xfarrow
/
blink
mirror of https://github.com/xfarrow/blink
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

updateOrganization update

This commit is contained in:
xfarrow 2024-02-16 21:43:10 +01:00
parent 91eb4d4b56
commit 9e4e268212
1 changed files with 20 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
backend/apis/nodejs/api_controller.js
View File

@ -374,37 +374,33 @@ async function updateOrganization(req, res){
}
}
// TODO CHECK CORRECTNESS !!
// DELETE
/**
* DELETE Request
*
* Deletes the specified organization if the logged user is
* one of its administrator
*/
async function deleteOrganization(req, res){
const organizationIdToDelete = req.params.id;
try {
// Here we do not actually need a transaction. Two different queries,
// one who checks if the user is admin and one to delete the organization would've
// been sufficient and non-exploitable, but still it'd have been a
// TOC/TOU weakness (https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).
// Whether a good practice or not is matter of debate.
// There are other points in the code using the same technique to address the same
// problem
knex.transaction(async (trx) => {
// Check if the current user is a organization's administrator
const isOrganizationAdmin = await trx('OrganizationAdministrator')
.where('id_person', req.jwt.person_id)
.where('id_organization', req.body.organization_id)
.select('*')
.first();
if(!isOrganizationAdmin){
return res.status(403).json({error : "Forbidden"});
}
const isOrganizationAdmin = await knex('OrganizationAdministrator')
.where('id_person', req.jwt.person_id)
.where('id_organization', organizationIdToDelete)
.select('*')
.first();
await knex('Organization')
.where({ id: organizationIdToDelete })
.del();
// Potential TOCTOU weakeness not to be worried about
if(!isOrganizationAdmin){
return res.status(403).json({error : "Forbidden"});
}
return res.status(200).json({success: true});
});
await knex('Organization')
.where({ id: organizationIdToDelete })
.del();
return res.status(200).json({success: true});
}
catch (error) {
console.error(error);