From 183624e1b1d4eef54f1a38aa58c6c558cf7beb7d Mon Sep 17 00:00:00 2001 From: huytran17 Date: Mon, 20 May 2024 20:49:07 +0700 Subject: [PATCH] update user authrization
---
 .../src/data-access/controllers/user/user/delete-user.ts | 7 +++++++ .../src/data-access/controllers/user/user/get-user.ts | 7 +++++++ .../src/data-access/controllers/user/user/update-user.ts | 7 +++++++ .../src/data-access/controllers/user/user/upload-avatar.ts | 7 +++++++ .../data-access/controllers/user/v2/user/upload-avatar.ts | 7 +++++++ 5 files changed, 35 insertions(+)
diff --git a/core/server/src/data-access/controllers/user/user/delete-user.ts b/core/server/src/data-access/controllers/user/user/delete-user.ts
index 9a9b47d3..dd757f87 100644
--- a/core/server/src/data-access/controllers/user/user/delete-user.ts
+++ b/core/server/src/data-access/controllers/user/user/delete-user.ts
@@ -8,6 +8,7 @@ import { Request } from "express";
 import { get } from "lodash";
 import { HttpStatusCode } from "../../../../constants/http-status-code";
 import { isEmpty } from "../../../../utils/is-empty";
+import IUser from "../../../../database/interfaces/user";
 export default function makeDeleteUserController({ getUser,
@@ -26,10 +27,16 @@ export default function makeDeleteUserController({
 };
 try {
+ const { _id: user_id } = get(httpRequest, "context.user", {});
+
 const { _id } = ( get(httpRequest, "context.validated", {}) );
+ if (user_id !== _id) {
+ throw new Error("Access denied");
+ }
+
 const exists = await getUser({ _id });
 if (isEmpty(exists)) {
diff --git a/core/server/src/data-access/controllers/user/user/get-user.ts b/core/server/src/data-access/controllers/user/user/get-user.ts
index b905779f..c0aa6c07 100644
--- a/core/server/src/data-access/controllers/user/user/get-user.ts
+++ b/core/server/src/data-access/controllers/user/user/get-user.ts 
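Review bot: The new ownership check in the second delete-user.ts hunk fails open when no authenticated user is attached: `get(httpRequest, "context.user", {})` yields `user_id === undefined`, and if `context.validated` carries no `_id` either, `undefined !== _id` is false and the request continues to `getUser`. Require the caller identity explicitly, `if (user_id == null || user_id !== _id) {`, so a missing session is denied rather than compared; the same pattern is repeated in get-user.ts, update-user.ts and both upload-avatar.ts files and should be fixed in all of them, ideally through one shared helper instead of five copies. `throw new Error("Access denied")` lands in the `catch` outside this hunk, so unless that branch maps it to a 403 an authorization failure will surface with whatever generic status the catch returns; a dedicated error type or an early `HttpStatusCode` response would keep the intent visible to clients and logs. If `_id` on `context.user` is an ObjectId rather than a string, `!==` compares by reference and would reject legitimate owners, which is worth confirming against how both context values are populated. The `import IUser` added in the first hunk has no visible use in these hunks; if a type assertion was lost in rendering this is moot, otherwise it should be dropped.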
@@ -3,6 +3,7 @@ import { GetUser, IGetUserPayload } from "../../../../use-cases/user/get-user";
 import { get } from "lodash";
 import { HttpStatusCode } from "../../../../constants/http-status-code";
 import { isEmpty } from "../../../../utils/is-empty";
+import IUser from "../../../../database/interfaces/user";
 export default function makeGetUserController({ getUser,
@@ -17,10 +18,16 @@ export default function makeGetUserController({
 };
 try {
+ const { _id: user_id } = get(httpRequest, "context.user", {});
+
 const { _id } = ( get(httpRequest, "context.validated", {}) );
+ if (user_id !== _id) {
+ throw new Error("Access denied");
+ }
+
 const exists = await getUser({ _id });
 if (isEmpty(exists)) {
diff --git a/core/server/src/data-access/controllers/user/user/update-user.ts b/core/server/src/data-access/controllers/user/user/update-user.ts
index 1f5df5cb..a1330b8d 100644
--- a/core/server/src/data-access/controllers/user/user/update-user.ts
+++ b/core/server/src/data-access/controllers/user/user/update-user.ts
@@ -6,6 +6,7 @@ import { Logger } from "winston";
 import { Request } from "express";
 import { get } from "lodash";
 import { HttpStatusCode } from "../../../../constants/http-status-code";
+import IUser from "../../../../database/interfaces/user";
 export default function makeUpdateUserController({ updateUser,
@@ -22,10 +23,16 @@ export default function makeUpdateUserController({
 };
 try {
+ const { _id } = get(httpRequest, "context.user", {});
+
 const user_details = ( get(httpRequest, "context.validated", {}) );
+ if (_id !== user_details._id) {
+ throw new Error("Access denied");
+ }
+
 const updated_user = await updateUser(user_details);
 logger.verbose(`Updated user ${updated_user.email}`);
diff --git a/core/server/src/data-access/controllers/user/user/upload-avatar.ts b/core/server/src/data-access/controllers/user/user/upload-avatar.ts
index a2b704f4..4dd38e59 100644
--- a/core/server/src/data-access/controllers/user/user/upload-avatar.ts 
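Review bot: In the second update-user.ts hunk the caller identity is destructured as a bare `_id` while the sibling controllers name the same value `user_id`, and the comparison `_id !== user_details._id` reads as if one record were compared with itself. Aligning the naming, `const { _id: user_id } = get(httpRequest, "context.user", {});` and `if (user_id !== user_details._id) {`, keeps the five checks grep-able as one pattern and makes which side is the session and which is the payload obvious. The enclosing handler and its `catch` continue outside the hunk.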
+++ b/core/server/src/data-access/controllers/user/user/upload-avatar.ts
@@ -5,6 +5,7 @@ import { UpdateUser } from "../../../../use-cases/user/update-user";
 import { HttpStatusCode } from "../../../../constants/http-status-code";
 import { isEmpty } from "../../../../utils/is-empty";
 import deleteS3Object from "../../../../utils/delete-s3-object";
+import IUser from "../../../../database/interfaces/user";
 export default function makeUploadUserAvatarController({ getUser,
@@ -21,10 +22,16 @@ export default function makeUploadUserAvatarController({
 };
 try {
+ const { _id: user_id } = get(httpRequest, "context.user", {});
+
 const { _id } = ( get(httpRequest, "context.validated", {}) );
+ if (user_id !== _id) {
+ throw new Error("Access denied");
+ }
+
 const exists = await getUser({ _id });
 if (isEmpty(exists)) {
diff --git a/core/server/src/data-access/controllers/user/v2/user/upload-avatar.ts b/core/server/src/data-access/controllers/user/v2/user/upload-avatar.ts
index 5be094f4..b9de01ee 100644
--- a/core/server/src/data-access/controllers/user/v2/user/upload-avatar.ts
+++ b/core/server/src/data-access/controllers/user/v2/user/upload-avatar.ts
@@ -10,6 +10,7 @@ import { isEmpty } from "../../../../../utils/is-empty";
 import getFIleUploadedPath from "../../../../../utils/get-file-uploaded-path";
 import { IDiskUploadFile } from "../../../../../config/middlewares/disk-upload-file";
 import deleteUploadedFile from "../../../../../utils/delete-uploaded-file";
+import IUser from "../../../../../database/interfaces/user";
 export default function makeUploadUserAvatarController({ getUser,
@@ -26,10 +27,16 @@ export default function makeUploadUserAvatarController({
 };
 try {
+ const { _id: user_id } = get(httpRequest, "context.user", {});
+
 const { _id } = ( get(httpRequest, "context.validated", {}) );
+ if (user_id !== _id) {
+ throw new Error("Access denied");
+ }
+
 const exists = await getUser({ _id });
 if (isEmpty(exists)) {