From 032169e7bc51f9301fd33fc2aa89696523f453d1 Mon Sep 17 00:00:00 2001
From: Cassie Tarakajian
Date: Wed, 19 Sep 2018 16:09:12 -0400
Subject: [PATCH] add authorization to file routes

---
 server/controllers/file.controller.js | 33 ++++++++++++++++++++-------
 server/models/project.js              |  4 ++--
 server/server.js                      |  2 +-
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/server/controllers/file.controller.js b/server/controllers/file.controller.js
index 1ca5bc77..5c494d99 100644
--- a/server/controllers/file.controller.js
+++ b/server/controllers/file.controller.js
@@ -9,8 +9,11 @@ import { deleteObjectsFromS3, getObjectKey } from './aws.controller';
 // be fixed in mongoose soon
 // https://github.com/Automattic/mongoose/issues/4049
 export function createFile(req, res) {
-  Project.findByIdAndUpdate(
-    req.params.project_id,
+  Project.findOneAndUpdate(
+    {
+      _id: req.params.project_id,
+      user: req.user._id
+    },
     {
       $push: {
         files: req.body
@@ -19,9 +22,9 @@ export function createFile(req, res) {
     { new: true },
     (err, updatedProject) => {
-      if (err) {
+      if (err || !updatedProject) {
         console.log(err);
-        res.json({ success: false });
+        res.status(403).send({ success: false, message: 'Project does not exist, or user does not match owner.' });
         return;
       }
       const newFile = updatedProject.files[updatedProject.files.length - 1];
@@ -39,7 +42,9 @@ export function createFile(req, res) {
 }
 
 function getAllDescendantIds(files, nodeId) {
-  return files.find(file => file.id === nodeId).children
+  const parentFile = files.find(file => file.id === nodeId);
+  if (!parentFile) return [];
+  return parentFile.children
     .reduce((acc, childId) => (
       [...acc, childId, ...getAllDescendantIds(files, childId)]
     ), []);
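Review bot: The new filter object reads `req.user._id` before the query is issued, so a request with no session (`req.user` undefined) throws a TypeError inside createFile instead of receiving a response, unless the route is already behind an authentication middleware that this diff does not show. A guard at the top of the handler, `if (!req.user) { res.status(401).send({ success: false, message: 'Not signed in.' }); return; }`, turns that into a deliberate 401 rather than an unhandled error. Worth noting as well that `$push: { files: req.body }` (unchanged context) still stores the caller-supplied document verbatim, so the owner check protects the project but every field of the new file stays client-controlled. createFile continues past the end of this hunk.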
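Review bot: `if (err || !updatedProject)` folds a database error into the same 403 "does not exist, or user does not match owner" response, so a Mongo failure is reported to the client as an authorization problem, and on the genuine not-found/not-owner path `console.log(err)` just prints `null`. Keep the two outcomes apart: a non-null `err` should be logged and answered with a 500, and only a null `updatedProject` should produce the 403, whose deliberately vague wording is fine because it does not reveal whether the id exists. Both createFile and the callback it passes to findOneAndUpdate extend beyond this hunk.
```javascript
    (err, updatedProject) => {
      if (err) {
        console.error(err);
        res.status(500).send({ success: false, message: 'Could not create file.' });
        return;
      }
      if (!updatedProject) {
        res.status(403).send({ success: false, message: 'Project does not exist, or user does not match owner.' });
        return;
      }
      // … unchanged: newFile extraction and response …
```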
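Review bot: The new `parentFile` guard stops the crash on a dangling child id but not on a cyclic one: `children` is a plain `[String]` array in fileSchema (see the project.js hunk) and createFile stores it straight from `req.body`, so a file whose `children` lists its own id or an ancestor's drives this recursion into unbounded descent and a stack overflow, which on the deleteFile path is a request-triggered process crash. Thread a visited set through the recursion: `function getAllDescendantIds(files, nodeId, visited = new Set())`, tighten the guard to `if (!parentFile || visited.has(nodeId)) return [];` followed by `visited.add(nodeId);`, and pass `visited` as the third argument in the recursive call inside the reduce. Existing callers are unaffected because the new parameter defaults.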
@@ -75,12 +80,24 @@ function deleteChild(files, parentId, id) {
 
 export function deleteFile(req, res) {
   Project.findById(req.params.project_id, (err, project) => {
+    if (!project) {
+      res.status(404).send({ success: false, message: 'Project does not exist.' });
+    }
+    if (!project.user.equals(req.user._id)) {
+      res.status(403).send({ success: false, message: 'Session does not match owner of project.' });
+      return;
+    }
+
+    // make sure file exists for project
+    const fileToDelete = project.files.find(file => file.id === req.params.file_id);
+    if (!fileToDelete) {
+      res.status(404).send({ success: false, message: 'File does not exist in project.' });
+      return;
+    }
+
     const idsToDelete = getAllDescendantIds(project.files, req.params.file_id);
     deleteMany(project.files, [req.params.file_id, ...idsToDelete]);
     project.files = deleteChild(project.files, req.query.parentId, req.params.file_id);
-    // project.files.id(req.params.file_id).remove();
-    // const childrenArray = project.files.id(req.query.parentId).children;
-    // project.files.id(req.query.parentId).children = childrenArray.filter(id => id !== req.params.file_id);
     project.save((innerErr) => {
       res.json(project.files);
     });
diff --git a/server/models/project.js b/server/models/project.js
index ac70fc5b..c1a255d8 100644
--- a/server/models/project.js
+++ b/server/models/project.js
@@ -11,7 +11,7 @@ const fileSchema = new Schema({
   children: { type: [String], default: [] },
   fileType: { type: String, default: 'file' },
   isSelectedFile: { type: Boolean }
-}, { timestamps: true, _id: true });
+}, { timestamps: true, _id: true, usePushEach: true });
 
 fileSchema.virtual('id').get(function getFileId() {
   return this._id.toHexString();
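Review bot: The `if (!project)` branch on the first added lines sends a 404 but does not `return`, so execution falls through to `project.user.equals(...)` on a null `project` and throws after the response has already been sent; add `return;` directly after that `res.status(404).send(...)`, matching the two branches below it. In the same block the callback's `err` is never inspected, so a database failure now surfaces to the client as "Project does not exist." instead of a 500, and `req.user._id` is dereferenced without a null check, which is only safe if this route sits behind an authentication middleware not shown in the diff. Note also that the 404 is emitted before the ownership check, so any caller can confirm whether an arbitrary project id exists, whereas createFile in this same patch deliberately conflates missing and not-owned. deleteFile's closing braces lie outside the hunk.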
@@ -28,7 +28,7 @@ const projectSchema = new Schema({
   files: { type: [fileSchema] },
   _id: { type: String, default: shortid.generate },
   slug: { type: String }
-}, { timestamps: true });
+}, { timestamps: true, usePushEach: true });
 
 projectSchema.virtual('id').get(function getProjectId() {
   return this._id;
diff --git a/server/server.js b/server/server.js
index 395e37b8..a6d2c4bb 100644
--- a/server/server.js
+++ b/server/server.js
@@ -84,8 +84,8 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use('/api', requestsOfTypeJSON(), users);
 app.use('/api', requestsOfTypeJSON(), sessions);
-app.use('/api', requestsOfTypeJSON(), projects);
 app.use('/api', requestsOfTypeJSON(), files);
+app.use('/api', requestsOfTypeJSON(), projects);
 app.use('/api', requestsOfTypeJSON(), aws);
 app.use(assetRoutes);
 // this is supposed to be TEMPORARY -- until i figure out
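Review bot: Moving `files` ahead of `projects` on the same `/api` mount only changes behaviour if the two routers declare overlapping paths, so the swap silently encodes an ordering dependency that the next tidy-up will break without any test failing here. A one-line comment above the pair, `// NOTE: files is mounted before projects on purpose — their routes overlap and Express takes the first match`, makes the constraint visible; if the routers do not in fact overlap, the reorder is a no-op and the comment can say so instead. The reason is not stated anywhere in this diff, so the wording above is my inference and should be confirmed against the two route files.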