Expand authorization validation for Project CRUD operations

hackforla · Mar 31, 2020 · 0241a87 · 0241a87
1 parent beb16a7
commit 0241a87
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 157 deletions.
diff --git a/app/controllers/playground.controller.js b/app/controllers/playground.controller.js
diff --git a/app/controllers/project.controller.js b/app/controllers/project.controller.js
@@ -24,6 +24,10 @@ const getById = async (req, res) => {
 
 const post = async (req, res) => {
   try {
+    if (!isAuthorizedUser(req) && !isAdmin(req)) {
+      res.status(403).send("You can only create your own projects.");
+    }
+
     const response = await projectService.post(req.body);
     res.status(201).json(response);
   } catch (err) {
@@ -33,9 +37,10 @@ const post = async (req, res) => {
 
 const put = async (req, res) => {
   try {
-    if (req.user.id !== req.body.loginId) {
+    if (!isAuthorizedUser(req) && !isAdmin(req)) {
       res.status(403).send("You can only make changes to your own projects.");
     }
+
     await projectService.put(req.body);
     res.sendStatus(200);
   } catch (err) {
@@ -45,13 +50,27 @@ const put = async (req, res) => {
 
 const del = async (req, res) => {
   try {
+    if (!isAuthorizedUser(req) && !isAdmin(req)) {
+      res.status(403).send("You can only delete your own projects.");
+    }
+
     await projectService.del(req.user.id, req.params.id);
     res.sendStatus(200);
   } catch (err) {
     res.status(500).send(err);
   }
 };
 
+// HELPER FUNCTIONS:
+const isAdmin = req => (req.user.isAdmin ? true : false);
+
+const isAuthorizedUser = req => {
+  const loginIdOfCurrentUser = req.user.id;
+  const loginIdInRequestBody = req.body.loginId;
+
+  return loginIdOfCurrentUser === loginIdInRequestBody ? true : false;
+};
+
 module.exports = {
   getAll,
   getById,

diff --git a/app/routes/index.js b/app/routes/index.js
@@ -4,7 +4,6 @@ const calculationRoutes = require("./calculation.routes");
 const ruleRoutes = require("./rule.routes");
 const accountRoutes = require("./account.routes");
 const faqRoutes = require("./faq.routes");
-const playgroundRoutes = require("./playground.routes");
 const projectRoutes = require("./project.routes");
 
 module.exports = router;
@@ -14,15 +13,3 @@ router.use("/calculations", calculationRoutes);
 router.use("/projects", projectRoutes);
 router.use("/rules", ruleRoutes);
 router.use("/faq", faqRoutes);
-
-router.use("/playground", playgroundRoutes);
-
-// router.use(authChecker);
-
-//function authChecker(req, res, next) {
-//  if (req.session.auth || req.path === "/auth") {
-//    next();
-//  } else {
-//    res.redirect("/auth");
-//  }
-//}
diff --git a/app/routes/playground.routes.js b/app/routes/playground.routes.js
diff --git a/app/routes/project.routes.js b/app/routes/project.routes.js
@@ -8,4 +8,4 @@ router.get("/:id", jwtSession.validateUser, projectController.getById);
 router.get("/", jwtSession.validateUser, projectController.getAll);
 router.post("/", jwtSession.validateUser, projectController.post);
 router.put("/:id", jwtSession.validateUser, projectController.put);
-router.delete("/", jwtSession.validateUser, projectController.del);
+router.delete("/:id", jwtSession.validateUser, projectController.del);
diff --git a/app/services/auth.service.js b/app/services/auth.service.js
diff --git a/app/services/playground.service.js b/app/services/playground.service.js