Restrict to delete somebody else's story
mellonis committed Jun 20, 2020
1 parent 57f25bb commit d2fea33
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions routes/stories.js
Expand Up @@ -115,8 +115,18 @@ router.put('/:id', ensureAuth, async (req, res) => {
// @route DELETE /stories/:id
router.delete('/:id', ensureAuth, async (req, res) => {
try {
await Story.remove({ _id: req.params.id })
res.redirect('/dashboard')
let story = await Story.findById(req.params.id).lean()

if (!story) {
return res.render('error/404')
}

if (story.user != req.user.id) {
res.redirect('/stories')
} else {
await Story.remove({ _id: req.params.id })
res.redirect('/dashboard')
}
} catch (err) {
console.error(err)
return res.render('error/500')
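Review bot: The ownership check `if (story.user != req.user.id)` only works because loose `!=` coerces what is presumably an ObjectId (the document comes from `.lean()`) into its hex string before comparing; a later cleanup to strict `!==` would make every caller look like a non-owner and block all deletes, so make the conversion explicit, e.g. `if (String(story.user) !== req.user.id)`. The lookup and the delete are also two separate queries, so the authorization decision and the action are not atomic; enforcing ownership in the delete itself, `const { deletedCount } = await Story.deleteOne({ _id: req.params.id, user: req.user.id })`, and treating `deletedCount === 0` as not-found closes that gap and, if the project is on Mongoose 5 or later, avoids the deprecated `Story.remove`. The non-owner branch answers with a plain 302 to `/stories` and records nothing, so an attempt to delete another user's story leaves no trace; consider `res.status(403)` or at least a warning log with the story id and requester before redirecting. The handler's closing lines continue past the hunk.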
