add authorization to file routes

This commit is contained in:
Cassie Tarakajian 2018-09-19 16:09:12 -04:00
parent 51116bf0d0
commit 032169e7bc
3 changed files with 28 additions and 11 deletions


@ -9,8 +9,11 @@ import { deleteObjectsFromS3, getObjectKey } from './aws.controller';
// be fixed in mongoose soon
// https://github.com/Automattic/mongoose/issues/4049
export function createFile(req, res) {
Project.findByIdAndUpdate(
req.params.project_id,
Project.findOneAndUpdate(
{
_id: req.params.project_id,
user: req.user._id
},
{
$push: {
files: req.body
@ -19,9 +22,9 @@ export function createFile(req, res) {
{
new: true
}, (err, updatedProject) => {
if (err) {
if (err || !updatedProject) {
console.log(err);
res.json({ success: false });
res.status(403).send({ success: false, message: 'Project does not exist, or user does not match owner.' });
return;
}
const newFile = updatedProject.files[updatedProject.files.length - 1];
@ -39,7 +42,9 @@ export function createFile(req, res) {
}
function getAllDescendantIds(files, nodeId) {
return files.find(file => file.id === nodeId).children
const parentFile = files.find(file => file.id === nodeId);
if (!parentFile) return [];
return parentFile.children
.reduce((acc, childId) => (
[...acc, childId, ...getAllDescendantIds(files, childId)]
), []);
@ -75,12 +80,24 @@ function deleteChild(files, parentId, id) {
export function deleteFile(req, res) {
Project.findById(req.params.project_id, (err, project) => {
if (!project) {
res.status(404).send({ success: false, message: 'Project does not exist.' });
}
if (!project.user.equals(req.user._id)) {
res.status(403).send({ success: false, message: 'Session does not match owner of project.' });
return;
}
// make sure file exists for project
const fileToDelete = project.files.find(file => file.id === req.params.file_id);
if (!fileToDelete) {
res.status(404).send({ success: false, message: 'File does not exist in project.' });
return;
}
const idsToDelete = getAllDescendantIds(project.files, req.params.file_id);
deleteMany(project.files, [req.params.file_id, ...idsToDelete]);
project.files = deleteChild(project.files, req.query.parentId, req.params.file_id);
// project.files.id(req.params.file_id).remove();
// const childrenArray = project.files.id(req.query.parentId).children;
// project.files.id(req.query.parentId).children = childrenArray.filter(id => id !== req.params.file_id);
project.save((innerErr) => {
res.json(project.files);
});
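Review bot: The `if (!project)` branch in deleteFile sends the 404 but does not `return`, so a missing project falls straight through into `project.user.equals(...)` on `null` and throws inside the Mongoose callback after a response has already been sent; add `return;` after the `res.status(404).send(...)` line, as the 403 branch below it already does. The callback's `err` argument is never inspected in either handler, so a database failure in deleteFile surfaces as "Project does not exist" and in createFile as a 403 "user does not match owner" — consider `if (err) { res.status(500).send({ success: false }); return; }` ahead of the null/ownership checks. Both handlers also dereference `req.user._id` unconditionally; unless these routes sit behind an authentication middleware that is not visible here, an anonymous request throws a TypeError instead of receiving a 401. deleteFile's body continues past the end of this hunk.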


@ -11,7 +11,7 @@ const fileSchema = new Schema({
children: { type: [String], default: [] },
fileType: { type: String, default: 'file' },
isSelectedFile: { type: Boolean }
}, { timestamps: true, _id: true });
}, { timestamps: true, _id: true, usePushEach: true });
fileSchema.virtual('id').get(function getFileId() {
return this._id.toHexString();
@ -28,7 +28,7 @@ const projectSchema = new Schema({
files: { type: [fileSchema] },
_id: { type: String, default: shortid.generate },
slug: { type: String }
}, { timestamps: true });
}, { timestamps: true, usePushEach: true });
projectSchema.virtual('id').get(function getProjectId() {
return this._id;
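Review bot: `usePushEach: true` is added to both schemas without a comment saying why it is needed, while the only explanation in this commit (the "be fixed in mongoose soon" note with the Automattic/mongoose issue link) lives in the files.controller header, so a reader of the model file cannot connect the option to the `$push` it enables. Suggest a one-line comment above each option, e.g. `// usePushEach: workaround for $push with this Mongoose version, see mongoose issue #4049 (referenced in files.controller)`, so the option can be removed once that issue is resolved. Both Schema definitions start outside this section.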


@ -84,8 +84,8 @@ app.use(passport.initialize());
app.use(passport.session());
app.use('/api', requestsOfTypeJSON(), users);
app.use('/api', requestsOfTypeJSON(), sessions);
app.use('/api', requestsOfTypeJSON(), projects);
app.use('/api', requestsOfTypeJSON(), files);
app.use('/api', requestsOfTypeJSON(), projects);
app.use('/api', requestsOfTypeJSON(), aws);
app.use(assetRoutes);
// this is supposed to be TEMPORARY -- until i figure out
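Review bot: The relative order of the `files` and `projects` routers on the `/api` prefix is swapped without a comment, and the commit message does not say why; in Express the first mounted router whose path matches handles the request, so this ordering is load-bearing and will silently break if someone later re-sorts the `app.use` lines. Add a short comment above the pair stating the intent, e.g. `// order matters: the first router whose path matches wins — keep files/projects in this order`, with the actual reason filled in. I cannot tell from this rendering which of the two `projects` lines is the new one, so the note is on the reorder itself rather than on a specific direction.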