From 3f59bb24c7cda181b079bdfad37e528f5bbdebce Mon Sep 17 00:00:00 2001
From: Cristian <54779545+callapa1@users.noreply.github.com>
Date: Thu, 29 Apr 2021 17:54:40 +0200
Subject: [PATCH] Fix for #173. Board can be removed by owner/admin

---
 api/controllers/board.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/api/controllers/board.js b/api/controllers/board.js
index 1f7c692..7458599 100644
--- a/api/controllers/board.js
+++ b/api/controllers/board.js
@@ -80,21 +80,26 @@ async function getPublicBoards(req, res) {
 }
 
 async function deleteBoard(req, res) {
-  const id = req.swagger.params.id.value;
-  Board.findByIdAndRemove(id, function (err, boards) {
+  Board.findByIdAndRemove(req, function (err, board) {
+    const id = req.swagger.params.id.value;
     if (err) {
       return res.status(404).json({
         message: 'Board not found. Board Id: ' + id,
         error: err.message
       });
     }
-    if (!boards) {
+    if (!board) {
       return res.status(404).json({
         message: 'Board not found. Board Id: ' + id,
         error: 'Board not found.'
       });
     }
-    return res.status(200).json(boards);
+    if (!req.user.isAdmin && req.user !== board.author) {
+      return res.status(403).json({
+        message: "You are not authorized to delete this user's board."
+      });
+    }
+    return res.status(200).json(board);
   });
 }
 
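Review bot: `Board.findByIdAndRemove(req, function (err, board) {` on the new side passes the whole request object where the old code passed `id`, so the lookup can no longer match a board (with a Mongoose model the cast of `req` to an id fails and every call lands in the `err` 404 branch); the id must still be read first and passed in. Even with that repaired, the new 403 check runs inside the `findByIdAndRemove` callback, i.e. after the document has already been deleted, so an unauthorized caller receives a 403 while the board is gone — the ownership check has to precede the removal. `req.user !== board.author` also compares two distinct objects by reference and will presumably never be equal; comparing ids, `String(board.author) !== String(req.user._id)`, is what the check appears to intend (this assumes `author` stores the owner's user id and `req.user` is always populated by upstream auth middleware — confirm both against the schema and the route's security setup). A find-check-remove sequence closes all three points:
```javascript
async function deleteBoard(req, res) {
  const id = req.swagger.params.id.value;
  Board.findById(id, function (err, board) {
    // … unchanged: the two 404 branches for err and missing board …
    // Authorize BEFORE deleting; compare ids, not object references.
    if (!req.user.isAdmin && String(board.author) !== String(req.user._id)) {
      return res.status(403).json({
        message: "You are not authorized to delete this user's board."
      });
    }
    Board.findByIdAndRemove(id, function (removeErr, removed) {
      if (removeErr) {
        return res.status(500).json({ message: 'Could not delete board. Board Id: ' + id, error: removeErr.message });
      }
      return res.status(200).json(removed);
    });
  });
}
```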