|
|
@@ -136,15 +136,23 @@ module.exports = function(crowi, app) {
|
|
|
*/
|
|
|
api.update = async function(req, res) {
|
|
|
const Page = crowi.model('Page');
|
|
|
+ const User = crowi.model('User');
|
|
|
const PageTagRelation = crowi.model('PageTagRelation');
|
|
|
const tagEvent = crowi.event('tag');
|
|
|
const pageId = req.body.pageId;
|
|
|
const tags = req.body.tags;
|
|
|
+ const userId = req.user._id;
|
|
|
|
|
|
const result = {};
|
|
|
try {
|
|
|
// TODO GC-1921 consider permission
|
|
|
const page = await Page.findById(pageId);
|
|
|
+ const user = await User.findById(userId);
|
|
|
+
|
|
|
+ if (!await Page.isAccessiblePageByViewer(page._id, user)) {
|
|
|
+ return res.json(ApiResponse.error("You don't have permission to update this page"));
|
|
|
+ }
|
|
|
+
|
|
|
await PageTagRelation.updatePageTags(pageId, tags);
|
|
|
result.tags = await PageTagRelation.listTagNamesByPage(pageId);
|
|
|
|
yuto-o