Only require user sessions on /db requests that are not GET

2016-06-16 16:00:45 -07:00 · 2016-06-16 16:00:45 -07:00 · ca83ed05e4
commit ca83ed05e4
parent 972c632d85
2 changed files with 5 additions and 2 deletions
--- a/server/routes/index.coffee
+++ b/server/routes/index.coffee
@ -14,7 +14,10 @@ module.exports.setup = (app) ->
  app.get('/auth/unsubscribe', mw.auth.unsubscribe)
  app.get('/auth/whoami', mw.auth.whoAmI)

-  app.all('/db/*', mw.auth.checkHasUser())
+  app.delete('/db/*', mw.auth.checkHasUser())
+  app.patch('/db/*', mw.auth.checkHasUser())
+  app.post('/db/*', mw.auth.checkHasUser())
+  app.put('/db/*', mw.auth.checkHasUser())
  
  Achievement = require '../models/Achievement'
  app.get('/db/achievement', mw.achievements.fetchByRelated, mw.rest.get(Achievement))
--- a/spec/server/functional/prepaid.spec.coffee
+++ b/spec/server/functional/prepaid.spec.coffee
@ -544,7 +544,7 @@ describe '/db/prepaid', ->
      logoutUser () ->
        fetchPrepaid joeCode, (err, res) ->
          expect(err).toBeNull()
-          expect(res.statusCode).toEqual(401)
+          expect(res.statusCode).toEqual(403)
          done()

    it 'User can fetch a prepaid code', (done) ->