
Harden camper news and don't expose user object. Upvoting still needs…

… to be looked at.
1 parent 2c53a17 commit 08bf658897bad23baab1784f0f97b20eb6d6b0f0 @terakilobyte terakilobyte committed
Showing with 58 additions and 63 deletions.
  1. +2 −2 .bowerrc
  2. +24 −9 controllers/story.js
  3. +21 −35 public/js/main.js
  4. +1 −0 views/partials/universal-head.jade
  5. +3 −10 views/stories/comments.jade
  6. +6 −5 views/stories/index.jade
  7. +1 −2 views/stories/show.jade
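--- a/.bowerrc
+++ b/.bowerrc
@@ -1,3 +1,3 @@
 {
-"directory" : "public/js/lib"
-}
+"directory" : "public/bower_components"
+}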
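--- a/controllers/story.js
+++ b/controllers/story.js
@@ -223,8 +223,8 @@ exports.upvote = function(req, res, next) {
 story.rank++;
 story.upVotes.push(
 {
-upVotedBy: data.upVoter._id,
-upVotedByUsername: data.upVoter.profile.username
+upVotedBy: req.user._id,
+upVotedByUsername: req.user.profile.username
 }
 );
 story.markModified('rank');
@@ -314,7 +314,7 @@ exports.newStory = function(req, res, next) {
 exports.storySubmission = function(req, res, next) {
 var data = req.body.data;
-if (req.user._id.toString() !== data.author.userId.toString()) {
+if (!req.user) {
 return next(new Error('Not authorized'));
 }
 var storyLink = data.headline
@@ -341,7 +341,12 @@ exports.storySubmission = function(req, res, next) {
 }).replace(/"/g, '"'),
 rank: 1,
 upVotes: data.upVotes,
-author: data.author,
+author: {
+picture: req.user.profile.picture,
+userId: req.user._id,
+username: req.user.profile.username,
+email: req.user.email
+},
 comments: [],
 image: data.image,
 storyLink: storyLink,
@@ -361,7 +366,7 @@ exports.storySubmission = function(req, res, next) {
 exports.commentSubmit = function(req, res, next) {
 var data = req.body.data;
-if (req.user._id.toString() !== data.author.userId.toString()) {
+if (!req.user) {
 return next(new Error('Not authorized'));
 }
 var sanitizedBody = sanitizeHtml(data.body,
@@ -378,11 +383,16 @@ exports.commentSubmit = function(req, res, next) {
 var comment = new Comment({
 associatedPost: data.associatedPost,
 originalStoryLink: data.originalStoryLink,
-originalStoryAuthorEmail: data.originalStoryAuthorEmail,
+originalStoryAuthorEmail: req.user.email,
 body: sanitizedBody,
 rank: 0,
 upvotes: 0,
-author: data.author,
+author: {
+picture: req.user.profile.picture,
+userId: req.user._id,
+username: req.user.profile.username,
+email: req.user.email
+},
 comments: [],
 topLevel: true,
 commentOn: Date.now()
@@ -393,7 +403,7 @@ exports.commentSubmit = function(req, res, next) {
 exports.commentOnCommentSubmit = function(req, res, next) {
 var data = req.body.data;
-if (req.user._id.toString() !== data.author.userId.toString()) {
+if (!req.user) {
 return next(new Error('Not authorized'));
 }
@@ -415,7 +425,12 @@ exports.commentOnCommentSubmit = function(req, res, next) {
 upvotes: 0,
 originalStoryLink: data.originalStoryLink,
 originalStoryAuthorEmail: data.originalStoryAuthorEmail,
-author: data.author,
+author: {
+picture: req.user.profile.picture,
+userId: req.user._id,
+username: req.user.profile.username,
+email: req.user.email
+},
 comments: [],
 topLevel: false,
 commentOn: Date.now()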
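Review bot: In commentSubmit, `originalStoryAuthorEmail: req.user.email` records the commenter's address rather than the story author's, and commentOnCommentSubmit still takes `originalStoryAuthorEmail: data.originalStoryAuthorEmail` from the request body, which is client-controlled and which comments.jade no longer sends after this commit. Both values should be resolved server-side from the stored story the comment belongs to, not from the submitter or the request. The new `author` objects also persist `email: req.user.email` on every story and comment, and show.jade serializes `comments` into the page, so author e-mail addresses presumably still reach every viewer; consider leaving `email` out of `author` or stripping it before render. `upVotes: data.upVotes` in storySubmission likewise remains client-supplied even though main.js dropped that field, so it should be seeded server-side from `req.user`. The upvote hunk now dereferences `req.user._id` but no `!req.user` guard is visible; exports.upvote starts outside the hunk, so check that it has one.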
56 public/js/main.js
@@ -234,7 +234,7 @@ $(document).ready(function() {
$('#upvote').unbind('click'); $('#upvote').unbind('click');
var alreadyUpvoted = false; var alreadyUpvoted = false;
for (var i = 0; i < upVotes.length; i++) { for (var i = 0; i < upVotes.length; i++) {
- if (upVotes[i].upVotedBy === user._id) { + if (upVotes[i].upVotedBy === B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B) {

@terakilobyte Not sure if this should be hardcoded, but if it should, it needs to be surrounded by double-quotes :-)

Wow, my bad; didn't see this:

var B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B = !{JSON.stringify(user._id)}

var userID = "..."?

I tried evaluating B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B in the console and got an error, so I thought this was supposed to be a string, but... nope

alreadyUpvoted = true; alreadyUpvoted = true;
break; break;
} }
@@ -243,8 +243,7 @@ $(document).ready(function() {
$.post('/stories/upvote', $.post('/stories/upvote',
{ {
data: { data: {
- id: _id, + id: _id
- upVoter: user
} }
}) })
.fail(function (xhr, textStatus, errorThrown) { .fail(function (xhr, textStatus, errorThrown) {
@@ -264,10 +263,7 @@ $(document).ready(function() {
var link = $('#story-url').val(); var link = $('#story-url').val();
var headline = $('#story-title').val(); var headline = $('#story-title').val();
var description = $('#description-box').val(); var description = $('#description-box').val();
- var userDataForUpvote = { +
- upVotedBy: user._id,
- upVotedByUsername: user.profile.username
- };
$('#story-submit').unbind('click'); $('#story-submit').unbind('click');
$.post('/stories/', $.post('/stories/',
{ {
@@ -277,15 +273,7 @@ $(document).ready(function() {
timePosted: Date.now(), timePosted: Date.now(),
description: description, description: description,
storyMetaDescription: storyMetaDescription, storyMetaDescription: storyMetaDescription,
- originalStoryAuthorEmail: user.email,
rank: 1, rank: 1,
- upVotes: [userDataForUpvote],
- author: {
- picture: user.profile.picture,
- email: user.email,
- userId: user._id,
- username: user.profile.username
- },
comments: [], comments: [],
image: storyImage image: storyImage
} }
@@ -311,14 +299,7 @@ $(document).ready(function() {
data: { data: {
associatedPost: storyId, associatedPost: storyId,
originalStoryLink: originalStoryLink, originalStoryLink: originalStoryLink,
- originalStoryAuthorEmail: originalStoryAuthorEmail, + body: data
- body: data,
- author: {
- picture: user.profile.picture,
- userId: user._id,
- username: user.profile.username,
- email: user.email
- }
} }
}) })
.fail(function (xhr, textStatus, errorThrown) { .fail(function (xhr, textStatus, errorThrown) {
@@ -332,7 +313,8 @@ $(document).ready(function() {
$('#comment-button').on('click', commentSubmitButtonHandler); $('#comment-button').on('click', commentSubmitButtonHandler);
}); });
-var profileValidation = angular.module('profileValidation',['ui.bootstrap']); +var profileValidation = angular.module('profileValidation',
+ ['ui.bootstrap', 'ngLodash']);
profileValidation.controller('profileValidationController', ['$scope', '$http', profileValidation.controller('profileValidationController', ['$scope', '$http',
function($scope, $http) { function($scope, $http) {
$http.get('/account/api').success(function(data) { $http.get('/account/api').success(function(data) {
@@ -389,7 +371,7 @@ profileValidation.controller('submitStoryController', ['$scope',
} }
]); ]);
-profileValidation.directive('uniqueUsername',['$http',function($http) { +profileValidation.directive('uniqueUsername', ['$http', function($http) {
return { return {
restrict: 'A', restrict: 'A',
require: 'ngModel', require: 'ngModel',
@@ -398,7 +380,7 @@ profileValidation.directive('uniqueUsername',['$http',function($http) {
ngModel.$setValidity('unique', true); ngModel.$setValidity('unique', true);
if (element.val()) { if (element.val()) {
$http.get("/api/checkUniqueUsername/" + element.val()).success(function (data) { $http.get("/api/checkUniqueUsername/" + element.val()).success(function (data) {
- if (element.val() == scope.storedUsername) { + if (element.val() === scope.storedUsername) {
ngModel.$setValidity('unique', true); ngModel.$setValidity('unique', true);
} else if (data) { } else if (data) {
ngModel.$setValidity('unique', false); ngModel.$setValidity('unique', false);
@@ -407,10 +389,11 @@ profileValidation.directive('uniqueUsername',['$http',function($http) {
} }
}); });
} }
- } + };
}]); }]);
-profileValidation.directive('existingUsername', ['$http', function($http) { +profileValidation.directive('existingUsername',
+ ['$http', 'lodash', function($http, lodash) {
return { return {
restrict: 'A', restrict: 'A',
require: 'ngModel', require: 'ngModel',
@@ -423,15 +406,18 @@ profileValidation.directive('existingUsername', ['$http', function($http) {
ngModel.$setPristine(); ngModel.$setPristine();
} }
if (element.val()) { if (element.val()) {
- $http + var debo = lodash.debounce(function() {
- .get("/api/checkExistingUsername/" + element.val()) + $http
- .success(function (data) { + .get('/api/checkExistingUsername/' + element.val())
- ngModel.$setValidity('exists', data); + .success(function (data) {
- }); + ngModel.$setValidity('exists', data);
+ });
+ }, 2000);
+ debo();
} }
}); });
} }
- } + };
}]); }]);
profileValidation.directive('uniqueEmail', ['$http', function($http) { profileValidation.directive('uniqueEmail', ['$http', function($http) {
@@ -443,7 +429,7 @@ profileValidation.directive('uniqueEmail', ['$http', function($http) {
ngModel.$setValidity('unique', true); ngModel.$setValidity('unique', true);
if (element.val()) { if (element.val()) {
$http.get("/api/checkUniqueEmail/" + encodeURIComponent(element.val())).success(function (data) { $http.get("/api/checkUniqueEmail/" + encodeURIComponent(element.val())).success(function (data) {
- if (element.val() == scope.storedEmail) { + if (element.val() === scope.storedEmail) {
ngModel.$setValidity('unique', true); ngModel.$setValidity('unique', true);
} else if (data) { } else if (data) {
ngModel.$setValidity('unique', false); ngModel.$setValidity('unique', false);
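Review bot: In existingUsername, `var debo = lodash.debounce(...)` is built inside the change handler and invoked immediately, so each keystroke gets its own debounced wrapper and the requests are merely delayed by 2000 ms rather than coalesced; create the debounced function once in the link function (outside the handler, which starts before this hunk) and have the handler only call `debo()`. In the same hunk `'/api/checkExistingUsername/' + element.val()` (and the `uniqueUsername` request above it) places user input in the URL path unencoded, while `uniqueEmail` wraps it in `encodeURIComponent`; use `encodeURIComponent(element.val())` in all three for consistency. The upvote comparison at the top of the section reads `B3BA669…129B`, which index.jade in this commit declares only in its `if (user)` branch; unless that handler is reached only when logged in (its start is outside the hunk), logged-out visitors will hit a ReferenceError there.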
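--- a/views/partials/universal-head.jade
+++ b/views/partials/universal-head.jade
@@ -1,6 +1,7 @@
 script(src="//ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js")
 script(src="//ajax.googleapis.com/ajax/libs/angularjs/1.3.11/angular.min.js")
 script(src="//cdnjs.cloudflare.com/ajax/libs/angular-ui-bootstrap/0.12.0/ui-bootstrap-tpls.min.js")
+script(src="/bower_components/ng-lodash/build/ng-lodash.js")
 include meta
 title #{title} | Free Code Camp
 meta(charset='utf-8')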
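--- a/views/stories/comments.jade
+++ b/views/stories/comments.jade
@@ -56,8 +56,9 @@
 sentinel--;
 if (!sentinel) {
 $('.comment-a-comment').on('click', 'a', function () {
-if (typeof user == "undefined" || !user) {
-window.location.href = '/signin';
+if (!isLoggedIn) {
+console.log('not logged in');
+//window.location.href = '/signin';
 return;
 }
 $(this).unbind('click');
@@ -92,20 +93,12 @@
 });
 var submitCommentToCommentHandler = function submitCommentToCommentHandler() {
 $('#submit-comment-to-comment').unbind('click');
-console.log('in comments.jade', originalStoryAuthorEmail);
 $.post('/stories/comment/' + commentId + '/comment',
 {
 data: {
 associatedPost: commentId,
 originalStoryLink: originalStoryLink,
-originalStoryAuthorEmail: originalStoryAuthorEmail,
 body: $('#comment-to-comment-textinput').val(),
-author: {
-picture: user.profile.picture,
-userId: user._id,
-username: user.profile.username,
-email: user.email
-}
 }
 })
 .fail(function (xhr, textStatus, errorThrown) {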
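Review bot: The logged-out branch of the comment-a-comment click handler now only logs `'not logged in'` and leaves the redirect commented out, whereas the equivalent check in show.jade in this same commit keeps `window.location.href = '/signin';`; the `console.log` plus commented-out line read as debugging left in, and the two paths should behave the same. Restore it as `if (!isLoggedIn) { window.location.href = '/signin'; return; }`. The enclosing handler continues outside the hunk.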
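--- a/views/stories/index.jade
+++ b/views/stories/index.jade
@@ -2,11 +2,12 @@ extends ../layout
 block content
 script(src='/js/lib/moment/moment.js')
 if (user)
-script.
-var user = !{JSON.stringify(user)};
+script.
+var isLoggedIn = true;
+var B3BA669EC5C1DD70FB478221E067A7E1B686929C569F5E73561B69C8F42129B = !{JSON.stringify(user._id)}
 else
-script.
-var user = undefined;
+script.
+var isLoggedIn = false;
 script.
 var challengeName = 'Camper News';
 var page = !{JSON.stringify(page)};
@@ -32,4 +33,4 @@ block content
 if (page === 'storySubmission')
 include ./submit-story
 if (page === 'show')
-include ./show
+include ./show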
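Review bot: The hex identifier `B3BA669…129B` adds no protection: the value it holds is in the page source for whoever loads the page, and the name is the same on every render, so the obscurity buys nothing while making main.js harder to read; a plain `var currentUserId = !{JSON.stringify(user._id)};`, declared in both branches (as `null` in the else branch), is clearer and removes the undefined-variable case when logged out. `!{}` is the unescaped interpolation; for an ObjectId the JSON is a quoted hex string so it is safe here, but anything else interpolated this way would need `</` escaped to stay inside the script block. Also `script(src='/js/lib/moment/moment.js')` in this hunk's context still points at the old bower directory that .bowerrc moves to `public/bower_components` in this commit, so moment will presumably 404 unless js/lib is populated another way.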
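--- a/views/stories/show.jade
+++ b/views/stories/show.jade
@@ -2,7 +2,6 @@
 script.
 var storyId = !{JSON.stringify(id)};
 var originalStoryLink = !{JSON.stringify(originalStoryLink)};
-var originalStoryAuthorEmail = !{JSON.stringify(originalStoryAuthorEmail)};
 var comments = !{JSON.stringify(comments)};
 var upVotes = !{JSON.stringify(upVotes)};
 var image = !{JSON.stringify(image)};
@@ -58,7 +57,7 @@
 $('#image-display').removeClass('hidden-element')
 }
 $('#reply-to-main-post').on('click', function() {
-if (typeof user == "undefined" || !user) {
+if (!isLoggedIn) {
 window.location.href = '/signin';
 return;
 }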
