From 73f2b4db897dfc4edac932ecf3da2a9980ac9436 Mon Sep 17 00:00:00 2001
From: xfarrow
Date: Thu, 15 Feb 2024 16:03:42 +0100
Subject: [PATCH] update createOrganizationPost
---
 backend/apis/nodejs/api_controller.js | 100 +++++++++++++-------
 1 file changed, 52 insertions(+), 48 deletions(-)
diff --git a/backend/apis/nodejs/api_controller.js b/backend/apis/nodejs/api_controller.js
index 8de2596..4f4875e 100644
--- a/backend/apis/nodejs/api_controller.js
+++ b/backend/apis/nodejs/api_controller.js
@@ -289,7 +289,6 @@ async function createOrganization(req, res){
 * PUT Request
 * Updates an Organization's details
 *
- * @returns
 */
 async function updateOrganization(req, res){
@@ -317,34 +316,34 @@ async function updateOrganization(req, res){
 try {
- // const isOrganizationAdmin = await knex('OrganizationAdministrator')
- // .where('id_person', req.jwt.person_id)
- // .where('id_organization', req.params.id)
- // .select('*')
- // .first();
+ // // const isOrganizationAdmin = await knex('OrganizationAdministrator')
+ // // .where('id_person', req.jwt.person_id)
+ // // .where('id_organization', req.params.id)
+ // // .select('*')
+ // // .first();
- // // This introduces a Time of check Time of use weakeness
- // // which could'have been fixed by either
- // // 1) Using "whereExists", thanks to the "it's easier to ask for
- // // forgiveness than for permission" padarigm. Or,
- // // 2) Using a serializable transaction.
- // //
- // // The undersigned chose not to follow these approaches because
- // // this does not introduces any serious vulnerability. In this
- // // way it seems more readable.
+ // // // This introduces a Time of check Time of use weakeness
+ // // // which could'have been fixed by either
+ // // // 1) Using "whereExists", thanks to the "it's easier to ask for
+ // // // forgiveness than for permission" padarigm. Or,
+ // // // 2) Using a serializable transaction.
+ // // //
+ // // // The undersigned chose not to follow these approaches because
+ // // // this does not introduces any serious vulnerability. In this
+ // // // way it seems more readable.
- // if(!isOrganizationAdmin){
- // return res.status(403).json({error : "Forbidden"});
- // }
+ // // if(!isOrganizationAdmin){
+ // // return res.status(403).json({error : "Forbidden"});
+ // // }
- // await knex('Organization')
- // .where('id', req.params.id)
- // .update({
- // name: req.body.name,
- // location: req.body.location,
- // description: req.body.description,
- // is_hiring: req.body.is_hiring
- // });
+ // // await knex('Organization')
+ // // .where('id', req.params.id)
+ // // .update({
+ // // name: req.body.name,
+ // // location: req.body.location,
+ // // description: req.body.description,
+ // // is_hiring: req.body.is_hiring
+ // // });
 const updatedRows = await knex('Organization')
 .where('id', req.params.id)
@@ -374,6 +373,7 @@ async function updateOrganization(req, res){
 }
 }
+// TODO CHECK CORRECTNESS !!
 // DELETE
 async function deleteOrganization(req, res){
 const organizationIdToDelete = req.params.id;
@@ -411,7 +411,13 @@ async function deleteOrganization(req, res){
 }
 }
-// POST
+/**
+ * POST Request
+ *
+ * Creates a Post belonging to an organization
+ *
+ * @returns the inserted Post
+ */
 async function createOrganizationPost(req, res){
 // Ensure that the required fields are present before proceeding
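Review bot: The only change in this hunk is to prefix an already commented-out block with a second `//`, which keeps roughly twenty-five lines of dead code (including the stale Time-of-check/Time-of-use discussion) inside updateOrganization; delete the block instead, since version control preserves it. More importantly, the dead block is the `OrganizationAdministrator` lookup that answered 403, and the live query that follows it, `const updatedRows = await knex('Organization').where('id', req.params.id)`, carries no visible authorization; if the administrator check is not performed elsewhere in the function (its body continues outside the hunk), any authenticated caller could update any organization by id. If the check is intentionally absent for now, replace the dead code with a single tracked line, `// TODO: restore the OrganizationAdministrator authorization check before this route ships`, so the gap is recorded rather than buried in comments.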
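Review bot: The new JSDoc line `@returns the inserted Post` is inaccurate for an Express handler: createOrganizationPost writes the Post into the response and its own return value is never consumed, which is the same correction this commit already makes by dropping `@returns` from updateOrganization's comment. Suggest replacing that line with ` * Responds 200 with the inserted Post, or 403 if the caller is not an administrator of the organization`, which matches the `res.status(403)` and `res.status(200)` calls in the hunk further down (the 400 path for missing fields is outside the visible lines, so mention it only if it is confirmed there).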
@@ -420,28 +426,26 @@ async function createOrganizationPost(req, res){
 }
 try {
- knex.transaction(async (trx) => {
- // Check if the current user is a organization's administrator
- const isOrganizationAdmin = await trx('OrganizationAdministrator')
- .where('id_person', req.jwt.person_id)
- .where('id_organization', req.body.organization_id)
- .select('*')
- .first();
+ // Check if the current user is a organization's administrator
+ const isOrganizationAdmin = await knex('OrganizationAdministrator')
+ .where('id_person', req.jwt.person_id)
+ .where('id_organization', req.body.organization_id)
+ .select('*')
+ .first();
+
+ // Non-exploitable TOC/TOU weakness
+ if(!isOrganizationAdmin){
+ return res.status(403).json({error : "Forbidden"});
+ }
- if(!isOrganizationAdmin){
- return res.status(403).json({error : "Forbidden"});
- }
-
- const organizationPost = await knex('OrganizationPost')
- .insert({
- organization_id: req.body.organization_id,
- content: req.body.content,
- original_author: req.jwt.person_id
- })
- .returning('*');
-
- return res.status(200).json(organizationPost[0]);
- });
+ const organizationPost = await knex('OrganizationPost')
+ .insert({
+ organization_id: req.body.organization_id,
+ content: req.body.content,
+ original_author: req.jwt.person_id
+ })
+ .returning('*');
+ return res.status(200).json(organizationPost[0]);
 } catch (error) {
 console.log(error);