {
 		});
 	});
-	// this should have been in the API namespace
+	// this should be in the API namespace
 	// also, perhaps pass in :userslug so we can use checkAccountPermissions middleware - in future will allow admins to upload a picture for a user
-	app.post('/user/uploadpicture', middleware.checkGlobalPrivacySettings, /*middleware.checkAccountPermissions,*/ controllers.accounts.uploadPicture);
+	app.post('/user/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, /*middleware.checkAccountPermissions,*/ controllers.accounts.uploadPicture);
 };
--- a/src/routes/index.js
+++ b/src/routes/index.js
@ -93,6 +93,9 @@ module.exports = function(app, middleware) {
 		app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
 		app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
 		app.get('/notifications', middleware.buildHeader, middleware.authenticate, controllers.accounts.getNotifications);
 		app.get('/api/notifications', middleware.authenticate, controllers.accounts.getNotifications);
 		/* Users */
 		app.get('/users', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.users.getOnlineUsers);
 		app.get('/api/users', middleware.checkGlobalPrivacySettings, controllers.users.getOnlineUsers);
@ -117,8 +120,6 @@ module.exports = function(app, middleware) {
 		app.get('/sitemap.xml', controllers.sitemap);
 		app.get('/robots.txt', controllers.robots);
 		//todo notifications
 		app.get('api/search/:term?', function (req, res) {
 			if ((req.user && req.user.uid) || meta.config.allowGuestSearching === '1') {
 				return res.json({