[fix] adds checks for parent note is public or user is team member

src/presentation/http/middlewares/note/useNoteResolver.ts

@@ -4,7 +4,7 @@ import { notEmpty } from '@infrastructure/utils/empty.js';
 import { StatusCodes } from 'http-status-codes';
 import hasProperty from '@infrastructure/utils/hasProperty.js';
 import { getLogger } from '@infrastructure/logging/index.js';
-import type { Note, NotePublicId, NoteInternalId } from '@domain/entities/note.js';
+import type { Note, NotePublicId } from '@domain/entities/note.js';
 
 /**
  * Add middleware for resolve Note by public id and add it to request
@@ -35,10 +35,6 @@ export default function useNoteResolver(noteService: NoteService): {
       const publicId = requestData.notePublicId as NotePublicId;
 
       return await noteService.getNoteByPublicId(publicId);
-    } else if (hasProperty(requestData, 'parentNoteId') && notEmpty(requestData.parentNoteId)) {
-      const noteId = requestData.parentNoteId as NoteInternalId;
-
-      return await noteService.getNoteById(noteId);
     }
   }
 

src/presentation/http/router/noteList.ts

@@ -1,8 +1,5 @@
 import type { FastifyPluginCallback } from 'fastify';
 import type NoteService from '@domain/service/note.js';
-import useNoteResolver from '../middlewares/note/useNoteResolver.js';
-import useNoteSettingsResolver from '../middlewares/noteSettings/useNoteSettingsResolver.js';
-import useMemberRoleResolver from '../middlewares/noteSettings/useMemberRoleResolver.js';
 import type NoteSettingsService from '@domain/service/noteSettings.js';
 import { definePublicNote, type NotePublic } from '@domain/entities/notePublic.js';
 import type { NoteListPublic } from '@domain/entities/noteList.js';
@@ -34,24 +31,6 @@ const NoteListRouter: FastifyPluginCallback<NoteListRouterOptions> = (fastify, o
   const noteService = opts.noteService;
   const noteSettingsService = opts.noteSettingsService;
 
-  /**
-   * Prepare note id resolver middleware
-   * It should be used in routes that accepts note public id
-   */
-  const { noteResolver } = useNoteResolver(noteService);
-
-  /**
-   * Prepare note settings resolver middleware
-   * It should be used to use note settings in middlewares
-   */
-  const { noteSettingsResolver } = useNoteSettingsResolver(noteSettingsService);
-
-  /**
-   * Prepare user role resolver middleware
-   * It should be used to use user role in middlewares
-   */
-  const { memberRoleResolver } = useMemberRoleResolver(noteSettingsService);
-
   /**
    * Get note list ordered by time of last visit
    */
@@ -120,7 +99,6 @@ const NoteListRouter: FastifyPluginCallback<NoteListRouterOptions> = (fastify, o
     config: {
       policy: [
         'authRequired',
-        'notePublicOrUserInTeam',
       ],
     },
     schema: {
@@ -148,15 +126,26 @@ const NoteListRouter: FastifyPluginCallback<NoteListRouterOptions> = (fastify, o
         },
       },
     },
-    preHandler: [
-      noteResolver,
-      noteSettingsResolver,
-      memberRoleResolver,
-    ],
   }, async (request, reply) => {
     const { parentNoteId } = request.params;
+    const userId = request.userId as number;
     const { page } = request.query;
 
+    /**
+     * Fetching note settings from noteSetting service
+     */
+    const noteSettings = await noteSettingsService.getNoteSettingsByNoteId(parentNoteId);
+
+    if (!noteSettings.isPublic) {
+      const isTeamMember = noteSettings.team?.find(team => team.userId === userId);
+
+      /**
+       * Checks if the user is a member of the team
+       */
+      if (!isTeamMember) {
+        return reply.forbidden();
+      }
+    }
     const noteList = await noteService.getNoteListByParentNote(parentNoteId, page);
     /**
      * Wrapping Notelist for public use

src/repository/storage/postgres/orm/sequelize/teams.ts

@@ -192,7 +192,7 @@ export default class TeamsSequelizeStorage {
 
     return await this.model.findAll({
       where: { noteId },
-      attributes: ['id', 'role'],
+      attributes: ['id', 'role', 'userId'],
       include: {
         model: this.userModel,
         as: 'user',