patched deletion bug and other access bugs

2024-09-11 22:07:08 +03:00 · 2021-10-13 13:10:03 -07:00 · 2021-10-13 13:10:03 -07:00 · d4d12229d5
commit d4d12229d5
parent f00d477353
6 changed files with 36 additions and 14 deletions
--- a/common/messages.js
+++ b/common/messages.js
@ -47,6 +47,7 @@ export const error = {

  //File delete
  SERVER_REMOVE_DATA_NO_IDS: "The file to delete was not specified",
+  SERVER_REMOVE_DATA_NOT_ALLOWED: "You are not the owner of those files",

  //Save copy
  SERVER_SAVE_COPY_NO_CIDS: "The file to save was not specified",
@ -91,6 +92,7 @@ export const error = {
    "We're having difficulty locating that collection. It may have already been deleted",
  SERVER_DELETE_SLATE_FAILED:
    "We're having trouble deleting that collection right now, please try again later",
+  SERVER_DELETE_SLATE_NOT_ALLOWED: "You are not the owner of that slate",

  //Get slate
  SERVER_GET_SERIALIZED_SLATE_SLATE_NOT_FOUND:
@ -118,6 +120,7 @@ export const error = {
  SERVER_UPDATE_SLATE_NAME_TAKEN:
    "You already have a collection with that name. Collection names must be unique",
  SERVER_UPDATE_SLATE_FAILED: "We are having trouble updating that collection right now",
+  SERVER_UPDATE_SLATE_NOT_ALLOWED: "You are not the owner of that slate",

  //Create user
  SERVER_CREATE_USER_NOT_ALLOWED: "You can only create users while on slate.host",
--- a/common/user-behaviors.js
+++ b/common/user-behaviors.js
@ -165,7 +165,7 @@ export const deleteFiles = async (fileIds = [], noAlert) => {
      return false;
    }

-    Events.dispatchMessage({ message: "Files successfully deleted!", status: "INFO" });
+    Events.dispatchMessage({ message: "Successfully deleted!", status: "INFO" });

    return response;
  }
--- a/node_common/data/methods/update-file-by-id.js
+++ b/node_common/data/methods/update-file-by-id.js
@ -28,6 +28,10 @@ export default async ({ id, data }) => {

      let updatedFile = Serializers.getUpdatedFile(currentFile, updateObject);

+      if (currentFile.ownerId !== updatedFile.ownerId) {
+        return null;
+      }
+
      const response = await DB.from("files").where("id", id).update(updatedFile).returning("*");
      const index = response ? response.pop() : null;
      return JSON.parse(JSON.stringify(index));
--- a/pages/api/data/delete.js
+++ b/pages/api/data/delete.js
@ -79,7 +79,14 @@ export default async (req, res) => {
  }

  // NOTE(martina): get the cids of the corresponding coverImages that are to be deleted
-  const objects = await Data.getFilesByIds({ ids });
+  let objects = await Data.getFilesByIds({ ids });
+  objects = objects.filter((file) => file.ownerId === id);
+
+  if (!objects.length) {
+    return res.status(400).send({ decorator: "SERVER_REMOVE_DATA_NOT_ALLOWED", error: true });
+  }
+  ids = objects.map((file) => file.id);
+
  const files = Arrays.filterFiles(objects);
  let cids = Arrays.mapToCids(files);
  let coverImageCids = [];
@ -134,6 +141,18 @@ export default async (req, res) => {
    }
  }

+  await Data.deleteFilesByIds({ ownerId: id, ids });
+
+  SearchManager.updateFile(files, "REMOVE");
+
+  ViewerManager.hydratePartial(id, { slates: true, library: true });
+
+  res.status(200).send({
+    decorator: "SERVER_REMOVE_DATA",
+    success: true,
+    bucketItems: objects,
+  });
+
  if (entities.length) {
    for (let entity of entities) {
      try {
@ -153,16 +172,4 @@ export default async (req, res) => {
      }
    }
  }
-
-  await Data.deleteFilesByIds({ ownerId: id, ids });
-
-  SearchManager.updateFile(files, "REMOVE");
-
-  ViewerManager.hydratePartial(id, { slates: true, library: true });
-
-  return res.status(200).send({
-    decorator: "SERVER_REMOVE_DATA",
-    success: true,
-    bucketItems: items,
-  });
 };
--- a/pages/api/slates/delete.js
+++ b/pages/api/slates/delete.js
@ -20,6 +20,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_DELETE_SLATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(400).send({ decorator: "SERVER_DELETE_SLATE_NOT_ALLOWED", error: true });
+  }
+
  const deleteResponse = await Data.deleteSlateById({ id: slate.id });

  if (!deleteResponse) {
--- a/pages/api/slates/update.js
+++ b/pages/api/slates/update.js
@ -30,6 +30,10 @@ export default async (req, res) => {
    return res.status(500).send({ decorator: "SERVER_UPDATE_SLATE_NOT_FOUND", error: true });
  }

+  if (slate.ownerId !== id) {
+    return res.status(400).send({ decorator: "SERVER_UPDATE_SLATE_NOT_ALLOWED", error: true });
+  }
+
  if (typeof updates.isPublic !== "undefined" && slate.isPublic !== updates.isPublic) {
    let privacyResponse = await Data.updateSlatePrivacy({
      ownerId: id,