create organization_model

2024-02-23 11:49:10 +01:00 · 2024-02-23 11:49:10 +01:00 · dadaa374bb
parent 7bd6889768
commit dadaa374bb
3 changed files with 106 additions and 39 deletions
--- a/backend/apis/nodejs/src/models/organization_model.js
+++ b/backend/apis/nodejs/src/models/organization_model.js
@ -18,15 +18,15 @@ const knex = require('../utils/knex_config');
 * @param {*} name
 * @param {*} location
 * @param {*} description
- * @param {*} is_hiring
+ * @param {*} isHiring
 * @returns
 */
-function organization (name, location, description, is_hiring) {
+function organization (name, location, description, isHiring) {
  const organization = {
    name,
    location,
    description,
-    is_hiring
+    isHiring
  };
  return organization;
 }
@ -99,7 +99,7 @@ async function updateOrganizationIfAdministrator (organization, organizationId,
  // //   name: req.body.name,
  // //   location: req.body.location,
  // //   description: req.body.description,
-  // //   is_hiring: req.body.is_hiring
+  // //   is_hiring: req.body.isHiring
  // // });

  const numberOfUpdatedRows = await knex('Organization')
--- a/backend/apis/nodejs/src/models/organization_post_model.js
+++ b/backend/apis/nodejs/src/models/organization_post_model.js
@ -0,0 +1,92 @@
+/*
+    This code is part of Blink
+    licensed under GPLv3
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED,  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+    IN THE SOFTWARE.
+*/
+
+const knex = require('../utils/knex_config');
+
+/**
+ * Create OrganizationPost object
+ * @param {*} organizationId
+ * @param {*} content
+ * @param {*} originalAuthor
+ */
+function organizationPost (organizationId, content, originalAuthor) {
+  const organizationPost = {
+    organization_id: organizationId,
+    content,
+    original_author: originalAuthor
+  };
+  return organizationPost;
+}
+
+/**
+ * Insert an OrganizationPost if and only if the author is
+ * one of the Organization's administrators.
+ * @param {*} organization
+ * @returns the inserted OrganizationPost
+ */
+async function insertOrganizationPost (organization) {
+  const isOrganizationAdmin = await knex('OrganizationAdministrator')
+    .where('id_person', organization.original_author)
+    .where('id_organization', organization.organization_id)
+    .select('*')
+    .first();
+
+  // Non-exploitable TOC/TOU weakness
+  // For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
+  if (!isOrganizationAdmin) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+
+  const organizationPost = await knex('OrganizationPost')
+    .insert({
+      organization_id: organization.organization_id,
+      content: organization.content,
+      original_author: organization.original_author
+    })
+    .returning('*');
+
+  return organizationPost[0];
+}
+
+/**
+ * Checks whether the specified Person is an Organization Administrator
+ * of the Organization the Post belongs to.
+ * @param {*} postId
+ * @param {*} personId
+ * @returns true or false
+ */
+async function isPersonPostAdministrator (postId, personId) {
+  return await knex('OrganizationPost')
+    .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
+    .where('OrganizationPost.id', postId)
+    .where('OrganizationAdministrator.id_person', personId)
+    .select('*')
+    .first();
+}
+
+/**
+ * Deletes the specified OrganizationPost
+ * @param {*} organizationPostId
+ */
+async function deleteOrganizationPost (organizationPostId) {
+  await knex('OrganizationPost')
+    .where('id', organizationPostId)
+    .del();
+}
+
+module.exports = {
+  organizationPost,
+  insertOrganizationPost,
+  isPersonPostAdministrator,
+  deleteOrganizationPost
+};
--- a/backend/apis/nodejs/src/routes/organization_post_routes.js
+++ b/backend/apis/nodejs/src/routes/organization_post_routes.js
@ -11,7 +11,7 @@
    IN THE SOFTWARE.
 */

-const knex = require('../utils/knex_config');
+const organizationPostModel = require('../models/organization_post_model');

 /**
   * POST Request
@ -27,28 +27,14 @@ async function createOrganizationPost (req, res) {
    return res.status(400).json({ error: 'Invalid request' });
  }

+  const organization = organizationPostModel.organizationPost(
+    req.body.organization_id,
+    req.body.content,
+    req.jwt.person_id);
+
  try {
-    // Check if the current user is a organization's administrator
-    const isOrganizationAdmin = await knex('OrganizationAdministrator')
-      .where('id_person', req.jwt.person_id)
-      .where('id_organization', req.body.organization_id)
-      .select('*')
-      .first();
-
-    // Non-exploitable TOC/TOU weakness
-    // For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
-    if (!isOrganizationAdmin) {
-      return res.status(403).json({ error: 'Forbidden' });
-    }
-
-    const organizationPost = await knex('OrganizationPost')
-      .insert({
-        organization_id: req.body.organization_id,
-        content: req.body.content,
-        original_author: req.jwt.person_id
-      })
-      .returning('*');
-    return res.status(200).json(organizationPost[0]);
+    const insertedOrganization = await organizationPostModel.insertOrganizationPost(organization);
+    return res.status(200).json(insertedOrganization);
  } catch (error) {
    console.log('Error while creating Organization Post: ' + error);
    return res.status(500).json({ error: 'Internal server error' });
@ -64,21 +50,10 @@ async function createOrganizationPost (req, res) {
 * Required field(s): none.
 */
 async function deleteOrganizationPost (req, res) {
-  const organizationPostIdToDelete = req.params.id;
-
  try {
-    const isOrganizationAdmin = await knex('OrganizationPost')
-      .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
-      .where('OrganizationPost.id', organizationPostIdToDelete)
-      .where('OrganizationAdministrator.id_person', req.jwt.person_id)
-      .select('*')
-      .first();
-
-    // Unexploitable TOC/TOU
+    const isOrganizationAdmin = await organizationPostModel.isPersonPostAdministrator(req.params.id, req.jwt.person_id);
    if (isOrganizationAdmin) {
-      await knex('OrganizationPost')
-        .where('id', organizationPostIdToDelete)
-        .del();
+      await organizationPostModel.deleteOrganizationPost(req.params.id);
      return res.status(200).json({ success: true });
    } else {
      return res.status(401).json({ error: 'Forbidden' });