create organization_model

This commit is contained in:
Alessandro Ferro
2024-02-23 11:49:10 +01:00
parent 7bd6889768
commit dadaa374bb
3 changed files with 106 additions and 39 deletions


@@ -18,15 +18,15 @@ const knex = require('../utils/knex_config');
* @param {*} name * @param {*} name
* @param {*} location * @param {*} location
* @param {*} description * @param {*} description
* @param {*} is_hiring * @param {*} isHiring
* @returns * @returns
*/ */
function organization (name, location, description, is_hiring) { function organization (name, location, description, isHiring) {
const organization = { const organization = {
name, name,
location, location,
description, description,
is_hiring isHiring
}; };
return organization; return organization;
} }
@@ -99,7 +99,7 @@ async function updateOrganizationIfAdministrator (organization, organizationId,
// // name: req.body.name, // // name: req.body.name,
// // location: req.body.location, // // location: req.body.location,
// // description: req.body.description, // // description: req.body.description,
// // is_hiring: req.body.is_hiring // // is_hiring: req.body.isHiring
// // }); // // });
const numberOfUpdatedRows = await knex('Organization') const numberOfUpdatedRows = await knex('Organization')
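Review bot: In the `organization` factory the renamed parameter is stored with the shorthand key `isHiring`, so the returned object no longer has an `is_hiring` property, while the commented-out update code in the second hunk and the `Organization` table (presumably, the insert/update calls are outside this hunk) still use the snake_case column name; if this object is passed straight to knex, the hiring flag would silently stop being written. The sibling `organizationPost` factory added in this commit maps `organizationId` to `organization_id` explicitly, and the same mapping here keeps the database contract stable: `is_hiring: isHiring`. The JSDoc for the factory starts before the first hunk line and `updateOrganizationIfAdministrator` runs past the second, so the actual query could not be checked from here.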


@@ -0,0 +1,92 @@
/*
This code is part of Blink
licensed under GPLv3
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
*/
const knex = require('../utils/knex_config');
/**
* Create OrganizationPost object
* @param {*} organizationId
* @param {*} content
* @param {*} originalAuthor
*/
function organizationPost (organizationId, content, originalAuthor) {
const organizationPost = {
organization_id: organizationId,
content,
original_author: originalAuthor
};
return organizationPost;
}
/**
* Insert an OrganizationPost if and only if the author is
* one of the Organization's administrators.
* @param {*} organization
* @returns the inserted OrganizationPost
*/
async function insertOrganizationPost (organization) {
const isOrganizationAdmin = await knex('OrganizationAdministrator')
.where('id_person', organization.original_author)
.where('id_organization', organization.organization_id)
.select('*')
.first();
// Non-exploitable TOC/TOU weakness
// For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
if (!isOrganizationAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
const organizationPost = await knex('OrganizationPost')
.insert({
organization_id: organization.organization_id,
content: organization.content,
original_author: organization.original_author
})
.returning('*');
return organizationPost[0];
}
/**
* Checks whether the specified Person is an Organization Administrator
* of the Organization the Post belongs to.
* @param {*} postId
* @param {*} personId
* @returns true or false
*/
async function isPersonPostAdministrator (postId, personId) {
return await knex('OrganizationPost')
.join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
.where('OrganizationPost.id', postId)
.where('OrganizationAdministrator.id_person', personId)
.select('*')
.first();
}
/**
* Deletes the specified OrganizationPost
* @param {*} organizationPostId
*/
async function deleteOrganizationPost (organizationPostId) {
await knex('OrganizationPost')
.where('id', organizationPostId)
.del();
}
module.exports = {
organizationPost,
insertOrganizationPost,
isPersonPostAdministrator,
deleteOrganizationPost
};
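Review bot: In `insertOrganizationPost` the non-administrator branch does `return res.status(403).json(...)`, but `res` is neither a parameter of this model function nor otherwise in scope, so that branch throws a ReferenceError instead of producing a response. The controller that calls it (in the next file section) wraps the call in try/catch, so a refused insert presumably surfaces as a 500 "Internal server error" rather than a 403 — the check still fails closed, but only by accident and with a misleading status. The model should signal the refusal explicitly and let the controller choose the HTTP status, for example `throw Object.assign(new Error('Forbidden'), { status: 403 });`, or return `null` and have the caller map that to 403. Separately, the JSDoc of `isPersonPostAdministrator` says `@returns true or false` while the function returns the joined row or `undefined`; either wrap the query result in `Boolean(...)` or change the doc to `@returns the matching administrator row, or undefined`.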


@@ -11,7 +11,7 @@
IN THE SOFTWARE. IN THE SOFTWARE.
*/ */
const knex = require('../utils/knex_config'); const organizationPostModel = require('../models/organization_post_model');
/** /**
* POST Request * POST Request
@@ -27,28 +27,14 @@ async function createOrganizationPost (req, res) {
return res.status(400).json({ error: 'Invalid request' }); return res.status(400).json({ error: 'Invalid request' });
} }
const organization = organizationPostModel.organizationPost(
req.body.organization_id,
req.body.content,
req.jwt.person_id);
try { try {
// Check if the current user is a organization's administrator const insertedOrganization = await organizationPostModel.insertOrganizationPost(organization);
const isOrganizationAdmin = await knex('OrganizationAdministrator') return res.status(200).json(insertedOrganization);
.where('id_person', req.jwt.person_id)
.where('id_organization', req.body.organization_id)
.select('*')
.first();
// Non-exploitable TOC/TOU weakness
// For more information https://softwareengineering.stackexchange.com/questions/451038/when-should-i-be-worried-of-time-of-check-time-of-use-vulnerabilities-during-dat
if (!isOrganizationAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
const organizationPost = await knex('OrganizationPost')
.insert({
organization_id: req.body.organization_id,
content: req.body.content,
original_author: req.jwt.person_id
})
.returning('*');
return res.status(200).json(organizationPost[0]);
} catch (error) { } catch (error) {
console.log('Error while creating Organization Post: ' + error); console.log('Error while creating Organization Post: ' + error);
return res.status(500).json({ error: 'Internal server error' }); return res.status(500).json({ error: 'Internal server error' });
@@ -64,21 +50,10 @@ async function createOrganizationPost (req, res) {
* Required field(s): none. * Required field(s): none.
*/ */
async function deleteOrganizationPost (req, res) { async function deleteOrganizationPost (req, res) {
const organizationPostIdToDelete = req.params.id;
try { try {
const isOrganizationAdmin = await knex('OrganizationPost') const isOrganizationAdmin = await organizationPostModel.isPersonPostAdministrator(req.params.id, req.jwt.person_id);
.join('OrganizationAdministrator', 'OrganizationPost.organization_id', 'OrganizationAdministrator.id_organization')
.where('OrganizationPost.id', organizationPostIdToDelete)
.where('OrganizationAdministrator.id_person', req.jwt.person_id)
.select('*')
.first();
// Unexploitable TOC/TOU
if (isOrganizationAdmin) { if (isOrganizationAdmin) {
await knex('OrganizationPost') await organizationPostModel.deleteOrganizationPost(req.params.id);
.where('id', organizationPostIdToDelete)
.del();
return res.status(200).json({ success: true }); return res.status(200).json({ success: true });
} else { } else {
return res.status(401).json({ error: 'Forbidden' }); return res.status(401).json({ error: 'Forbidden' });