update

2025-06-27 09:03:02 +02:00 · 2024-02-15 16:23:47 +01:00
parent 9053ea6c5f
commit 1891ee2067
2 changed files with 31 additions and 18 deletions
--- a/backend/apis/nodejs/api_controller.js
+++ b/backend/apis/nodejs/api_controller.js
@ -289,6 +289,7 @@ async function createOrganization(req, res){
 * PUT Request
 * Updates an Organization's details
 *
 * Required field(s): none.
 */
 async function updateOrganization(req, res){
@ -364,7 +365,7 @@ async function updateOrganization(req, res){
      return res.status(200).json({ success : "true"});
    }
    else{
-      return res.status(404).json({error : "Company either not found or not sufficient permissions"});
+      return res.status(404).json({error : "Organization either not found or not sufficient permissions"});
    }
  } 
  catch (error) {
@ -416,6 +417,7 @@ async function deleteOrganization(req, res){
 * 
 * Creates a Post belonging to an organization
 *
 * Required field(s): organization_id, content
 * @returns the inserted Post 
 */
 async function createOrganizationPost(req, res){
@ -457,6 +459,9 @@ async function createOrganizationPost(req, res){
 * GET Request
 * 
 * Obtains an organization by its identifier.
 * 
 * Required field(s): none.
 * 
 * @returns the organization.
 */
 async function getOrganization(req, res){
@ -479,30 +484,36 @@ async function getOrganization(req, res){
  }
 }
-// DELETE
+/**
 * DELETE Request
 * 
 * Deletes a Post belonging to an Organization, only if
 * the logged user is an administrator of that Organization.
 * 
 * Required field(s): none.
 */
 async function deleteOrganizationPost(req, res){
  const organizationPostIdToDelete = req.params.id;
  try{
-    knex.transaction(async (trx) => {
+    const isOrganizationAdmin = await knex('OrganizationPost')
-      // Check if user is allowed to delete the post (they must have created it)
+      .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
-      const isOrganizationAdmin = await trx('OrganizationPost')
+      .where('OrganizationPost.id', organizationPostIdToDelete)
-        .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
+      .where('OrganizationAdministrator.id_person', req.jwt.person_id)
-        .where('OrganizationPost.id', organizationPostIdToDelete)
+      .select('*')
-        .where('OrganizationAdministrator.id_person', req.jwt.person_id)
+      .first();
-        .select('*')
+
-        .first();
+      // Unexploitable TOC/TOU
-  
+      if(isOrganizationAdmin){
-      if (isOrganizationAdmin) {
+        await knex('OrganizationPost')
        await trx('OrganizationPost')
          .where('id', organizationPostIdToDelete)
          .del();
-        await trx.commit();
+        return res.status(200).json({success : true});
-        return res.status(200).json({success: true});
+      }
-      } 
+      else{
      else {
        return res.status(401).json({error : "Forbidden"});
      }
    });
  }
  catch (error) {
    console.log(error);
--- a/tutorials/1_promises.js
+++ b/tutorials/1_promises.js
@ -7,6 +7,8 @@
    callbacks:
    resolve(value) — if the job is finished successfully, with result value.
    reject(error) — if an error has occurred, error is the error object.
    Remember that Promises are not intrensically asyncronous
 */
 let promise = new Promise(function(resolve, reject) {
    setTimeout(() => resolve("done"), 500);