fix(api/slates): verify if the user sending the request is the slate's owner

2024-09-11 22:07:08 +03:00 · 2021-10-13 17:02:12 +01:00 · 2021-10-13 17:02:12 +01:00 · bd23fec9c4
commit bd23fec9c4
parent baebf96481
3 changed files with 14 additions and 0 deletions
--- a/pages/api/slates/delete.js
+++ b/pages/api/slates/delete.js
@ -20,6 +20,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_DELETE_SLATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(403).send({ decorator: "SERVER_DELETE_SLATE_SLATE_NOT_FOUND", error: true });
+  }
+
  const deleteResponse = await Data.deleteSlateById({ id: slate.id });

  if (!deleteResponse) {
--- a/pages/api/slates/remove-file.js
+++ b/pages/api/slates/remove-file.js
@ -36,6 +36,12 @@ export default async (req, res) => {
    });
  }

+  if (slate.ownerId !== id) {
+    return res
+      .status(403)
+      .send({ decorator: "SERVER_REMOVE_FROM_SLATE_SLATE_NOT_FOUND", error: true });
+  }
+
  let response = await Data.deleteSlateFiles({ slateId: slate.id, ids: fileIds });

  if (!response || response.error) {
--- a/pages/api/slates/update.js
+++ b/pages/api/slates/update.js
@ -30,6 +30,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_UPDATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(403).send({ decorator: "SERVER_UPDATE_SLATE_NOT_FOUND", error: true });
+  }
+
  if (updates.body && updates.body.length > 2000) {
    return res.status(400).send({ decorator: "SERVER_UPDATE_SLATE_MAX_BODY_LENGTH", error: true });
  }