From bb29c90e183fd8e69888c09659ff70a9f807a41d Mon Sep 17 00:00:00 2001
From: Tadjaur
Date: Fri, 20 Dec 2024 07:18:29 +0100
Subject: [PATCH] Enforce returning only publick field to not owner
---
 .../src/modules/feed/controllers/getPublicFeed.ts | 2 +-
 .../modules/feed/controllers/getUserPacksFeed.ts | 8 +++++++-
 .../modules/feed/controllers/getUserTripsFeed.ts | 7 ++++++-
 server/src/modules/feed/model/feed.ts | 13 +++++++------
 server/src/modules/feed/models.ts | 3 ++-
 server/src/modules/feed/services/getFeedService.ts | 5 +++--
 .../services/favorite/getUserFavoritesService.ts | 6 ++++--
 7 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/server/src/modules/feed/controllers/getPublicFeed.ts b/server/src/modules/feed/controllers/getPublicFeed.ts
index 85804f831..01608174f 100644
--- a/server/src/modules/feed/controllers/getPublicFeed.ts
+++ b/server/src/modules/feed/controllers/getPublicFeed.ts
@@ -19,7 +19,7 @@ export function getPublicFeedRoute() {
 const { queryBy, searchTerm, excludeType, pagination } = opts.input;
 const { data, totalCount, currentPagination } = await getFeedService(
 queryBy,
- { searchTerm, isPublic: true },
+ { searchTerm, isPublic: true, authenticatedUserId: opts.ctx.user.id },
 excludeType,
 pagination,
 );
diff --git a/server/src/modules/feed/controllers/getUserPacksFeed.ts b/server/src/modules/feed/controllers/getUserPacksFeed.ts
index d419690be..3fd94a873 100644
--- a/server/src/modules/feed/controllers/getUserPacksFeed.ts
+++ b/server/src/modules/feed/controllers/getUserPacksFeed.ts
@@ -23,7 +23,13 @@ export function getUserPacksFeedRoute() {
 opts.input;
 const { data, totalCount, currentPagination } = await getFeedService(
 queryBy,
- { searchTerm, ownerId, isPublic, itemId },
+ {
+ searchTerm,
+ ownerId,
+ isPublic,
+ itemId,
+ authenticatedUserId: opts.ctx.user.id,
+ },
 'trips',
 pagination,
 );
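Review bot: The added `opts.ctx.user.id` on the getPublicFeed line assumes a session is always present on this route; if getPublicFeedRoute can be reached without one (a public feed usually can), `opts.ctx.user` is undefined and the request fails with a TypeError instead of returning the public feed. Whether the procedure is protected is not visible in the hunk, so either confirm it is, or pass `authenticatedUserId: opts.ctx.user?.id` and rely on the service treating a missing id as "not the owner" (which the new buildConditions guard in feed.ts does, although `Modifiers.authenticatedUserId` is declared as a required `string`). The same unguarded `opts.ctx.user.id` access is added in getUserPacksFeed.ts and getUserTripsFeed.ts. Since this call hard-codes `isPublic: true` and passes no `ownerId`, the id has no effect on the query here; a short comment such as `// public feed: id supplied for the Modifiers contract only, the query is forced to is_public = true regardless` would stop a reader from looking for owner-only behaviour.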
diff --git a/server/src/modules/feed/controllers/getUserTripsFeed.ts b/server/src/modules/feed/controllers/getUserTripsFeed.ts
index 2751840de..5e8643f70 100644
--- a/server/src/modules/feed/controllers/getUserTripsFeed.ts
+++ b/server/src/modules/feed/controllers/getUserTripsFeed.ts
@@ -25,7 +25,12 @@ export function getUserTripsFeedRoute() {
 const { queryBy, searchTerm, ownerId, pagination, isPublic } = opts.input;
 const { data, totalCount, currentPagination } = await getFeedService(
 queryBy,
- { searchTerm, ownerId, isPublic },
+ {
+ searchTerm,
+ ownerId,
+ isPublic,
+ authenticatedUserId: opts.ctx.user.id,
+ },
 'packs',
 pagination,
 );
diff --git a/server/src/modules/feed/model/feed.ts b/server/src/modules/feed/model/feed.ts
index 5540901e2..17052b27c 100644
--- a/server/src/modules/feed/model/feed.ts
+++ b/server/src/modules/feed/model/feed.ts
@@ -251,18 +251,19 @@ export class Feed {
 modifiers: Modifiers,
 table: typeof trip | typeof pack,
 ) {
+ const { authenticatedUserId, isPublic, ownerId, searchTerm } = modifiers;
 const conditions = [];
 
- if (modifiers.isPublic !== undefined) {
- conditions.push(eq(table.is_public, modifiers.isPublic));
+ if (!authenticatedUserId || isPublic || authenticatedUserId !== ownerId) {
+ conditions.push(eq(table.is_public, true));
 }
 
- if (modifiers.ownerId) {
- conditions.push(eq(table.owner_id, modifiers.ownerId));
+ if (ownerId) {
+ conditions.push(eq(table.owner_id, ownerId));
 }
 
- if (modifiers.searchTerm) {
- conditions.push(like(table.name, `%${modifiers.searchTerm}%`));
+ if (searchTerm) {
+ conditions.push(like(table.name, `%${searchTerm}%`));
 }
 
 return conditions.length > 0 ? and(...conditions) : undefined;
diff --git a/server/src/modules/feed/models.ts b/server/src/modules/feed/models.ts
index daa1c5b27..66337ed26 100644
--- a/server/src/modules/feed/models.ts
+++ b/server/src/modules/feed/models.ts
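Review bot: In the feed.ts hunk the new `if (!authenticatedUserId || isPublic || authenticatedUserId !== ownerId)` drops the `isPublic` filter entirely for the owner: when the session user equals `ownerId` and the caller asks for `isPublic: false` (or leaves it unset), no `is_public` condition is pushed and the owner receives public and private rows together, where the old code returned exactly the requested subset. The non-owner and anonymous branches are fail-closed, which is the right default, but the trust decision (who may see private rows) is tangled with the filter the caller requested; separating the two keeps the enforcement readable and restores the owner's filter. The `!authenticatedUserId` check is the actual enforcement and relies on a falsy test while `Modifiers` declares the field as a required `string`, so a comment stating that a missing id is deliberately treated as "not the owner" belongs here. The enclosing method's signature starts outside the hunk.
```typescript
const { authenticatedUserId, isPublic, ownerId, searchTerm } = modifiers;
const conditions = [];

// Trust boundary: ownerId comes from the request, authenticatedUserId from the
// session. Anyone who is not the proven owner (including a missing session id)
// only ever sees public rows; the caller-supplied isPublic filter is honoured
// only for the owner.
const isOwner = !!authenticatedUserId && authenticatedUserId === ownerId;
if (!isOwner) {
  conditions.push(eq(table.is_public, true));
} else if (isPublic !== undefined) {
  conditions.push(eq(table.is_public, isPublic));
}
// … unchanged: ownerId and searchTerm conditions, return …
```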
@@ -1,6 +1,7 @@
 export interface Modifiers {
 isPublic?: boolean;
- ownerId?: string;
+ ownerId: string;
+ authenticatedUserId: string;
 searchTerm?: string;
 itemId?: string;
 includeUserFavoritesOnly?: boolean;
diff --git a/server/src/modules/feed/services/getFeedService.ts b/server/src/modules/feed/services/getFeedService.ts
index 073c87831..a3737fb7a 100644
--- a/server/src/modules/feed/services/getFeedService.ts
+++ b/server/src/modules/feed/services/getFeedService.ts
@@ -2,16 +2,17 @@ import { PaginationParams } from '../../../helpers/pagination';
 import { Feed } from '../model';
-import { Modifiers } from '../models';
+import { FeedQueryBy, Modifiers } from '../models';
 
 /**
 * Retrieves public trips based on the given query parameter.
 * @param {PrismaClient} prisma - Prisma client.
+ * @param {string} authenticatedUserId - The authenticated user's ID.
 * @param {string} queryBy - The query parameter to sort the trips.
 * @return {Promise} The public trips.
 */
 export const getFeedService = async (
- queryBy: string,
+ queryBy: FeedQueryBy,
 modifiers?: Modifiers,
 excludeType?: 'trips' | 'packs',
 pagination?: PaginationParams,
diff --git a/server/src/services/favorite/getUserFavoritesService.ts b/server/src/services/favorite/getUserFavoritesService.ts
index 81fa13e94..09af70383 100644
--- a/server/src/services/favorite/getUserFavoritesService.ts
+++ b/server/src/services/favorite/getUserFavoritesService.ts
@@ -1,6 +1,7 @@
 import { Feed } from '../../modules/feed/model';
 import { User } from '../../drizzle/methods/User';
 import { PaginationParams } from 'src/helpers/pagination';
+import { Modifiers } from 'src/modules/feed/models';
 
 /**
 * Retrieves the favorite packs associated with a specific user.
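Review bot: `ownerId` becomes a required `string` in the models.ts hunk, yet the updated getPublicFeed call passes no `ownerId` at all, and getUserFavoritesService's new `options?: Modifiers` obliges its callers to supply an `ownerId` that the service immediately overrides with `userId`; under strict TypeScript the getPublicFeed object literal should be rejected for the missing property. Keeping `ownerId?: string;` matches every call site in this diff, and the feed.ts guard already handles an absent owner as "not the owner". Making `authenticatedUserId` required is the useful part of this change, since it forces each call site to hand over the session identity, but nothing on the interface says where the value must come from; a field comment such as `/** Id of the session user, never taken from request input; a missing id is treated as a non-owner. */` would pin that contract for the next caller.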
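Review bot: The added `@param {string} authenticatedUserId` in the getFeedService JSDoc documents a parameter the function does not have — the id travels inside `modifiers` — and the existing `@param {PrismaClient} prisma` is stale for the same reason, so the block now lists two parameters that do not match the signature below it. Suggest replacing both with one entry on the real parameter: `@param {Modifiers} [modifiers] - Filters; modifiers.authenticatedUserId must be the session user's id (never request input), otherwise only public rows are returned.` The description "Retrieves public trips" is also narrower than what the function does now that an owner can receive private rows. The function signature continues outside the hunk.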
@@ -10,10 +11,10 @@ import { PaginationParams } from 'src/helpers/pagination';
 */
 export const getUserFavoritesService = async (
 userId: string,
- options?: { searchTerm?: string; isPublic?: boolean },
+ options?: Modifiers,
 pagination?: PaginationParams,
 ) => {
- const { searchTerm, isPublic } = options || {};
+ const { searchTerm, isPublic, authenticatedUserId } = options || {};
 const userClass = new User();
 const feedClass = new Feed();
 const user = (await userClass.findUser({
@@ -32,6 +33,7 @@ export const getUserFavoritesService = async (
 searchTerm,
 isPublic,
 ownerId: userId,
+ authenticatedUserId,
 },
 'trips',
 pagination,
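Review bot: `authenticatedUserId` is now read from the caller-supplied `options` and forwarded in the second hunk, but the callers of getUserFavoritesService are not part of this diff; any caller that was not updated passes it as undefined, and the feed query then narrows to public favorites only even when the requester is the owner — fail-closed, but a silent change in what an owner sees of their own favorites. Since `ownerId` is overridden with `userId` in the call below, `options?: Modifiers` also asks callers for a field that is ignored; `options?: Pick<Modifiers, 'searchTerm' | 'isPublic' | 'authenticatedUserId'>` keeps the surface to what the service actually reads. The JSDoc above the hunk should state that `options.authenticatedUserId` must be the session user's id and that omitting it restricts the result to public items.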