update

backend/apis/nodejs/src/models/organization_admin_model.js

@@ -26,20 +26,28 @@ async function isPersonAdmin (personId, organizationId) {
     .where('id_organization', organizationId)
     .select('*')
     .first();
-  return isPersonAdmin;
+  return !!isPersonAdmin;
 }
 
 /**
- * Add the specified Person as the Organization administrator
+ * Add the specified Person as the Organization administrator, if thr requester is already
- * @param {*} personId
+ * an administrator
+ * @param {*} personId Id of the person to add as administrator
  * @param {*} organizationId
+ * @param {*} requester Id of the person requesting the addition
  */
-async function addOrganizationAdministrator (personId, organizationId) {
+async function addOrganizationAdministrator (personId, organizationId, requester) {
-  await knex('OrganizationAdministrator')
+
+  const isPersonAdmin = await organization_admin_model.isPersonAdmin(requester, organizationId);
+  if(isPersonAdmin){
+    await knex('OrganizationAdministrator')
     .insert({
       id_person: personId,
       id_organization: organizationId
     });
+    return true;
+  }
+  return false;
 }
 
 /**

backend/apis/nodejs/src/models/organization_model.js

@@ -34,7 +34,7 @@ function organization (name, location, description, isHiring) {
 /**
  * Gets an Organization by its identifier
  * @param {*} id
- * @returns
+ * @returns the Organization
  */
 async function getOrganizationById (id) {
   const organization = await knex('Organization')
@@ -66,13 +66,13 @@ async function insertOrganization (organization, organizationAdministratorId) {
 
 /**
  * Updates an Organization specified by the OrganizationId, if and
- * only if the specified personId is one of its Administrator
+ * only if the specified requester is one of its Administrator
  * @param {*} organization
  * @param {*} organizationId
- * @param {*} personId
+ * @param {*} requester
  * @returns true if the row was updated, false otherwise
  */
-async function updateOrganizationIfAdministrator (organization, organizationId, personId) {
+async function updateOrganization (organization, organizationId, requester) {
   // // const isOrganizationAdmin = await knex('OrganizationAdministrator')
   // // .where('id_person', req.jwt.person_id)
   // // .where('id_organization', req.params.id)
@@ -107,7 +107,7 @@ async function updateOrganizationIfAdministrator (organization, organizationId,
     .whereExists(function () {
       this.select('*')
         .from('OrganizationAdministrator')
-        .where('id_person', personId)
+        .where('id_person', requester)
         .where('id_organization', organizationId);
     })
     .update(organization);
@@ -118,16 +118,16 @@ async function updateOrganizationIfAdministrator (organization, organizationId,
  * Deletes an Organization if the specified PersonId is
  * one of its administrators
  * @param {*} organizationId Id of the Organization to delete
- * @param {*} personId PersonId of the supposedly administrator
+ * @param {*} requester PersonId of the supposedly administrator
  * @returns true if the Organization was successfully deleted, false otherwise
  */
-async function deleteOrganizationIfAdmin (organizationId, personId) {
+async function deleteOrganization (organizationId, requester) {
   const numberOfDeletedRows = await knex('Organization')
     .where({ id: organizationId })
     .whereExists(function () {
       this.select('*')
         .from('OrganizationAdministrator')
-        .where('id_person', personId)
+        .where('id_person', requester)
         .where('id_organization', organizationId);
     })
     .del();
@@ -141,7 +141,6 @@ module.exports = {
   getOrganizationById,
   organization,
   insertOrganization,
-  updateOrganizationIfAdministrator,
+  updateOrganization,
-  deleteOrganizationIfAdmin,
+  deleteOrganization
-  deleteOrganizationIfAdmin
 };

backend/apis/nodejs/src/models/organization_post_model.js

@@ -44,7 +44,7 @@ async function insertOrganizationPost (organization) {
   // Non-exploitable TOC/TOU weakness
   // For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
   if (!isOrganizationAdmin) {
-    return res.status(403).json({ error: 'Forbidden' });
+    return false;
   }
 
   const organizationPost = await knex('OrganizationPost')
@@ -75,13 +75,18 @@ async function isPersonPostAdministrator (postId, personId) {
 }
 
 /**
- * Deletes the specified OrganizationPost
+ * Deletes the specified OrganizationPost if the requester is one
- * @param {*} organizationPostId
+ * of the Administrators of the Organization the Post belongs to
+ * @param {*} postId Id of the Post to delete
+ * @param {*} requester Id of the Person requesting the deletion
  */
-async function deleteOrganizationPost (organizationPostId) {
+async function deleteOrganizationPost (postId, requester) {
-  await knex('OrganizationPost')
+  if(await isPersonPostAdministrator(postId, requester)){
-    .where('id', organizationPostId)
+    return await knex('OrganizationPost')
-    .del();
+    .where('id', postId)
+    .del() == 1;
+  }
+  return false;
 }
 
 module.exports = {

backend/apis/nodejs/src/routes/organization_admin_routes.js

@@ -28,13 +28,11 @@ async function addOrganizationAdmin (req, res) {
   }
 
   try {
-    const isPersonAdmin = await organization_admin_model.isPersonAdmin(req.jwt.person_id, req.body.organization_id);
+    const success = await organization_admin_model.addOrganizationAdministrator(req.body.person_id, req.body.organization_id, req.jwt.person_id);
-    // TOC/TOU
+    if(success){
-    if (!isPersonAdmin) {
+      return res.status(200).json({ success: true });
-      return res.status(401).json({ error: 'Forbidden' });
     }
-    await organization_admin_model.addOrganizationAdministrator(req.body.person_id, req.body.organization_id);
+    return res.status(403).json({ error: 'Forbidden' });
-    return res.status(200).json({ success: true });
   } catch (error) {
     console.error(`Error in function ${addOrganizationAdmin.name}: ${error}`);
     res.status(500).json({ error: 'Internal server error' });

backend/apis/nodejs/src/routes/organization_post_routes.js

@@ -51,13 +51,13 @@ async function createOrganizationPost (req, res) {
  */
 async function deleteOrganizationPost (req, res) {
   try {
-    const isOrganizationAdmin = await organizationPostModel.isPersonPostAdministrator(req.params.id, req.jwt.person_id);
+      const success = await organizationPostModel.deleteOrganizationPost(req.params.id, req.jwt.person_id);
-    if (isOrganizationAdmin) {
+
-      await organizationPostModel.deleteOrganizationPost(req.params.id);
+      if(success){
-      return res.status(200).json({ success: true });
+        return res.status(200).json({ success: true });
-    } else {
+      }
       return res.status(401).json({ error: 'Forbidden' });
-    }
+      
   } catch (error) {
     console.error(`Error in function ${deleteOrganizationPost.name}: ${error}`);
     res.status(500).json({ error: 'Internal server error' });

backend/apis/nodejs/src/routes/organization_routes.js

@@ -68,7 +68,7 @@ async function updateOrganization (req, res) {
   }
 
   try {
-    const isUpdateSuccessful = organization_model.updateOrganizationIfAdministrator(updateOrganization, req.params.id, req.jwt.person_id);
+    const isUpdateSuccessful = organization_model.updateOrganization(updateOrganization, req.params.id, req.jwt.person_id);
     if (isUpdateSuccessful) {
       return res.status(200).json({ success: 'true' });
     } else {
@@ -88,12 +88,11 @@ async function updateOrganization (req, res) {
  */
 async function deleteOrganization (req, res) {
   try {
-    const isDeleteSuccessful = organization_model.deleteOrganizationIfAdmin(req.params.id, req.jwt.person_id);
+    const isDeleteSuccessful = organization_model.deleteOrganization(req.params.id, req.jwt.person_id);
     if (isDeleteSuccessful) {
-      return res.status(403).json({ error: 'Forbidden' });
-    } else {
       return res.status(200).json({ success: true });
     }
+    return res.status(403).json({ error: 'Forbidden' });
   } catch (error) {
     console.error(`Error in function ${deleteOrganization.name}: ${error}`);
     return res.status(500).json({ error: 'Internal server error' });