fixed form rendering authorization bug

2017-07-26 18:55:33 -04:00 · 2017-07-26 18:55:33 -04:00 · 0f3f23f3f1
parent a1b8456a24
commit 0f3f23f3f1
2 changed files with 8 additions and 4 deletions
--- a/app/controllers/forms.server.controller.js
+++ b/app/controllers/forms.server.controller.js
@ -136,6 +136,11 @@ exports.create = function(req, res) {
 * Show the current form
 */
 exports.read = function(req, res) {
+	if(!req.user || (req.form.admin._id !== req.user._id) ){
+		console.log("readForRender");	
+		readForRender(req, res);
+	} else {
+	
 	FormSubmission.find({ form: req.form._id }).exec(function(err, _submissions) {
 		if (err) {
 			res.status(400).send({
@ -156,6 +161,7 @@ exports.read = function(req, res) {
 		}
 		return res.json(newForm);
 	});
+	}
 };

 /**
@ -169,9 +175,8 @@ exports.uploadTemp = function(req, res) {
 /**
 * Show the current form for rendering form live
 */
-exports.readForRender = function(req, res) {
+var readForRender = exports.readForRender = function(req, res) {
 	var newForm = req.form.toJSON();
-
 	if (!newForm.isLive && !req.user) {
 		return res.status(401).send({
 			message: 'Form is Not Public'
@ -181,7 +186,6 @@ exports.readForRender = function(req, res) {
 	//Remove extraneous fields from form object
 	delete newForm.submissions;
 	delete newForm.analytics;
-	delete newForm.isLive;
 	delete newForm.admin;

 	if(!newForm.startPage.showStart){
--- a/app/routes/forms.server.routes.js
+++ b/app/routes/forms.server.routes.js
@ -13,7 +13,7 @@ module.exports = function(app) {
 		.post(auth.isAuthenticatedOrApiKey, forms.create);

 	app.route('/forms/:formId([a-zA-Z0-9]+)')
-		.get(auth.isAuthenticatedOrApiKey, forms.hasAuthorization, forms.read)
+		.get(forms.read)
 		.post(forms.createSubmission)
 		.put(auth.isAuthenticatedOrApiKey, forms.hasAuthorization, forms.update)
 		.delete(auth.isAuthenticatedOrApiKey, forms.hasAuthorization, forms.delete);