Fix profile edit page access control. Currently anyone logged in acce…

…ss edit page for anyone else - Fixed now
Clubs-Council-IIITH · Dec 10, 2024 · e91ab0e · e91ab0e
1 parent 199e49c
commit e91ab0e
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 43 deletions.
diff --git a/src/app/profile/[id]/edit/page.jsx b/src/app/profile/[id]/edit/page.jsx
@@ -1,8 +1,9 @@
 import { redirect, notFound } from "next/navigation";
 
 import { getClient } from "gql/client";
-import { GET_USER_PROFILE } from "gql/queries/users";
+import { GET_USER } from "gql/queries/auth";
 import { GET_MEMBERSHIPS } from "gql/queries/clubs";
+import { GET_USER_PROFILE } from "gql/queries/users";
 
 import { Container } from "@mui/material";
 
@@ -15,49 +16,47 @@ export const metadata = {
 export default async function EditProfile({ params }) {
   const { id } = params;
 
-  try {
-    // get target user
-    const { data: { userProfile, userMeta } = {} } = await getClient().query(
-      GET_USER_PROFILE,
-      {
-        userInput: {
-          uid: id,
-        },
+  // get currently logged in user
+  const {
+    data: { userMeta: currentUserMeta, userProfile: currentUserProfile } = {},
+  } = await getClient().query(GET_USER, { userInput: null });
+  const currentUser = { ...currentUserMeta, ...currentUserProfile };
+
+  // get target user
+  const { data: { userProfile, userMeta } = {} } = await getClient().query(
+    GET_USER_PROFILE,
+    {
+      userInput: {
+        uid: id,
       },
-    );
-    const user = { ...userMeta, ...userProfile };
-
-
-    // get memberships if user is a person
-    let memberships = [];
-    const {
-      data: { memberRoles },
-    } = await getClient().query(GET_MEMBERSHIPS, {
-      uid: id,
-    });
-
-    // get list of memberRoles.roles along with member.cid
-    memberships = memberRoles.reduce(
-      (cv, m) => cv.concat(m.roles.map((r) => ({ ...r, cid: m.cid }))),
-      [],
-    );
-
-    if ((memberships?.length === 0 && currentUser?.uid !== user.uid) || userProfile === null || userMeta === null) {
-      notFound();
-    }
-    // console.log(user);
-
-    // if user is a club, redirect to club edit page
-    if (user.role === "club") {
-      redirect(`/manage/clubs/${user.uid}/edit`);
     }
-
-    return (
-      <Container>
-        <UserForm defaultValues={user} action="save" />
-      </Container>
-    );
-  } catch (error) {
+  );
+  const user = { ...userMeta, ...userProfile };
+
+  if (
+    userProfile === null ||
+    userMeta === null ||
+    (currentUser?.uid !== user?.uid && currentUser?.role !== "cc") ||
+    ["club", "cc"].includes(user?.role)
+  )
     redirect("/404");
+
+  // get memberships of the user
+  const {
+    data: { memberRoles },
+  } = await getClient().query(GET_MEMBERSHIPS, {
+    uid: id,
+  });
+  if (memberRoles?.length === 0) notFound();
+
+  // if user is a club, redirect to club edit page
+  if (user.role === "club") {
+    redirect(`/manage/clubs/${user.uid}/edit`);
   }
+
+  return (
+    <Container>
+      <UserForm defaultValues={user} action="save" />
+    </Container>
+  );
 }
diff --git a/src/app/profile/[id]/page.jsx b/src/app/profile/[id]/page.jsx
@@ -96,7 +96,7 @@ export default async function Profile({ params }) {
         1. if current user is CC, or
         2. if current user is viewing their own profile and is not a club
       */}
-      {user?.role !== "club" &&
+      {!["club", "cc"].includes(user?.role) &&
       (currentUser?.role === "cc" ||
         (memberships?.length !== 0 && currentUser?.uid === user?.uid)) ? (
         <ActionPalette right={[EditUser]} />