update createOrganizationPost

backend/apis/nodejs/api_controller.js

@@ -289,7 +289,6 @@ async function createOrganization(req, res){
  * PUT Request
  * Updates an Organization's details
  *
- * @returns 
  */
 async function updateOrganization(req, res){
 
@@ -317,34 +316,34 @@ async function updateOrganization(req, res){
 
   try {
 
-    // const isOrganizationAdmin = await knex('OrganizationAdministrator')
+    // // const isOrganizationAdmin = await knex('OrganizationAdministrator')
-    // .where('id_person', req.jwt.person_id)
+    // // .where('id_person', req.jwt.person_id)
-    // .where('id_organization', req.params.id)
+    // // .where('id_organization', req.params.id)
-    // .select('*')
+    // // .select('*')
-    // .first();
+    // // .first();
 
-    // // This introduces a Time of check Time of use weakeness
+    // // // This introduces a Time of check Time of use weakeness
-    // // which could'have been fixed by either
+    // // // which could'have been fixed by either
-    // // 1) Using "whereExists", thanks to the "it's easier to ask for
+    // // // 1) Using "whereExists", thanks to the "it's easier to ask for
-    // // forgiveness than for permission" padarigm. Or,
+    // // // forgiveness than for permission" padarigm. Or,
-    // // 2) Using a serializable transaction.
+    // // // 2) Using a serializable transaction.
-    // //
+    // // //
-    // // The undersigned chose not to follow these approaches because
+    // // // The undersigned chose not to follow these approaches because
-    // // this does not introduces any serious vulnerability. In this
+    // // // this does not introduces any serious vulnerability. In this
-    // // way it seems more readable.
+    // // // way it seems more readable.
 
-    // if(!isOrganizationAdmin){
+    // // if(!isOrganizationAdmin){
-    //   return res.status(403).json({error : "Forbidden"});
+    // //   return res.status(403).json({error : "Forbidden"});
-    // }
+    // // }
 
-    // await knex('Organization')
+    // // await knex('Organization')
-    // .where('id', req.params.id)
+    // // .where('id', req.params.id)
-    // .update({
+    // // .update({
-    //   name: req.body.name,
+    // //   name: req.body.name,
-    //   location: req.body.location,
+    // //   location: req.body.location,
-    //   description: req.body.description,
+    // //   description: req.body.description,
-    //   is_hiring: req.body.is_hiring
+    // //   is_hiring: req.body.is_hiring
-    // });
+    // // });
 
     const updatedRows = await knex('Organization')
     .where('id', req.params.id)
@@ -374,6 +373,7 @@ async function updateOrganization(req, res){
   }
 }
 
+// TODO CHECK CORRECTNESS !!
 // DELETE
 async function deleteOrganization(req, res){
   const organizationIdToDelete = req.params.id;
@@ -411,7 +411,13 @@ async function deleteOrganization(req, res){
   }
 }
 
-// POST
+/**
+ * POST Request
+ * 
+ * Creates a Post belonging to an organization
+ *
+ * @returns the inserted Post 
+ */
 async function createOrganizationPost(req, res){
   
   // Ensure that the required fields are present before proceeding
@@ -420,14 +426,14 @@ async function createOrganizationPost(req, res){
   }
 
   try {
-    knex.transaction(async (trx) => {
     // Check if the current user is a organization's administrator
-      const isOrganizationAdmin = await trx('OrganizationAdministrator')
+    const isOrganizationAdmin = await knex('OrganizationAdministrator')
     .where('id_person', req.jwt.person_id)
     .where('id_organization', req.body.organization_id)
     .select('*')
     .first();
     
+    // Non-exploitable TOC/TOU weakness
     if(!isOrganizationAdmin){
       return res.status(403).json({error : "Forbidden"});
     }
@@ -439,9 +445,7 @@ async function createOrganizationPost(req, res){
       original_author: req.jwt.person_id
     })
     .returning('*');
-      
     return res.status(200).json(organizationPost[0]);
-    });
   } 
   catch (error) {
     console.log(error);