
Merge branch 'lock-thread'

sbkwgh 8 年之前
父节点
当前提交
40f9883401
共有 2 个文件被更改,包括 65 次插入27 次删除
  1. 40 27
      routes/thread.js
  2. 25 0
      test/thread_post.js

+ 40 - 27
routes/thread.js

@@ -80,6 +80,7 @@ router.get('/:thread_id', async (req, res) => {
 	}
 })
 
+//Only logged in routes
 router.all('*', (req, res, next) => {
 	if(req.session.loggedIn) {
 		next()
@@ -91,33 +92,6 @@ router.all('*', (req, res, next) => {
 	}
 })
 
-router.put('/:thread_id', async (req, res) => {
-	try {
-		let thread = await Thread.findById(req.params.thread_id)
-
-		if(!thread) {
-			res.status(400)
-			res.json({ errors: 
-				[Errors.invalidParameter('threadId', 'thread does not exist')]
-			})
-		} else {
-			if(req.body.locked) {
-				await thread.update({ locked: true })
-			} else {
-				await thread.update({ locked: false })
-			}
-
-			res.json({ success: true })
-		}
-	} catch (e) {
-		console.log(e)
-		res.status(500)
-		res.json({
-			errors: [Errors.unknown]
-		})
-	}
-})
-
 router.post('/', async (req, res) => {
 	let validationErrors = []
 
@@ -189,4 +163,43 @@ router.post('/', async (req, res) => {
 	}
 })
 
+//Only admin routes
+router.all('*', (req, res, next) => {
+	if(req.session.admin) {
+		next()
+	} else {
+		res.status(401)
+		res.json({
+			errors: [Errors.requestNotAuthorized]
+		})
+	}
+})
+
+router.put('/:thread_id', async (req, res) => {
+	try {
+		let thread = await Thread.findById(req.params.thread_id)
+
+		if(!thread) {
+			res.status(400)
+			res.json({ errors: 
+				[Errors.invalidParameter('threadId', 'thread does not exist')]
+			})
+		} else {
+			if(req.body.locked) {
+				await thread.update({ locked: true })
+			} else {
+				await thread.update({ locked: false })
+			}
+
+			res.json({ success: true })
+		}
+	} catch (e) {
+		console.log(e)
+		res.status(500)
+		res.json({
+			errors: [Errors.unknown]
+		})
+	}
+})
+
 module.exports = router
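Review bot: Authorization for `PUT /:thread_id` rests entirely on the route being declared after the new `router.all('*', …)` admin gate, so a handler later added above that line, or this one moved back up, silently loses the admin check. Pulling the check into a named middleware (say `requireAdmin`) and attaching it to the route makes the requirement visible where it applies: `router.put('/:thread_id', requireAdmin, async (req, res) => {`. The gate also answers 401 to a user who is logged in but not an admin; 403 is the conventional status for that case, if `Errors` has a suitable entry (not visible here), and the new test would need to follow. Separately, `if(req.body.locked)` tests truthiness, so a JSON string such as `"false"` would lock the thread; rejecting non-boolean values with the existing `Errors.invalidParameter` would close that.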

+ 25 - 0
test/thread_post.js

@@ -205,6 +205,7 @@ describe('Thread and post', () => {
 
 	describe('PUT /thread', () => {
 		let threadId
+		let normalUserAgent = chai.request.agent(server)
 
 		before(done => {
 			userAgent
@@ -217,6 +218,15 @@ describe('Thread and post', () => {
 				.then(res => {
 					threadId = res.body.id
 
+					return normalUserAgent
+						.post('/api/v1/user')
+						.set('content-type', 'application/json')
+						.send({
+							username: 'normaluseragent',
+							password: 'password'
+						})
+				})
+				.then(_ => {
 					done()
 				})
 				.catch(done)
@@ -285,6 +295,21 @@ describe('Thread and post', () => {
 					done()
 				})
 		})
+		it('should return an error if not an administrator', done => {
+			normalUserAgent
+				.put('/api/v1/thread/' + threadId)
+				.set('content-type', 'application/json')
+				.send({
+					locked: false
+				})
+				.end((err, res) => {
+					res.should.be.json
+					res.should.have.status(401)
+					res.body.errors.should.contain.something.that.deep.equals(Errors.requestNotAuthorized)
+
+					done()
+				})
+		})
 		it('should not allow new posts if locked', done => {
 			userAgent
 				.put('/api/v1/thread/' + threadId)
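Review bot: The new 'should return an error if not an administrator' test sends `locked: false` and checks only the status and error body, so it would not notice a handler that returns 401 but still applies the update. Sending a value that differs from the thread's current state from `normalUserAgent`, then confirming the state is unchanged (for example by reading the thread back as `userAgent`), would pin the property that matters. The current state depends on earlier tests outside this hunk, so which value to send has to be checked there. A second case with an agent that has no session at all would also cover the logged-in gate for this URL.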