From b5058eb7ff8c110bc24a64d02bc42e0a9dc267f5 Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Fri, 29 Jan 2021 21:14:36 +0100
Subject: It's no secret that our code is a mess
---
secrets/index.js | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 secrets/index.js
(limited to 'secrets/index.js')
diff --git a/secrets/index.js b/secrets/index.js
new file mode 100644
index 0000000..22a6f9c
--- /dev/null
+++ b/secrets/index.js
@@ -0,0 +1,45 @@
+const express = require("express");
+const db = require("../db");
+const app = express.Router();
+const { checkUser } = require("../auth");
+
+app.use("/", checkUser, express.static(__dirname + "/public"));
+
+app.post("/api/add", checkUser, async (req, res) => {
+ if (!req.body.secret) return res.send("error");
+ try {
+ await db.query("INSERT INTO secrets (user_id, secret) VALUE (?,?)", [
+ req.session.uid,
+ req.body.secret.replace(//g, ">"),
+ ]);
+ res.redirect("/secrets");
+ } catch (e) {
+ console.error(e);
+ res.json("error");
+ }
+});
+
+app.get("/api/list", checkUser, async (req, res) => {
+ const secrets = await db.query(
+ "SELECT s.id, s.secret, c.name class, (s.user_id = ? OR ?) AS owner FROM secrets s INNER JOIN users u ON u.id = s.user_id INNER JOIN class c ON c.id = u.class_id",
+ [req.session.uid, req.session.isSuperAdmin || false],
+ );
+ res.json(secrets);
+});
+
+app.delete("/api/delete/:id", checkUser, async (req, res) => {
+ if (!req.params.id) return res.send("error");
+ try {
+ await db.query("DELETE FROM secrets WHERE id = ? AND (user_id = ? OR ?)", [
+ req.params.id,
+ req.session.uid,
+ req.session.isSuperAdmin || false,
+ ]);
+ res.send("ok");
+ } catch (e) {
+ console.error(e);
+ res.send("error");
+ }
+});
+
+module.exports = app;
-- 
cgit v1.2.3
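Review bot: `/api/list` is the only handler in this hunk that awaits `db.query` outside a try/catch, so a rejected query becomes an unhandled promise rejection and, unless the Express version in use forwards async errors to error middleware (Express 4 does not), a request that never receives a response; wrapping it the way the sibling `/api/add` and `/api/delete` handlers do fixes both. Separately, as rendered the sanitisation in `/api/add` reads `req.body.secret.replace(//g, ">")`, an empty-pattern regex that changes nothing — this looks like `<`/`&lt;` being stripped by the HTML renderer rather than the committed code, but it is worth confirming the committed line escapes both `<` and `>`, and note that escaping at storage time rather than at output leaves entity-encoded text in the database for any non-HTML consumer. Also note that the SELECT in `/api/list` returns every row of `secrets` to any user who passes `checkUser`; the `owner` column only marks ownership, so if secrets are meant to be private the query needs a `WHERE s.user_id = ? OR ?` filter like the one `/api/delete` already applies. Finally, every failure path answers with HTTP 200 and the body `"error"`; `res.status(400)` for the missing-field case and `res.status(500)` in the catch blocks would let clients tell failures apart.
```javascript
app.get("/api/list", checkUser, async (req, res) => {
  try {
    // … unchanged: the SELECT with the owner flag and its parameters …
    const secrets = await db.query(/* unchanged */);
    res.json(secrets);
  } catch (e) {
    console.error(e);
    res.json("error");
  }
});
```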