Merge branch 'master' of https://github.com/FreeCodeCamp/freecodecamp

Conflicts: .gitignore
2015-03-17 15:41:52 -07:00
parent f3f6d0d16e d4f3a4e213
commit 95c249afc6
5 changed files with 34 additions and 13 deletions
--- a/controllers/story.js
+++ b/controllers/story.js
@@ -148,7 +148,7 @@ exports.returnIndividualStory = function(req, res, next) {
            upVotes: story.upVotes,
            comments: story.comments,
            id: story._id,
-            user: req.user,
+            user: req.user || null,
            timeAgo: moment(story.timePosted).fromNow(),
            image: story.image,
            page: 'show',
@@ -227,6 +227,9 @@ exports.comments = function(req, res, next) {
 };

 exports.newStory = function(req, res) {
+    if (!req.user) {
+      return res.status(500);
+    }
    var url = req.body.data.url;
    var cleanURL = sanitizeHtml(url, {
      allowedTags: [],
@@ -284,6 +287,9 @@ exports.newStory = function(req, res) {

 exports.storySubmission = function(req, res) {
    var data = req.body.data;
+    if (req.user._id.toString() !== data.author.userId.toString()) {
+        return res.status(500);
+    }
    var storyLink = data.headline
        .replace(/\'/g, '')
        .replace(/\"/g, '')
@@ -327,6 +333,9 @@ exports.storySubmission = function(req, res) {

 exports.commentSubmit = function(req, res) {
    var data = req.body.data;
+    if (req.user._id.toString() !== data.author.userId.toString()) {
+        return res.status(500);
+    }
    var sanitizedBody = sanitizeHtml(data.body,
        {
            allowedTags: [],
@@ -353,6 +362,11 @@ exports.commentSubmit = function(req, res) {

 exports.commentOnCommentSubmit = function(req, res) {
    var data = req.body.data;
+
+    if (req.user._id.toString() !== data.author.userId.toString()) {
+        return res.status(500);
+    }
+
    var sanitizedBody = sanitizeHtml(data.body,
        {
            allowedTags: [],
--- a/controllers/user.js
+++ b/controllers/user.js
@@ -322,7 +322,6 @@ exports.updateProgress = function(req, res) {

 exports.postUpdateProfile = function(req, res, next) {

-    // What does this do?
    User.findById(req.user.id, function(err, user) {
        if (err) return next(err);
        var errors = req.validationErrors();
@@ -342,7 +341,7 @@ exports.postUpdateProfile = function(req, res, next) {
                });
                return res.redirect('/account');
            }
-            User.findOne({ username: req.body.username }, function(err, existingUsername) {
+            User.findOne({ 'profile.username': req.body.username }, function(err, existingUsername) {
                if (err) {
                    return next(err);
                }