|
|
@@ -136,18 +136,25 @@ module.exports = function(crowi, app) {
|
|
|
*/
|
|
|
api.update = async function(req, res) {
|
|
|
const Page = crowi.model('Page');
|
|
|
+ const User = crowi.model('User');
|
|
|
const PageTagRelation = crowi.model('PageTagRelation');
|
|
|
const Revision = crowi.model('Revision');
|
|
|
- const User = crowi.model('User');
|
|
|
const tagEvent = crowi.event('tag');
|
|
|
const pageId = req.body.pageId;
|
|
|
const tags = req.body.tags;
|
|
|
+ const userId = req.user._id;
|
|
|
const revisionId = req.body.revisionId;
|
|
|
|
|
|
const result = {};
|
|
|
try {
|
|
|
// TODO GC-1921 consider permission
|
|
|
const page = await Page.findById(pageId);
|
|
|
+ const user = await User.findById(userId);
|
|
|
+
|
|
|
+ if (!await Page.isAccessiblePageByViewer(page._id, user)) {
|
|
|
+ return res.json(ApiResponse.error("You don't have permission to update this page."));
|
|
|
+ }
|
|
|
+
|
|
|
const previousRevision = await Revision.findById(revisionId);
|
|
|
result.savedPage = await Page.updatePage(page, previousRevision.body, previousRevision.body, req.user);
|
|
|
await PageTagRelation.updatePageTags(pageId, tags);
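Review bot: The new access check covers `page` only, while the revision loaded from `req.body.revisionId` a few lines below it is never tied to that page, so `Page.updatePage` writes that revision's `body` into the page whichever page the revision came from. Before the `updatePage` call, reject a `previousRevision` that is null or does not belong to `page`; the field linking a revision to its page is not visible in this hunk, so the comparison has to use whatever the Revision model provides. `page._id` in the new `if` is also read before `page` is known to be non-null, so an unknown `pageId` presumably surfaces as a TypeError in the catch block (outside the hunk) rather than a clean error, and a guard such as `if (page == null) { return res.json(ApiResponse.error('Page not found.')); }` ahead of it would fix that. Judging by its name, `isAccessiblePageByViewer` tests read access, so it is worth confirming that view permission is the intended bar for an update, and the `// TODO GC-1921 consider permission` comment should be removed or reworded now that a check exists. The body of `api.update` continues past the end of the hunk.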
|