xfarrow/blink
0
0
Fork 0
mirror of https://github.com/xfarrow/blink synced 2025-06-27 09:03:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

update createOrganizationPost

Browse Source
This commit is contained in:
xfarrow
2024-02-15 16:03:42 +01:00
parent feafda9837
commit 73f2b4db89
1 changed files with 52 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
backend/apis/nodejs/api_controller.js
View File

@@ -289,7 +289,6 @@ async function createOrganization(req, res){
* PUT Request
* Updates an Organization's details
*
* @returns
*/
async function updateOrganization(req, res){
@@ -317,34 +316,34 @@ async function updateOrganization(req, res){
try {
// const isOrganizationAdmin = await knex('OrganizationAdministrator')
// .where('id_person', req.jwt.person_id)
// .where('id_organization', req.params.id)
// .select('*')
// .first();
// // const isOrganizationAdmin = await knex('OrganizationAdministrator')
// // .where('id_person', req.jwt.person_id)
// // .where('id_organization', req.params.id)
// // .select('*')
// // .first();
// // This introduces a Time of check Time of use weakeness
// // which could'have been fixed by either
// // 1) Using "whereExists", thanks to the "it's easier to ask for
// // forgiveness than for permission" padarigm. Or,
// // 2) Using a serializable transaction.
// //
// // The undersigned chose not to follow these approaches because
// // this does not introduces any serious vulnerability. In this
// // way it seems more readable.
// // // This introduces a Time of check Time of use weakeness
// // // which could'have been fixed by either
// // // 1) Using "whereExists", thanks to the "it's easier to ask for
// // // forgiveness than for permission" padarigm. Or,
// // // 2) Using a serializable transaction.
// // //
// // // The undersigned chose not to follow these approaches because
// // // this does not introduces any serious vulnerability. In this
// // // way it seems more readable.
// if(!isOrganizationAdmin){
// return res.status(403).json({error : "Forbidden"});
// }
// // if(!isOrganizationAdmin){
// // return res.status(403).json({error : "Forbidden"});
// // }
// await knex('Organization')
// .where('id', req.params.id)
// .update({
// name: req.body.name,
// location: req.body.location,
// description: req.body.description,
// is_hiring: req.body.is_hiring
// });
// // await knex('Organization')
// // .where('id', req.params.id)
// // .update({
// // name: req.body.name,
// // location: req.body.location,
// // description: req.body.description,
// // is_hiring: req.body.is_hiring
// // });
const updatedRows = await knex('Organization')
.where('id', req.params.id)
@@ -374,6 +373,7 @@ async function updateOrganization(req, res){
}
}
// TODO CHECK CORRECTNESS !!
// DELETE
async function deleteOrganization(req, res){
const organizationIdToDelete = req.params.id;
@@ -411,7 +411,13 @@ async function deleteOrganization(req, res){
}
}
// POST
/**
* POST Request
*
* Creates a Post belonging to an organization
*
* @returns the inserted Post
*/
async function createOrganizationPost(req, res){
// Ensure that the required fields are present before proceeding
@@ -420,14 +426,14 @@ async function createOrganizationPost(req, res){
}
try {
knex.transaction(async (trx) => {
// Check if the current user is a organization's administrator
const isOrganizationAdmin = await trx('OrganizationAdministrator')
const isOrganizationAdmin = await knex('OrganizationAdministrator')
.where('id_person', req.jwt.person_id)
.where('id_organization', req.body.organization_id)
.select('*')
.first();
// Non-exploitable TOC/TOU weakness
if(!isOrganizationAdmin){
return res.status(403).json({error : "Forbidden"});
}
@@ -439,9 +445,7 @@ async function createOrganizationPost(req, res){
original_author: req.jwt.person_id
})
.returning('*');
return res.status(200).json(organizationPost[0]);
});
}
catch (error) {
console.log(error);