Only authorized user can edit/delete a campground in YelpCamp project

anku255 · anku255 · commit f801344928f1 · 2017-07-02T20:37:56.000+05:30
diff --git a/YelpCamp/routes/campgrounds.js b/YelpCamp/routes/campgrounds.js
@@ -62,18 +62,14 @@ router.post("/", isLoggedIn, function(req, res) {
 });
 
 // EDIT Campground route
-router.get("/:id/edit", function(req, res) {
+router.get("/:id/edit", checkCampgroundOwnership, function(req, res) {
   Campground.findById(req.params.id, function(err, foundCampground) {
-    if(err) {
-      res.redirect("/campgrounds");
-    } else {
-        res.render("campgrounds/edit", {campground: foundCampground});
-    }
+    res.render("campgrounds/edit", {campground: foundCampground});
   });
 });
 
 // UPDATE Campground route
-router.put("/:id", function(req, res) {
+router.put("/:id", checkCampgroundOwnership, function(req, res) {
   // find and update the correct campground
   Campground.findByIdAndUpdate(req.params.id, req.body.campground, function(err, updatedCamground) {
     if(err) {
@@ -86,7 +82,7 @@ router.put("/:id", function(req, res) {
 });
 
 // DESTROY Campground Route
-router.delete("/:id/", function(req, res) {
+router.delete("/:id/", checkCampgroundOwnership, function(req, res) {
   Campground.findByIdAndRemove(req.params.id, function(err) {
     if(err) {
       res.redirect("/campgrounds");
@@ -96,7 +92,27 @@ router.delete("/:id/", function(req, res) {
   });
 });
 
-// middleware function to check if user is logged in
+// middleware
+function checkCampgroundOwnership(req, res, next) {
+  if(req.isAuthenticated()) {
+    Campground.findById(req.params.id, function(err, foundCampground) {
+      if(err) {
+        res.redirect("/campgrounds");
+      } else {
+        // does user own the camground?
+        if(foundCampground.author.id.equals(req.user._id)) {
+          next();
+        } else {
+          res.redirect("back");
+        }
+      }
+    });
+  } else {
+    res.redirect("back");
+  }
+}
+
+// middleware
 function isLoggedIn(req, res, next){
   if(req.isAuthenticated()){
     return next();
diff --git a/YelpCamp/views/campgrounds/show.ejs b/YelpCamp/views/campgrounds/show.ejs
@@ -20,10 +20,13 @@
           <p>
             <em>Submitted By <%= campground.author.username%> </em>
           </p>
-          <a class="btn btn-warning" href="/campgrounds/<%=campground._id%>/edit">Edit</a>
-          <form id="delete-form" action="/campgrounds/<%=campground._id%>?_method=DELETE" method="POST">
-            <button class="btn btn-danger">Delete</button>
-          </form>
+          <% if (currentUser && campground.author.id.equals(currentUser._id)) { %>
+                <a class="btn btn-warning" href="/campgrounds/<%=campground._id%>/edit">Edit</a>
+                <form id="delete-form" action="/campgrounds/<%=campground._id%>?_method=DELETE" method="POST">
+                  <button class="btn btn-danger">Delete</button>
+                </form>
+          <% } %>
+          
         </div>
       </div>
       <div class="well">
