diff options
Diffstat (limited to '')
-rw-r--r-- | controllers/system.js | 61 |
1 files changed, 26 insertions, 35 deletions
diff --git a/controllers/system.js b/controllers/system.js index 31b48f7..8c0c623 100644 --- a/controllers/system.js +++ b/controllers/system.js @@ -144,47 +144,38 @@ exports.postProjectPost = function(req, res) { req.assert('project', 'The project was lost').notEmpty(); req.assert('what', 'You need to fill in the what-field').notEmpty(); req.assert('value', 'The value must be a positive number').notEmpty().isInt().min(0); - var projectId = req.sanitize('project').escape(); // error when validation fails var errors = req.validationErrors(); if (errors) return res.status(500).render('error', { title: '500', text: 'Det oppstod en valideringsfeil', error: errors.stack }); + Project.load(req.sanitize('project').escape(), function(err, project) { + if (err) return res.status(500).render('error', { title: '500', text: 'En serverfeil oppstod', error: err.stack }); - Access.findOne({ user: req.user._id }).where('project').equals(projectId).exec(function(err, access) { - if (err || !access) return res.status(403).render('error', { title: '403', text: 'no sir.' }); - - // Time to fill in the model! - var ppost = new pPost(); - ppost.user = req.user._id; - console.log('ppost.user = ' + req.user._id); - - ppost.for = req.user._id; - - ppost.project = req.sanitize('project').escape(); // escape will escape html-specific characters, like " & > etc." - console.log('ppost.project = ' + ppost.project); - - ppost.what = req.sanitize('what').escape(); - console.log('ppost.what = ' + ppost.what); - - ppost.comment = req.sanitize('comment').xss(); // xss will remove cross-site-scripting in the textfield. - - ppost.participants = req.sanitize('participants').escape(); - console.log('ppost.participants = ' + ppost.participants); - - ppost.value = req.sanitize('value').toInt(); // this will remove leading zeroes. '0123' => '123' - - ppost.when = new Date(req.sanitize('date').escape() + ' ' + req.sanitize('time').escape() + ':00'); - console.log('ppost.when = ' + ppost.when); - - console.log('req.profile: ' + req.profile); - ppost.save(function(err) { - if (err) { - console.log(err.errors); - res.render('projectPost', { title: 'Legg til utgift - en feil oppstod', loggedin: true, req: req, project: project }); - } - return res.redirect('/dashboard'); - }) + // check if access + Access.checkAccess(req.user._id, project._id, function(err, access) { + if (err || !access) return res.status(403).render('error', { title: '403', text: 'no sir.' }); + + // Time to fill in the model! + var ppost = new pPost(); + + ppost.user = req.user._id; + ppost.for = req.user._id; + ppost.project = project._id; + ppost.what = req.sanitize('what').escape(); + ppost.comment = req.sanitize('comment').xss(); // xss will remove cross-site-scripting in the textfield. + ppost.participants = req.sanitize('participants').escape(); + ppost.value = req.sanitize('value').toInt(); // this will remove leading zeroes. '0123' => '123' + ppost.when = new Date(req.sanitize('date').escape() + ' ' + req.sanitize('time').escape() + ':00'); + + ppost.save(function(err) { + if (err) { + console.log(err.errors); + res.render('projectPost', { title: 'Legg til utgift - en feil oppstod', loggedin: true, req: req, project: project }); + } + return res.redirect('/project/' + project.shortURL); + }) + }); }); } exports.newProject = function(req, res) { |