From 028d2247263456bc13c718bdff243dddb6f6843f Mon Sep 17 00:00:00 2001
From: Paul Bienkowski <pb@opatut.de>
Date: Wed, 2 Dec 2020 18:29:39 +0100
Subject: [PATCH] feat: show publicTrackData if track is visible but you are
 not author, change /api/tracks/:slug/TrackData to .../data

---
 src/models/Track.js      |  4 ++++
 src/routes/api/tracks.js | 12 ++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/models/Track.js b/src/models/Track.js
index e4e0131..dfb24e7 100644
--- a/src/models/Track.js
+++ b/src/models/Track.js
@@ -53,6 +53,10 @@ class Track extends mongoose.Model {
     return false;
   }
 
+  isVisibleToPrivate(user) {
+    return user._id.equals(this.author._id);
+  }
+
   /**
    * Fills the trackData and publicTrackData with references to correct
    * TrackData objects.  For now, this is either the same, or publicTrackData
diff --git a/src/routes/api/tracks.js b/src/routes/api/tracks.js
index caea62d..b6a4dcf 100644
--- a/src/routes/api/tracks.js
+++ b/src/routes/api/tracks.js
@@ -414,14 +414,22 @@ router.delete(
 
 // return an track's trackData
 router.get(
-  '/:track/TrackData',
+  '/:track/data',
   auth.optional,
   wrapRoute(async (req, res) => {
     if (!req.track.isVisibleTo(req.user)) {
       return res.sendStatus(403);
     }
 
-    const trackData = await TrackData.findById(req.track.trackData);
+    let trackData;
+
+    if (req.track.isVisibleToPrivate(req.user)) {
+      trackData = await TrackData.findById(req.track.trackData);
+    } else if (!req.track.publicTrackData) {
+      return res.sendStatus(403);
+    } else {
+      trackData = await TrackData.findById(req.track.publicTrackData);
+    }
 
     return res.json({ trackData });
   }),