From f5c6ceeb1e253a6f79b196240fab958b9c5b755f Mon Sep 17 00:00:00 2001
From: bhc
Date: Thu, 4 Apr 2024 13:01:29 +0300
Subject: [PATCH] Add parameter validation for user update

---
 src/controllers/user.controller.ts | 10 +++++++++-
 src/routes/user.routes.ts | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/controllers/user.controller.ts b/src/controllers/user.controller.ts
index 54706e4..978c62e 100644
--- a/src/controllers/user.controller.ts
+++ b/src/controllers/user.controller.ts
@@ -106,6 +106,7 @@ export default class UserController {
 try {
 console.log("update user");
 throwIfMissing(req.headers, ["x-appwrite-user-id", "x-appwrite-jwt"]);
+ throwIfMissing(req.params, ["id"]);
 if (!req.body || Object.keys(req.body).length === 0) {
 console.log("Request body is empty.");
 return res
@@ -115,10 +116,17 @@ export default class UserController {
 const sender: string = req.headers["x-appwrite-user-id"] as string;
 const jwt: string = req.headers["x-appwrite-jwt"] as string;
- // console.log(`sender: ${sender}`);
 // console.log(`jwt: ${jwt}`);
+ // Check if user is updating their own data
+ if (sender !== req.params.id) {
+ return res.status(400).json({
+ ok: false,
+ error: "You can only update your own data.",
+ });
+ }
+ // Set data to variables
 const data: any = req.body;
diff --git a/src/routes/user.routes.ts b/src/routes/user.routes.ts
index adef3c9..86d6d01 100644
--- a/src/routes/user.routes.ts
+++ b/src/routes/user.routes.ts
@@ -11,7 +11,7 @@ class MessageRoutes {
 intializeRoutes() {
 this.router.post("/", this.controller.create);
- this.router.patch("/", this.controller.update);
+ this.router.patch("/:id", this.controller.update);
 }
 }
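Review bot: The ownership check added in the second controller hunk answers a mismatched `:id` with 400, but a caller who is identified and simply not allowed to touch that resource is a forbidden request, so `return res.status(403).json({` is the better code and lets clients tell input errors from authorization failures. The check also compares `req.params.id` only against the `x-appwrite-user-id` header; `x-appwrite-jwt` is read into `jwt` but nothing visible in the hunk verifies it or ties it to that header, so unless an upstream component is known to set the header only after validating the JWT, the "own data" guarantee rests on a client-supplied header. A comment stating which component is trusted to set it would make that assumption reviewable, e.g. `// x-appwrite-user-id is trusted here because the gateway sets it from the verified JWT — confirm`. The enclosing update method starts before and continues past this hunk.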
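Review bot: Moving the PATCH route from `/` to `/:id` is a breaking change for any client still sending `PATCH /`; that request no longer reaches the controller at all, and the commit message ("Add parameter validation") does not mention it. If such clients exist, keep `this.router.patch("/", this.controller.update);` registered next to the new route until they migrate, or document the new path where the API is described. Since the controller only accepts an `:id` equal to the header user id, the parameter adds no capability beyond the header, so it is worth stating in a short comment on the route why the path now carries it.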