fix: add guard that checks whether the requesting user owns the share

Elias Schneider
2022-10-10 23:34:03 +02:00
parent e818a29442
commit 2c47b2a284
6 changed files with 47 additions and 17 deletions


@@ -0,0 +1,33 @@
import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
import { Reflector } from "@nestjs/core";
import { User } from "@prisma/client";
import { Request } from "express";
import { ExtractJwt } from "passport-jwt";
import { PrismaService } from "src/prisma/prisma.service";
import { ShareService } from "src/share/share.service";
@Injectable()
export class ShareOwnerGuard implements CanActivate {
constructor(
private prisma: PrismaService
) {}
async canActivate(context: ExecutionContext) {
const request: Request = context.switchToHttp().getRequest();
const shareId = Object.prototype.hasOwnProperty.call(
request.params,
"shareId"
)
? request.params.shareId
: request.params.id;
const share = await this.prisma.share.findUnique({
where: { id: shareId },
include: { security: true },
});
return share.creatorId == (request.user as User).id;
}
}
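Review bot: `share` returned by `findUnique` is null when no share has that id, so `share.creatorId` on the last line of `canActivate` throws a TypeError and the request ends in a 500 rather than a 404 — and because the guard runs before the handler, the `NotFoundException` in `ShareService.remove` is no longer reachable for unknown ids. Check the lookup before comparing, e.g. `if (!share) throw new NotFoundException("Share not found");` followed by `return share.creatorId === (request.user as User).id;`, with `NotFoundException` added to the `@nestjs/common` import (under strict null checks the bare dereference would also not compile). The `ShareService`, `Reflector` and `ExtractJwt` imports are unused in this file, and `include: { security: true }` loads data the ownership check never reads. A one-line doc comment on the class would help the next reader: `/** Allows the request only if the authenticated user (set by JwtGuard, which must run first) created the share named by the :shareId or :id route param. */`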


@@ -16,6 +16,7 @@ import { MyShareDTO } from "./dto/myShare.dto";
import { ShareDTO } from "./dto/share.dto";
import { ShareMetaDataDTO } from "./dto/shareMetaData.dto";
import { SharePasswordDto } from "./dto/sharePassword.dto";
import { ShareOwnerGuard } from "./guard/shareOwner.guard";
import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
import { ShareService } from "./share.service";
@@ -50,14 +51,14 @@ export class ShareController {
}
@Delete(":id")
@UseGuards(JwtGuard)
async remove(@Param("id") id: string, @GetUser() user: User) {
await this.shareService.remove(id, user.id);
@UseGuards(JwtGuard, ShareOwnerGuard)
async remove(@Param("id") id: string) {
await this.shareService.remove(id);
}
@Post(":id/complete")
@HttpCode(202)
@UseGuards(JwtGuard)
@UseGuards(JwtGuard, ShareOwnerGuard)
async complete(@Param("id") id: string) {
return new ShareDTO().from(await this.shareService.complete(id));
}
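Review bot: `ShareOwnerGuard` reads `request.user`, so the order inside `@UseGuards(JwtGuard, ShareOwnerGuard)` on `remove` and `complete` is load-bearing — NestJS evaluates guards in the listed order, and swapping them would dereference an unset user. A short comment above each, `// JwtGuard must precede ShareOwnerGuard: the owner check reads request.user`, would keep that from being reordered later. The ownership check now lives only at the HTTP layer; any other share-mutating endpoint outside this hunk (only `remove` and `complete` are visible here) would need the same guard. `GetUser` and `User` may now be unused imports in this controller if no other handler references them — the import block is outside the hunk.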


@@ -132,15 +132,13 @@ export class ShareService {
return share;
}
async remove(shareId: string, userId: string) {
async remove(shareId: string) {
const share = await this.prisma.share.findUnique({
where: { id: shareId },
});
if (!share) throw new NotFoundException("Share not found");
if (share.creatorId != userId) throw new ForbiddenException();
await this.prisma.share.delete({ where: { id: shareId } });
}
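Review bot: `remove` no longer verifies `share.creatorId` against the caller, so this method now deletes any share by id and is only safe when invoked behind `ShareOwnerGuard`; that contract should be stated on the method, e.g. `/** Deletes the share with the given id. Ownership is NOT checked here — callers must enforce it (the controller does via ShareOwnerGuard). */`. Any other caller of `remove` that relied on the removed `ForbiddenException` path (none is visible in this hunk) would silently lose the check. The `ForbiddenException` import may be unused now if nothing else in the file throws it — the import block is outside the hunk.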