Update api_controller.js

xfarrow
2023-10-19 11:55:53 +02:00
parent bc54c35916
commit 7229af05f7


@ -281,24 +281,35 @@ async function addOrganizationAdmin(req, res){
return res.status(400).json({ error : "Invalid request"}); return res.status(400).json({ error : "Invalid request"});
} }
// Check whether I am admin try {
if(await isPersonOrganizationAdmin(req.jwt.person_id, req.body.organization_id)){ // Here we do not actually need a transaction. Two different queries,
try { // one who checks if the user is admin and one to add the user would've
// We suppose that the database has Foreign Key constraints // been sufficient and non-exploitable, but still it'd have been a
await knex('OrganizationAdministrator') // TOC/TOU weakness (https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use)
.insert({ knex.transaction(async (trx) => {
id_person: req.body.person_id, // Check if the current user is a organization's administrator
id_organization: req.body.organization_id const result = await trx('OrganizationAdministrator')
}); .where('id_person', req.jwt.person_id)
return res.status(200).json({success : true}); .where('id_organization', req.body.organization_id)
} .select('*')
catch (error) { .first();
console.error('Error while adding organization admin: ' + error);
res.status(500).json({error : "Internal server error"}); if(!result){
} return res.status(401).json({error : "Forbidden"});
} }
else {
return res.status(401).json({ error : "Forbidden"}); // We suppose that the database has Foreign Key constraints
await knex('OrganizationAdministrator')
.insert({
id_person: req.body.person_id,
id_organization: req.body.organization_id
});
return res.status(200).json({success : true});
});
}
catch (error) {
console.error('Error while adding organization admin: ' + error);
res.status(500).json({error : "Internal server error"});
} }
} }
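Review bot: The new `knex.transaction(async (trx) => { ... })` call is not awaited, so a rejection inside the callback (for example the insert failing on the foreign-key constraint the comment relies on) never reaches the surrounding `try/catch`: the client gets no response and Node reports an unhandled rejection. The insert itself still goes through `knex('OrganizationAdministrator')` rather than `trx(...)`, so it runs on a separate connection outside the transaction and the TOC/TOU window the comment says is closed is still open. The three lines to change are `await knex.transaction(async (trx) => {`, `await trx('OrganizationAdministrator')` for the insert, and `.select('*').forUpdate()` on the admin lookup so the row is locked for the duration of the transaction; even then, closing the race fully depends on the database's isolation level, which is not visible here and worth confirming. `addOrganizationAdmin` begins before this hunk, so the request-body validation that precedes the `try` is not shown.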