
Move PUT route below admin route middle-ware so that only admin users can lock threads

sbkwgh il y a 8 ans
Parent
commit
4e73d4b9ea
1 fichiers modifiés avec 40 ajouts et 27 suppressions
  1. 40 27
      routes/thread.js

+ 40 - 27
routes/thread.js

@@ -80,6 +80,7 @@ router.get('/:thread_id', async (req, res) => {
 	}
 })
 
+//Only logged in routes
 router.all('*', (req, res, next) => {
 	if(req.session.loggedIn) {
 		next()
@@ -91,33 +92,6 @@ router.all('*', (req, res, next) => {
 	}
 })
 
-router.put('/:thread_id', async (req, res) => {
-	try {
-		let thread = await Thread.findById(req.params.thread_id)
-
-		if(!thread) {
-			res.status(400)
-			res.json({ errors: 
-				[Errors.invalidParameter('threadId', 'thread does not exist')]
-			})
-		} else {
-			if(req.body.locked) {
-				await thread.update({ locked: true })
-			} else {
-				await thread.update({ locked: false })
-			}
-
-			res.json({ success: true })
-		}
-	} catch (e) {
-		console.log(e)
-		res.status(500)
-		res.json({
-			errors: [Errors.unknown]
-		})
-	}
-})
-
 router.post('/', async (req, res) => {
 	let validationErrors = []
 
@@ -189,4 +163,43 @@ router.post('/', async (req, res) => {
 	}
 })
 
+//Only admin routes
+router.all('*', (req, res, next) => {
+	if(req.session.admin) {
+		next()
+	} else {
+		res.status(401)
+		res.json({
+			errors: [Errors.requestNotAuthorized]
+		})
+	}
+})
+
+router.put('/:thread_id', async (req, res) => {
+	try {
+		let thread = await Thread.findById(req.params.thread_id)
+
+		if(!thread) {
+			res.status(400)
+			res.json({ errors: 
+				[Errors.invalidParameter('threadId', 'thread does not exist')]
+			})
+		} else {
+			if(req.body.locked) {
+				await thread.update({ locked: true })
+			} else {
+				await thread.update({ locked: false })
+			}
+
+			res.json({ success: true })
+		}
+	} catch (e) {
+		console.log(e)
+		res.status(500)
+		res.json({
+			errors: [Errors.unknown]
+		})
+	}
+})
+
 module.exports = router
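Review bot: The admin check added as `router.all('*', …)` protects the PUT handler only through its position in the file, which is the same ordering dependency this commit is correcting. A route later inserted above the guard would be reachable by any logged-in user, and one appended below it silently becomes admin-only. Moving the guard's body into a named `requireAdmin` middleware and attaching it per route makes the requirement visible where it applies: `router.put('/:thread_id', requireAdmin, async (req, res) => {`. A logged-in non-admin currently receives 401, where 403 would describe the case more accurately. Separately, `if(req.body.locked)` treats any truthy value as a lock request, so a string such as "false" would lock the thread; if clients send JSON booleans, `await thread.update({ locked: req.body.locked === true })` avoids that.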