From e91ab0e2379f0ecafc12eb2c30f9bb066eefb045 Mon Sep 17 00:00:00 2001
From: Bhav Beri
Date: Tue, 10 Dec 2024 23:21:45 +0530
Subject: [PATCH] Fix profile edit page access control. Currently anyone logged in access edit page for anyone else - Fixed now
---
 src/app/profile/[id]/edit/page.jsx | 83 +++++++++++++++---------------
 src/app/profile/[id]/page.jsx | 2 +-
 2 files changed, 42 insertions(+), 43 deletions(-)
diff --git a/src/app/profile/[id]/edit/page.jsx b/src/app/profile/[id]/edit/page.jsx
index b262a6a7..bc3661b5 100644
--- a/src/app/profile/[id]/edit/page.jsx
+++ b/src/app/profile/[id]/edit/page.jsx
@@ -1,8 +1,9 @@
 import { redirect, notFound } from "next/navigation";
 import { getClient } from "gql/client";
-import { GET_USER_PROFILE } from "gql/queries/users";
+import { GET_USER } from "gql/queries/auth";
 import { GET_MEMBERSHIPS } from "gql/queries/clubs";
+import { GET_USER_PROFILE } from "gql/queries/users";
 import { Container } from "@mui/material";
@@ -15,49 +16,47 @@ export const metadata = { export default async function EditProfile({ params }) { const { id } = params; - try { - // get target user - const { data: { userProfile, userMeta } = {} } = await getClient().query( - GET_USER_PROFILE, - { - userInput: { - uid: id, - }, + // get currently logged in user + const { + data: { userMeta: currentUserMeta, userProfile: currentUserProfile } = {}, + } = await getClient().query(GET_USER, { userInput: null }); + const currentUser = { ...currentUserMeta, ...currentUserProfile }; + + // get target user + const { data: { userProfile, userMeta } = {} } = await getClient().query( + GET_USER_PROFILE, + { + userInput: { + uid: id, }, - ); - const user = { ...userMeta, ...userProfile }; - - - // get memberships if user is a person - let memberships = []; - const { - data: { memberRoles }, - } = await getClient().query(GET_MEMBERSHIPS, { - uid: id, - }); - - // get list of memberRoles.roles along with member.cid - memberships = memberRoles.reduce( - (cv, m) => cv.concat(m.roles.map((r) => ({ ...r, cid: m.cid }))), - [], - ); - - if ((memberships?.length === 0 && currentUser?.uid !== user.uid) || userProfile === null || userMeta === null) { - notFound(); - } - // console.log(user); - - // if user is a club, redirect to club edit page - if (user.role === "club") { - redirect(`/manage/clubs/${user.uid}/edit`); } - - return ( - - - - ); - } catch (error) { + ); + const user = { ...userMeta, ...userProfile }; + + if ( + userProfile === null || + userMeta === null || + (currentUser?.uid !== user?.uid && currentUser?.role !== "cc") || + ["club", "cc"].includes(user?.role) + ) redirect("/404"); + + // get memberships of the user + const { + data: { memberRoles }, + } = await getClient().query(GET_MEMBERSHIPS, { + uid: id, + }); + if (memberRoles?.length === 0) notFound(); + + // if user is a club, redirect to club edit page + if (user.role === "club") { + redirect(`/manage/clubs/${user.uid}/edit`); } + + return ( + + + + ); } 
diff --git a/src/app/profile/[id]/page.jsx b/src/app/profile/[id]/page.jsx
index fa24f779..a2241915 100644
--- a/src/app/profile/[id]/page.jsx
+++ b/src/app/profile/[id]/page.jsx
@@ -96,7 +96,7 @@ export default async function Profile({ params }) {
 1. if current user is CC, or 2. if current user is viewing their own profile and is not a club */}
-{user?.role !== "club" &&
+{!["club", "cc"].includes(user?.role) &&
 (currentUser?.role === "cc" || (memberships?.length !== 0 && currentUser?.uid === user?.uid)) ? (
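Review bot: The explanatory comment directly above the changed line still states the old rule (`is not a club`) while the condition now also hides the edit button for a "cc" profile, so documentation and code disagree; change the second item to `2. if current user is viewing their own profile and is not a club or cc account`. The edit page in this same commit redirects on the matching `["club", "cc"].includes(user?.role)` check, and the comment should say so, so that a later change to one place is not made without the other.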