Fix for #173. Board can be removed by owner/admin

callapa1 · Apr 29, 2021 · 3f59bb2 · 3f59bb2
1 parent c2a3571
commit 3f59bb2
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/api/controllers/board.js b/api/controllers/board.js
@@ -80,21 +80,26 @@ async function getPublicBoards(req, res) {
 }
 
 async function deleteBoard(req, res) {
-  const id = req.swagger.params.id.value;
-  Board.findByIdAndRemove(id, function (err, boards) {
+  Board.findByIdAndRemove(req, function (err, board) {
+    const id = req.swagger.params.id.value;
     if (err) {
       return res.status(404).json({
         message: 'Board not found. Board Id: ' + id,
         error: err.message
       });
     }
-    if (!boards) {
+    if (!board) {
       return res.status(404).json({
         message: 'Board not found. Board Id: ' + id,
         error: 'Board not found.'
       });
     }
-    return res.status(200).json(boards);
+    if (!req.user.isAdmin && req.user !== board.author) {
+      return res.status(403).json({
+        message: "You are not authorized to delete this user's board."
+      });
+    }
+    return res.status(200).json(board);
   });
 }