Skip to content
Browse files

Harden camper news and don't expose user object. Upvoting still needs…

… to be looked at.
  • Loading branch information...
1 parent 2c53a17 commit 08bf658897bad23baab1784f0f97b20eb6d6b0f0 @terakilobyte terakilobyte committed
Showing with 58 additions and 63 deletions.
  1. +2 −2 .bowerrc
  2. +24 −9 controllers/story.js
  3. +21 −35 public/js/main.js
  4. +1 −0 views/partials/universal-head.jade
  5. +3 −10 views/stories/comments.jade
  6. +6 −5 views/stories/index.jade
  7. +1 −2 views/stories/show.jade
View
4 .bowerrc
@@ -1,3 +1,3 @@
{
- "directory" : "public/js/lib"
-}
+ "directory" : "public/bower_components"
+}
View
33 controllers/story.js
@@ -223,8 +223,8 @@ exports.upvote = function(req, res, next) {
story.rank++;
story.upVotes.push(
{
- upVotedBy: data.upVoter._id,
- upVotedByUsername: data.upVoter.profile.username
+ upVotedBy: req.user._id,
+ upVotedByUsername: req.user.profile.username
}
);
story.markModified('rank');
@@ -314,7 +314,7 @@ exports.newStory = function(req, res, next) {
exports.storySubmission = function(req, res, next) {
var data = req.body.data;
- if (req.user._id.toString() !== data.author.userId.toString()) {
+ if (!req.user) {
return next(new Error('Not authorized'));
}
var storyLink = data.headline
@@ -341,7 +341,12 @@ exports.storySubmission = function(req, res, next) {
}).replace(/"/g, '"'),
rank: 1,
upVotes: data.upVotes,
- author: data.author,
+ author: {
+ picture: req.user.profile.picture,
+ userId: req.user._id,
+ username: req.user.profile.username,
+ email: req.user.email
+ },
comments: [],
image: data.image,
storyLink: storyLink,
@@ -361,7 +366,7 @@ exports.storySubmission = function(req, res, next) {
exports.commentSubmit = function(req, res, next) {
var data = req.body.data;
- if (req.user._id.toString() !== data.author.userId.toString()) {
+ if (!req.user) {
return next(new Error('Not authorized'));
}
var sanitizedBody = sanitizeHtml(data.body,
@@ -378,11 +383,16 @@ exports.commentSubmit = function(req, res, next) {
var comment = new Comment({
associatedPost: data.associatedPost,
originalStoryLink: data.originalStoryLink,
- originalStoryAuthorEmail: data.originalStoryAuthorEmail,
+ originalStoryAuthorEmail: req.user.email,
body: sanitizedBody,
rank: 0,
upvotes: 0,
- author: data.author,
+ author: {
+ picture: req.user.profile.picture,
+ userId: req.user._id,
+ username: req.user.profile.username,
+ email: req.user.email
+ },
comments: [],
topLevel: true,
commentOn: Date.now()
@@ -393,7 +403,7 @@ exports.commentSubmit = function(req, res, next) {
exports.commentOnCommentSubmit = function(req, res, next) {
var data = req.body.data;
- if (req.user._id.toString() !== data.author.userId.toString()) {
+ if (!req.user) {
return next(new Error('Not authorized'));
}
@@ -415,7 +425,12 @@ exports.commentOnCommentSubmit = function(req, res, next) {
upvotes: 0,
originalStoryLink: data.originalStoryLink,
originalStoryAuthorEmail: data.originalStoryAuthorEmail,
- author: data.author,
+ author: {
+ picture: req.user.profile.picture,
+ userId: req.user._id,
+ username: req.user.profile.username,
+ email: req.user.email
+ },
comments: [],
topLevel: false,
commentOn: Date.now()
View
56 public/js/main.js
@@ -234,7 +234,7 @@ $(document).ready(function() {
$('#upvote').unbind('click');
var alreadyUpvoted = false;
for (var i = 0; i < upVotes.length; i++) {
- if (upVotes[i].upVotedBy === user._id) {
+ if (upVotes[i].upVotedBy === B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B) {

@terakilobyte Not sure if this should be hardcoded, but if it should, it needs to be surrounded by double-quotes :-)

Wow, my bad; didn't see this:

var B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B = !{JSON.stringify(user._id)}

var userID = "..."?

I tried evaluating B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B in the console and got an error, so I thought this was supposed to be a string, but... nope

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
alreadyUpvoted = true;
break;
}
@@ -243,8 +243,7 @@ $(document).ready(function() {
$.post('/stories/upvote',
{
data: {
- id: _id,
- upVoter: user
+ id: _id
}
})
.fail(function (xhr, textStatus, errorThrown) {
@@ -264,10 +263,7 @@ $(document).ready(function() {
var link = $('#story-url').val();
var headline = $('#story-title').val();
var description = $('#description-box').val();
- var userDataForUpvote = {
- upVotedBy: user._id,
- upVotedByUsername: user.profile.username
- };
+
$('#story-submit').unbind('click');
$.post('/stories/',
{
@@ -277,15 +273,7 @@ $(document).ready(function() {
timePosted: Date.now(),
description: description,
storyMetaDescription: storyMetaDescription,
- originalStoryAuthorEmail: user.email,
rank: 1,
- upVotes: [userDataForUpvote],
- author: {
- picture: user.profile.picture,
- email: user.email,
- userId: user._id,
- username: user.profile.username
- },
comments: [],
image: storyImage
}
@@ -311,14 +299,7 @@ $(document).ready(function() {
data: {
associatedPost: storyId,
originalStoryLink: originalStoryLink,
- originalStoryAuthorEmail: originalStoryAuthorEmail,
- body: data,
- author: {
- picture: user.profile.picture,
- userId: user._id,
- username: user.profile.username,
- email: user.email
- }
+ body: data
}
})
.fail(function (xhr, textStatus, errorThrown) {
@@ -332,7 +313,8 @@ $(document).ready(function() {
$('#comment-button').on('click', commentSubmitButtonHandler);
});
-var profileValidation = angular.module('profileValidation',['ui.bootstrap']);
+var profileValidation = angular.module('profileValidation',
+ ['ui.bootstrap', 'ngLodash']);
profileValidation.controller('profileValidationController', ['$scope', '$http',
function($scope, $http) {
$http.get('/account/api').success(function(data) {
@@ -389,7 +371,7 @@ profileValidation.controller('submitStoryController', ['$scope',
}
]);
-profileValidation.directive('uniqueUsername',['$http',function($http) {
+profileValidation.directive('uniqueUsername', ['$http', function($http) {
return {
restrict: 'A',
require: 'ngModel',
@@ -398,7 +380,7 @@ profileValidation.directive('uniqueUsername',['$http',function($http) {
ngModel.$setValidity('unique', true);
if (element.val()) {
$http.get("/api/checkUniqueUsername/" + element.val()).success(function (data) {
- if (element.val() == scope.storedUsername) {
+ if (element.val() === scope.storedUsername) {
ngModel.$setValidity('unique', true);
} else if (data) {
ngModel.$setValidity('unique', false);
@@ -407,10 +389,11 @@ profileValidation.directive('uniqueUsername',['$http',function($http) {
}
});
}
- }
+ };
}]);
-profileValidation.directive('existingUsername', ['$http', function($http) {
+profileValidation.directive('existingUsername',
+ ['$http', 'lodash', function($http, lodash) {
return {
restrict: 'A',
require: 'ngModel',
@@ -423,15 +406,18 @@ profileValidation.directive('existingUsername', ['$http', function($http) {
ngModel.$setPristine();
}
if (element.val()) {
- $http
- .get("/api/checkExistingUsername/" + element.val())
- .success(function (data) {
- ngModel.$setValidity('exists', data);
- });
+ var debo = lodash.debounce(function() {
+ $http
+ .get('/api/checkExistingUsername/' + element.val())
+ .success(function (data) {
+ ngModel.$setValidity('exists', data);
+ });
+ }, 2000);
+ debo();
}
});
}
- }
+ };
}]);
profileValidation.directive('uniqueEmail', ['$http', function($http) {
@@ -443,7 +429,7 @@ profileValidation.directive('uniqueEmail', ['$http', function($http) {
ngModel.$setValidity('unique', true);
if (element.val()) {
$http.get("/api/checkUniqueEmail/" + encodeURIComponent(element.val())).success(function (data) {
- if (element.val() == scope.storedEmail) {
+ if (element.val() === scope.storedEmail) {
ngModel.$setValidity('unique', true);
} else if (data) {
ngModel.$setValidity('unique', false);
View
1 views/partials/universal-head.jade
@@ -1,6 +1,7 @@
script(src="//ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js")
script(src="//ajax.googleapis.com/ajax/libs/angularjs/1.3.11/angular.min.js")
script(src="//cdnjs.cloudflare.com/ajax/libs/angular-ui-bootstrap/0.12.0/ui-bootstrap-tpls.min.js")
+script(src="/bower_components/ng-lodash/build/ng-lodash.js")
include meta
title #{title} | Free Code Camp
meta(charset='utf-8')
View
13 views/stories/comments.jade
@@ -56,8 +56,9 @@
sentinel--;
if (!sentinel) {
$('.comment-a-comment').on('click', 'a', function () {
- if (typeof user == "undefined" || !user) {
- window.location.href = '/signin';
+ if (!isLoggedIn) {
+ console.log('not logged in');
+ //window.location.href = '/signin';
return;
}
$(this).unbind('click');
@@ -92,20 +93,12 @@
});
var submitCommentToCommentHandler = function submitCommentToCommentHandler() {
$('#submit-comment-to-comment').unbind('click');
- console.log('in comments.jade', originalStoryAuthorEmail);
$.post('/stories/comment/' + commentId + '/comment',
{
data: {
associatedPost: commentId,
originalStoryLink: originalStoryLink,
- originalStoryAuthorEmail: originalStoryAuthorEmail,
body: $('#comment-to-comment-textinput').val(),
- author: {
- picture: user.profile.picture,
- userId: user._id,
- username: user.profile.username,
- email: user.email
- }
}
})
.fail(function (xhr, textStatus, errorThrown) {
View
11 views/stories/index.jade
@@ -2,11 +2,12 @@ extends ../layout
block content
script(src='/js/lib/moment/moment.js')
if (user)
- script.
- var user = !{JSON.stringify(user)};
+ script.
+ var isLoggedIn = true;
+ var B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B = !{JSON.stringify(user._id)}
else
- script.
- var user = undefined;
+ script.
+ var isLoggedIn = false;
script.
var challengeName = 'Camper News';
var page = !{JSON.stringify(page)};
@@ -32,4 +33,4 @@ block content
if (page === 'storySubmission')
include ./submit-story
if (page === 'show')
- include ./show
+ include ./show
View
3 views/stories/show.jade
@@ -2,7 +2,6 @@
script.
var storyId = !{JSON.stringify(id)};
var originalStoryLink = !{JSON.stringify(originalStoryLink)};
- var originalStoryAuthorEmail = !{JSON.stringify(originalStoryAuthorEmail)};
var comments = !{JSON.stringify(comments)};
var upVotes = !{JSON.stringify(upVotes)};
var image = !{JSON.stringify(image)};
@@ -58,7 +57,7 @@
$('#image-display').removeClass('hidden-element')
}
$('#reply-to-main-post').on('click', function() {
- if (typeof user == "undefined" || !user) {
+ if (!isLoggedIn) {
window.location.href = '/signin';
return;
}

0 comments on commit 08bf658

Please sign in to comment.
Something went wrong with that request. Please try again.