From dadaa374bbd57a859abc9510a0c3e6f7c8d97f4c Mon Sep 17 00:00:00 2001
From: Alessandro Ferro <49845537+xfarrow@users.noreply.github.com>
Date: Fri, 23 Feb 2024 11:49:10 +0100
Subject: [PATCH] create organization_model

---
 .../nodejs/src/models/organization_model.js | 8 +-
 .../src/models/organization_post_model.js | 92 +++++++++++++++++++
 .../src/routes/organization_post_routes.js | 45 ++------
 3 files changed, 106 insertions(+), 39 deletions(-)
 create mode 100644 backend/apis/nodejs/src/models/organization_post_model.js

diff --git a/backend/apis/nodejs/src/models/organization_model.js b/backend/apis/nodejs/src/models/organization_model.js
index d92defc..d369622 100644
--- a/backend/apis/nodejs/src/models/organization_model.js
+++ b/backend/apis/nodejs/src/models/organization_model.js
@@ -18,15 +18,15 @@ const knex = require('../utils/knex_config');
 * @param {*} name
 * @param {*} location
 * @param {*} description
- * @param {*} is_hiring
+ * @param {*} isHiring
 * @returns
 */
-function organization (name, location, description, is_hiring) {
+function organization (name, location, description, isHiring) {
 const organization = {
 name,
 location,
 description,
- is_hiring
+ isHiring
 };
 return organization;
 }
@@ -99,7 +99,7 @@ async function updateOrganizationIfAdministrator (organization, organizationId,
 // // name: req.body.name,
 // // location: req.body.location,
 // // description: req.body.description,
- // // is_hiring: req.body.is_hiring
+ // // is_hiring: req.body.isHiring
 // // });
 const numberOfUpdatedRows = await knex('Organization')
diff --git a/backend/apis/nodejs/src/models/organization_post_model.js b/backend/apis/nodejs/src/models/organization_post_model.js
new file mode 100644
index 0000000..f442032
--- /dev/null
+++ b/backend/apis/nodejs/src/models/organization_post_model.js
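Review bot: Renaming the key of the object built by `organization()` from `is_hiring` to `isHiring` (hunk @@ -18,15) changes the property name, not only the parameter name, and the rest of this file appears to hand such objects to `knex('Organization')` with snake_case column names — the commented-out block in hunk @@ -99,7 still uses `is_hiring:` as the column key, and the new organization_post_model.js uses `organization_id`/`original_author`. If the object is inserted as-is, `isHiring` would not map to an `is_hiring` column and the value would be silently dropped or rejected, depending on the driver. I would keep the camelCase parameter but the snake_case key, `is_hiring: isHiring`, or confirm against the schema and the insert call that the column really is `isHiring`. The callers of `organization()` are outside this hunk, so this is inferred from the surrounding naming.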
@@ -0,0 +1,92 @@
+/*
+ This code is part of Blink
+ licensed under GPLv3
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
+*/
+
+const knex = require('../utils/knex_config');
+
+/**
+ * Create OrganizationPost object
+ * @param {*} organizationId
+ * @param {*} content
+ * @param {*} originalAuthor
+ */
+function organizationPost (organizationId, content, originalAuthor) {
+ const organizationPost = {
+ organization_id: organizationId,
+ content,
+ original_author: originalAuthor
+ };
+ return organizationPost;
+}
+
+/**
+ * Insert an OrganizationPost if and only if the author is
+ * one of the Organization's administrators.
+ * @param {*} organization
+ * @returns the inserted OrganizationPost
+ */
+async function insertOrganizationPost (organization) {
+ const isOrganizationAdmin = await knex('OrganizationAdministrator')
+ .where('id_person', organization.original_author)
+ .where('id_organization', organization.organization_id)
+ .select('*')
+ .first();
+
+ // Non-exploitable TOC/TOU weakness
+ // For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
+ if (!isOrganizationAdmin) {
+ return res.status(403).json({ error: 'Forbidden' });
+ }
+
+ const organizationPost = await knex('OrganizationPost')
+ .insert({
+ organization_id: organization.organization_id,
+ content: organization.content,
+ original_author: organization.original_author
+ })
+ .returning('*');
+
+ return organizationPost[0];
+}
+
+/**
+ * Checks whether the specified Person is an Organization Administrator
+ * of the Organization the Post belongs to.
+ * @param {*} postId
+ * @param {*} personId
+ * @returns true or false
+ */
+async function isPersonPostAdministrator (postId, personId) {
+ return await knex('OrganizationPost')
+ .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
+ .where('OrganizationPost.id', postId)
+ .where('OrganizationAdministrator.id_person', personId)
+ .select('*')
+ .first();
+}
+
+/**
+ * Deletes the specified OrganizationPost
+ * @param {*} organizationPostId
+ */
+async function deleteOrganizationPost (organizationPostId) {
+ await knex('OrganizationPost')
+ .where('id', organizationPostId)
+ .del();
+}
+
+module.exports = {
+ organizationPost,
+ insertOrganizationPost,
+ isPersonPostAdministrator,
+ deleteOrganizationPost
+};
diff --git a/backend/apis/nodejs/src/routes/organization_post_routes.js b/backend/apis/nodejs/src/routes/organization_post_routes.js
index 3efca8a..9266c0a 100644
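Review bot: `insertOrganizationPost` references `res`, which is not defined anywhere in organization_post_model.js (the file only requires knex), so the non-administrator branch throws a ReferenceError instead of returning; the caller in organization_post_routes.js (hunk @@ -27,28) catches it and answers 500 'Internal server error', so the 403 the old route returned for a non-admin author is gone and every authorization denial is logged as a server fault. Let the model report the authorization outcome and keep HTTP status codes in the route, e.g. `if (!isOrganizationAdmin) { return null; }` here and `if (insertedOrganization === null) { return res.status(403).json({ error: 'Forbidden' }); }` in the route before the 200 response. `isPersonPostAdministrator` is documented as returning true or false but actually returns the joined row or undefined; either return `Boolean(row)` (which also avoids leaking the administrator row to callers) or change the doc to say so. The parameter of `insertOrganizationPost` is named `organization` but holds the post object built by `organizationPost()`; `post` or `organizationPost` would read correctly.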
--- a/backend/apis/nodejs/src/routes/organization_post_routes.js
+++ b/backend/apis/nodejs/src/routes/organization_post_routes.js
@@ -11,7 +11,7 @@
 IN THE SOFTWARE.
 */
-const knex = require('../utils/knex_config');
+const organizationPostModel = require('../models/organization_post_model');
 /**
 * POST Request
@@ -27,28 +27,14 @@ async function createOrganizationPost (req, res) {
 return res.status(400).json({ error: 'Invalid request' });
 }
+ const organization = organizationPostModel.organizationPost(
+ req.body.organization_id,
+ req.body.content,
+ req.jwt.person_id);
+
 try {
- // Check if the current user is a organization's administrator
- const isOrganizationAdmin = await knex('OrganizationAdministrator')
- .where('id_person', req.jwt.person_id)
- .where('id_organization', req.body.organization_id)
- .select('*')
- .first();
-
- // Non-exploitable TOC/TOU weakness
- // For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
- if (!isOrganizationAdmin) {
- return res.status(403).json({ error: 'Forbidden' });
- }
-
- const organizationPost = await knex('OrganizationPost')
- .insert({
- organization_id: req.body.organization_id,
- content: req.body.content,
- original_author: req.jwt.person_id
- })
- .returning('*');
- return res.status(200).json(organizationPost[0]);
+ const insertedOrganization = await organizationPostModel.insertOrganizationPost(organization);
+ return res.status(200).json(insertedOrganization);
 } catch (error) {
 console.log('Error while creating Organization Post: ' + error);
 return res.status(500).json({ error: 'Internal server error' });
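Review bot: The two new locals in hunk @@ -27,28, `organization` and `insertedOrganization`, hold an OrganizationPost (the object built by `organizationPostModel.organizationPost(...)` and the row returned by `insertOrganizationPost`), not an Organization, which makes the 200 response line read as if an organization were being created. `const post = organizationPostModel.organizationPost(` and `const insertedPost = await organizationPostModel.insertOrganizationPost(post);` would match the model's own naming. The catch block still maps every failure, including the model's authorization denial, to 500; that defect is raised on the organization_post_model.js hunk. The rest of `createOrganizationPost`, including the request validation, is outside this hunk.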
@@ -64,21 +50,10 @@ async function createOrganizationPost (req, res) {
 * Required field(s): none.
 */
 async function deleteOrganizationPost (req, res) {
- const organizationPostIdToDelete = req.params.id;
-
 try {
- const isOrganizationAdmin = await knex('OrganizationPost')
- .join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
- .where('OrganizationPost.id', organizationPostIdToDelete)
- .where('OrganizationAdministrator.id_person', req.jwt.person_id)
- .select('*')
- .first();
-
- // Unexploitable TOC/TOU
+ const isOrganizationAdmin = await organizationPostModel.isPersonPostAdministrator(req.params.id, req.jwt.person_id);
 if (isOrganizationAdmin) {
- await knex('OrganizationPost')
- .where('id', organizationPostIdToDelete)
- .del();
+ await organizationPostModel.deleteOrganizationPost(req.params.id);
 return res.status(200).json({ success: true });
 } else {
 return res.status(401).json({ error: 'Forbidden' });
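Review bot: The `// Unexploitable TOC/TOU` comment that explained why the administrator check and the deletion may run as two separate queries is dropped, while the split is now wider: `isPersonPostAdministrator` and `deleteOrganizationPost` are independent model calls, and `deleteOrganizationPost(id)` itself performs no authorization, so any future caller that skips the first call deletes unconditionally. Either restore the reasoning as a comment above the new `isOrganizationAdmin` line, or make the deletion conditional in a single statement by giving the model a delete that is constrained to posts whose organization the person administrates (a `whereExists` subquery on `OrganizationAdministrator`) and returns the deleted-row count, so the route answers 403 when it is 0. The denial here still uses `res.status(401)` with body 'Forbidden' (context line) while the create path uses 403 for the same condition; aligning the two while this function is touched would make the API consistent. The closing of `deleteOrganizationPost` is outside the hunk.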