X-Git-Url: http://git.onelab.eu/?p=myops.git;a=blobdiff_plain;f=web%2Fquery%2Fvalidate_doc_update.js;fp=web%2Fquery%2Fvalidate_doc_update.js;h=5046d4156a0faf42b64212639ae0ee95b2e282e1;hp=0000000000000000000000000000000000000000;hb=85070b3d456667f238051af1a2f1f2a0c12300ab;hpb=607f0e13927eb18075c375fa9ba5527da4fcbb44
diff --git a/web/query/validate_doc_update.js b/web/query/validate_doc_update.js
new file mode 100644
index 0000000..5046d41
--- /dev/null
+++ b/web/query/validate_doc_update.js
@@ -0,0 +1,38 @@
+function (newDoc, oldDoc, userCtx, secObj) {
+ var v = require("lib/validate").init(newDoc, oldDoc, userCtx, secObj);
+
+ v.isAuthor = function() {
+ return v.isAdmin() || userCtx.roles.indexOf("author") != -1;
+ };
+
+ // admins or owner can always delete
+ if (v.isAdmin()) return true;
+ if (((oldDoc && (oldDoc.author == userCtx.name))) && newDoc._deleted) return true;
+
+ v.unchanged("type");
+ v.unchanged("author");
+ v.unchanged("created_at");
+
+ if (newDoc.created_at) v.dateFormat("created_at");
+
+ // docs with authors can only be saved by their author
+ // admin can author anything...
+ if (!v.isAdmin() && newDoc.author && newDoc.author != userCtx.name) {
+ v.unauthorized("Only "+newDoc.author+" may edit this document.");
+ }
+
+ if (newDoc.type == 'post') {
+ if (!v.isAuthor()) {
+ v.unauthorized("Only authors may edit posts.");
+ }
+ v.require("created_at", "author", "body", "format", "title");
+ } else if (newDoc.type == 'comment') {
+ v.require("created_at", "post_id", "comment", "format", "commenter");
+ v.assert((newDoc.commenter.name || newDoc.commenter.nickname) && (typeof newDoc.commenter.email != "undefined"),
+ "Comments must include name and email.");
+ if (newDoc.commenter.url) {
+ v.assert(newDoc.commenter.url.match(/^https?:\/\/[^.]*\..*/),
+ "Commenter URL must start with http://."),
+ }
+ }
+}
\ No newline at end of file
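Review bot: The owner-delete shortcut `if (((oldDoc && (oldDoc.author == userCtx.name))) && newDoc._deleted) return true;` uses loose equality, so for a stored document that has no `author` field (comments carry `commenter` instead) and a request where `userCtx.name` is null, `undefined == null` evaluates true and the deletion is accepted before any other check runs; tighten it to `if (oldDoc && oldDoc.author != null && oldDoc.author === userCtx.name && newDoc._deleted) return true;`. Whether unauthenticated writes reach this function at all depends on the database's security object, which is not visible in this diff. Separately, the second assert ends in `"Commenter URL must start with http://."),` — a comma where the first assert ends in `;` — which as shown is a syntax error that would keep the whole validate function from compiling, so every write to the database would fail until it is changed to `);`. The comment branch also dereferences `newDoc.commenter.name` right after `v.require(..., "commenter")` without confirming `commenter` is an object; what `require` rejects is defined in lib/validate, outside this diff, so a guard such as `v.assert(newDoc.commenter && typeof newDoc.commenter == "object", "commenter must be an object.");` before the field checks would make this independent of that helper.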