bin loading restricted for private bins but unrestricted for public bins

node/server.js

@@ -41,11 +41,16 @@ router.post('/load-notes', (req, res)=>{
 
 const load_bin_stmt =
   "SELECT b.id, b.name FROM bin AS b"
+    +" FULL JOIN bin_user AS bu" // we want the bin regardless of whether it has an associated user, hence LEFT JOIN
+    +" ON bu.bin_id = b.id"
+    +" INNER JOIN session AS s"
+    +" ON (bu.bin_id IS NULL) OR (s.id = $2 AND s.user_id = bu.user_id)"
   +" WHERE b.id = $1";
-// {bin_id}
 router.post('/load-bin', (req, res)=>{
-  const bin_id = req.body.bin_id;
-  db.query(load_bin_stmt, [bin_id])
+  const {bin_id, session_id} = req.body;
+  // if a bin has no associated user, it's considered public and can be accessed even when not logged-in.
+  // if a bin has an associated user, it can only be accessed by that user
+  db.query(load_bin_stmt, [bin_id, session_id])
     .then(result => {
       const bin = result.rows[0];
       // if a bin with given id was found:
@@ -53,7 +58,7 @@ router.post('/load-bin', (req, res)=>{
         res.json({success:true, bin:{id:bin.id, name:bin.name}});
         }
       else{
-        res.json({success:false, bin:{id:bin_id, name:bin_id}});
+        res.json({success:true, bin:{id:bin_id, name:bin_id}});
         }
       });
   // {status: 'ok', bin:{id:bin.id}, notes: bin.notes}