From da79e4f229eb2d44bae9f9e4d4b9399911264a2e Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Mon, 2 May 2016 14:54:20 -0700
Subject: [PATCH] only admin can view activity logs
---
 src/server.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/server.js b/src/server.js
index 6310e009a..23cf59b02 100644
--- a/src/server.js
+++ b/src/server.js
@@ -178,12 +178,12 @@ function initializeExpressSync() {
 router.post('/api/v1/settings/admin_certificate', settingsScope, routes.settings.setAdminCertificate);

 // eventlog route
- router.get('/api/v1/eventlog', settingsScope, routes.eventlog.get);
+ router.get('/api/v1/eventlog', settingsScope, routes.user.requireAdmin, routes.eventlog.get);

 // backup routes
 router.get ('/api/v1/backups', settingsScope, routes.backups.get);
 router.post('/api/v1/backups', settingsScope, routes.backups.create);
- router.get ('/api/v1/backups/:backupId', appsScope, routes.user.requireAdmin, routes.backups.download);
+ router.get ('/api/v1/backups/:backupId', appsScope, routes.user.requireAdmin, routes.backups.download);

 // disable server timeout. we use the timeout middleware to handle timeouts on a route level
 httpServer.setTimeout(0);
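Review bot: The admin check is added only to `/api/v1/eventlog`, while context lines in this hunk show `POST /api/v1/settings/admin_certificate` and `GET`/`POST /api/v1/backups` still guarded by `settingsScope` alone. The change implies `settingsScope` does not by itself limit a route to admins, so those routes may have the same gap unless their handlers check the role internally, which is not visible here. If they are meant to be admin-only, add the same middleware, e.g. `router.post('/api/v1/backups', settingsScope, routes.user.requireAdmin, routes.backups.create);`. The commit changes only src/server.js; a test asserting that a non-admin user is rejected on the eventlog route would guard against regression. `initializeExpressSync` begins and ends outside the hunk, so its other routes were not reviewed.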