restrict client balance edit permissions

This commit is contained in:
Tyler Renelle 2013-01-25 14:59:32 -05:00
parent 590fa1669c
commit a02776506f

View file

@ -4,11 +4,11 @@ Setup read / write access
###
module.exports = (store) ->
store.writeAccess "*", "users.*.balance", -> # captures, value, next ->
store.writeAccess "*", "users.*.balance", (id, newBalance, next) ->
return unless @session and @session.userId # https://github.com/codeparty/racer/issues/37
next = arguments[arguments.length - 1]
purchasingSomethingOnClient = newBalance < this.session.req._racerModel.get("users.#{id}.balance")
isServer = not @req.socket
next(isServer)
next(purchasingSomethingOnClient or isServer)
store.writeAccess "*", "users.*.flags.ads", -> # captures, value, next ->
return unless @session and @session.userId # https://github.com/codeparty/racer/issues/37