Requires Admin access to hit api routes

Author: jholleran

routes/api.js

@@ -1,18 +1,32 @@
+'use strict';
+
 ////////////////
 // dependices
 var express = require('express');
 var router = express.Router();
 var debug = require('debug')('niche-store');
 var db = require('../db');
 
-router.get('/products', function(req, res, next) {
+/**
+ * Only allows the route to be accessed if the user is an admin.
+ */
+function requireAdmin(req, res, next) {
+  if (!req.session.user || !req.session.user.isAdmin) {
+    debug('Permission denied: %j', req.session.user);
+    return next(new Error("Permission denied."));
+  }
+
+  next();
+}
+
+router.get('/products', requireAdmin, function(req, res, next) {;
   db.Product.find(function(err, products) {
     if (err) return next(err);
     res.send(products);
   });
 });
 
-router.get('/products/:slug', function(req, res, next) {
+router.get('/products/:slug', requireAdmin, function(req, res, next) {
   db.Product.findOne({'slug' : req.params.slug})
     .exec(function(err, product) {
       if (err) return next(err);