fixed check is owner bug

2024-11-22 21:45:56 +03:00 · 2021-10-13 13:39:01 -07:00 · 2021-10-13 13:39:01 -07:00 · c28b532179
commit c28b532179
parent baebf96481
6 changed files with 36 additions and 14 deletions
--- a/common/messages.js
+++ b/common/messages.js
@ -47,6 +47,7 @@ export const error = {

  //File delete
  SERVER_REMOVE_DATA_NO_IDS: "The file to delete was not specified",
+  SERVER_REMOVE_DATA_NOT_ALLOWED: "You are not the owner of those files",

  //Save copy
  SERVER_SAVE_COPY_NO_CIDS: "The file to save was not specified",
@ -91,6 +92,7 @@ export const error = {
    "We're having difficulty locating that collection. It may have already been deleted",
  SERVER_DELETE_SLATE_FAILED:
    "We're having trouble deleting that collection right now, please try again later",
+  SERVER_DELETE_SLATE_NOT_ALLOWED: "You are not the owner of that slate",

  //Get slate
  SERVER_GET_SERIALIZED_SLATE_SLATE_NOT_FOUND:
@ -119,6 +121,7 @@ export const error = {
    "You already have a collection with that name. Collection names must be unique",
  SERVER_UPDATE_SLATE_FAILED: "We are having trouble updating that collection right now",
  SERVER_UPDATE_SLATE_MAX_BODY_LENGTH: "Descriptions can be a maximum of 2000 characters",
+  SERVER_UPDATE_SLATE_NOT_ALLOWED: "You are not the owner of that slate",

  //Create user
  SERVER_CREATE_USER_NOT_ALLOWED: "You can only create users while on slate.host",
--- a/common/user-behaviors.js
+++ b/common/user-behaviors.js
@ -166,7 +166,7 @@ export const deleteFiles = async (fileIds = [], noAlert) => {
      return false;
    }

-    Events.dispatchMessage({ message: "Files successfully deleted!", status: "INFO" });
+    Events.dispatchMessage({ message: "Successfully deleted!", status: "INFO" });

    return response;
  }
--- a/pages/api/data/delete.js
+++ b/pages/api/data/delete.js
@ -76,7 +76,13 @@ export default async (req, res) => {
  }

  // NOTE(martina): get the cids of the corresponding coverImages that are to be deleted
-  const objects = await Data.getFilesByIds({ ids });
+  let objects = await Data.getFilesByIds({ ids });
+  objects = objects.filter((file) => file.ownerId === id);
+
+  if (!objects.length) {
+    return res.status(400).send({ decorator: "SERVER_REMOVE_DATA_NOT_ALLOWED", error: true });
+  }
+  ids = objects.map((file) => file.id);
  const files = Arrays.filterFiles(objects);
  let cids = Arrays.mapToCids(files);
  let coverImageCids = [];
@ -131,6 +137,18 @@ export default async (req, res) => {
    }
  }

+  await Data.deleteFilesByIds({ ownerId: id, ids });
+
+  SearchManager.updateFile(files, "REMOVE");
+
+  ViewerManager.hydratePartial(id, { slates: true, library: true });
+
+  res.status(200).send({
+    decorator: "SERVER_REMOVE_DATA",
+    success: true,
+    bucketItems: items,
+  });
+
  if (entities.length) {
    for (let entity of entities) {
      try {
@ -150,16 +168,4 @@ export default async (req, res) => {
      }
    }
  }
-
-  await Data.deleteFilesByIds({ ownerId: id, ids });
-
-  SearchManager.updateFile(files, "REMOVE");
-
-  ViewerManager.hydratePartial(id, { slates: true, library: true });
-
-  return res.status(200).send({
-    decorator: "SERVER_REMOVE_DATA",
-    success: true,
-    bucketItems: items,
-  });
 };
--- a/pages/api/data/update.js
+++ b/pages/api/data/update.js
@ -14,6 +14,11 @@ export default async (req, res) => {
  }

  let updates = Array.isArray(req.body.data) ? req.body.data : [req.body.data];
+  let currentFiles = await Data.getFilesByIds({ ids: updates.map((file) => file.id) });
+  let idsToRemove = currentFiles.filter((file) => file.ownerId !== id).map((file) => file.id);
+  if (idsToRemove.length) {
+    updates = updates.filter((file) => !idsToRemove.includes(file.id));
+  }

  let responses = [];
  for (let update of updates) {
--- a/pages/api/slates/delete.js
+++ b/pages/api/slates/delete.js
@ -20,6 +20,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_DELETE_SLATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(403).send({ decorator: "SERVER_DELETE_SLATE_NOT_ALLOWED", error: true });
+  }
+
  const deleteResponse = await Data.deleteSlateById({ id: slate.id });

  if (!deleteResponse) {
--- a/pages/api/slates/update.js
+++ b/pages/api/slates/update.js
@ -30,6 +30,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_UPDATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(403).send({ decorator: "SERVER_UPDATE_SLATE_NOT_ALLOWED", error: true });
+  }
+
  if (updates.body && updates.body.length > 2000) {
    return res.status(400).send({ decorator: "SERVER_UPDATE_SLATE_MAX_BODY_LENGTH", error: true });
  }