update createOrganizationPost
This commit is contained in:
parent
feafda9837
commit
73f2b4db89
|
@ -289,7 +289,6 @@ async function createOrganization(req, res){
|
||||||
* PUT Request
|
* PUT Request
|
||||||
* Updates an Organization's details
|
* Updates an Organization's details
|
||||||
*
|
*
|
||||||
* @returns
|
|
||||||
*/
|
*/
|
||||||
async function updateOrganization(req, res){
|
async function updateOrganization(req, res){
|
||||||
|
|
||||||
|
@ -317,34 +316,34 @@ async function updateOrganization(req, res){
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
// const isOrganizationAdmin = await knex('OrganizationAdministrator')
|
// // const isOrganizationAdmin = await knex('OrganizationAdministrator')
|
||||||
// .where('id_person', req.jwt.person_id)
|
// // .where('id_person', req.jwt.person_id)
|
||||||
// .where('id_organization', req.params.id)
|
// // .where('id_organization', req.params.id)
|
||||||
// .select('*')
|
// // .select('*')
|
||||||
// .first();
|
// // .first();
|
||||||
|
|
||||||
// // This introduces a Time of check Time of use weakeness
|
// // // This introduces a Time of check Time of use weakeness
|
||||||
// // which could'have been fixed by either
|
// // // which could'have been fixed by either
|
||||||
// // 1) Using "whereExists", thanks to the "it's easier to ask for
|
// // // 1) Using "whereExists", thanks to the "it's easier to ask for
|
||||||
// // forgiveness than for permission" padarigm. Or,
|
// // // forgiveness than for permission" padarigm. Or,
|
||||||
// // 2) Using a serializable transaction.
|
// // // 2) Using a serializable transaction.
|
||||||
// //
|
// // //
|
||||||
// // The undersigned chose not to follow these approaches because
|
// // // The undersigned chose not to follow these approaches because
|
||||||
// // this does not introduces any serious vulnerability. In this
|
// // // this does not introduces any serious vulnerability. In this
|
||||||
// // way it seems more readable.
|
// // // way it seems more readable.
|
||||||
|
|
||||||
// if(!isOrganizationAdmin){
|
// // if(!isOrganizationAdmin){
|
||||||
// return res.status(403).json({error : "Forbidden"});
|
// // return res.status(403).json({error : "Forbidden"});
|
||||||
// }
|
// // }
|
||||||
|
|
||||||
// await knex('Organization')
|
// // await knex('Organization')
|
||||||
// .where('id', req.params.id)
|
// // .where('id', req.params.id)
|
||||||
// .update({
|
// // .update({
|
||||||
// name: req.body.name,
|
// // name: req.body.name,
|
||||||
// location: req.body.location,
|
// // location: req.body.location,
|
||||||
// description: req.body.description,
|
// // description: req.body.description,
|
||||||
// is_hiring: req.body.is_hiring
|
// // is_hiring: req.body.is_hiring
|
||||||
// });
|
// // });
|
||||||
|
|
||||||
const updatedRows = await knex('Organization')
|
const updatedRows = await knex('Organization')
|
||||||
.where('id', req.params.id)
|
.where('id', req.params.id)
|
||||||
|
@ -374,6 +373,7 @@ async function updateOrganization(req, res){
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO CHECK CORRECTNESS !!
|
||||||
// DELETE
|
// DELETE
|
||||||
async function deleteOrganization(req, res){
|
async function deleteOrganization(req, res){
|
||||||
const organizationIdToDelete = req.params.id;
|
const organizationIdToDelete = req.params.id;
|
||||||
|
@ -411,7 +411,13 @@ async function deleteOrganization(req, res){
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// POST
|
/**
|
||||||
|
* POST Request
|
||||||
|
*
|
||||||
|
* Creates a Post belonging to an organization
|
||||||
|
*
|
||||||
|
* @returns the inserted Post
|
||||||
|
*/
|
||||||
async function createOrganizationPost(req, res){
|
async function createOrganizationPost(req, res){
|
||||||
|
|
||||||
// Ensure that the required fields are present before proceeding
|
// Ensure that the required fields are present before proceeding
|
||||||
|
@ -420,28 +426,26 @@ async function createOrganizationPost(req, res){
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
knex.transaction(async (trx) => {
|
// Check if the current user is a organization's administrator
|
||||||
// Check if the current user is a organization's administrator
|
const isOrganizationAdmin = await knex('OrganizationAdministrator')
|
||||||
const isOrganizationAdmin = await trx('OrganizationAdministrator')
|
.where('id_person', req.jwt.person_id)
|
||||||
.where('id_person', req.jwt.person_id)
|
.where('id_organization', req.body.organization_id)
|
||||||
.where('id_organization', req.body.organization_id)
|
.select('*')
|
||||||
.select('*')
|
.first();
|
||||||
.first();
|
|
||||||
|
// Non-exploitable TOC/TOU weakness
|
||||||
|
if(!isOrganizationAdmin){
|
||||||
|
return res.status(403).json({error : "Forbidden"});
|
||||||
|
}
|
||||||
|
|
||||||
if(!isOrganizationAdmin){
|
const organizationPost = await knex('OrganizationPost')
|
||||||
return res.status(403).json({error : "Forbidden"});
|
.insert({
|
||||||
}
|
organization_id: req.body.organization_id,
|
||||||
|
content: req.body.content,
|
||||||
const organizationPost = await knex('OrganizationPost')
|
original_author: req.jwt.person_id
|
||||||
.insert({
|
})
|
||||||
organization_id: req.body.organization_id,
|
.returning('*');
|
||||||
content: req.body.content,
|
return res.status(200).json(organizationPost[0]);
|
||||||
original_author: req.jwt.person_id
|
|
||||||
})
|
|
||||||
.returning('*');
|
|
||||||
|
|
||||||
return res.status(200).json(organizationPost[0]);
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
catch (error) {
|
catch (error) {
|
||||||
console.log(error);
|
console.log(error);
|
||||||
|
|
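Review bot: The comment `// Non-exploitable TOC/TOU weakness` above the administrator check states a security conclusion without the reason, and the reasoning that justified it survives only as commented-out text in updateOrganization, so a reader of createOrganizationPost alone cannot tell why the gap between the `OrganizationAdministrator` lookup and the `OrganizationPost` insert is acceptable. I would spell it out in place, e.g. `// TOC/TOU: an admin revoked between this lookup and the insert below can still create one post; accepted as low impact instead of a whereExists insert or a serializable transaction.` If that window ever matters, the insert can be conditioned on an EXISTS subquery against OrganizationAdministrator, as the file's own earlier note suggests, which closes the window without reintroducing a transaction. Separately, `return res.status(200).json(organizationPost[0]);` creates a resource, so 201 would be the conventional status. createOrganizationPost starts before this hunk and its catch block continues after it.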