Check if user owns the task to update (#1129)

worknenjoy · Aug 29, 2024 · 5ca9e8b · 5ca9e8b
1 parent 7662340
commit 5ca9e8b
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/modules/app/controllers/task.js b/modules/app/controllers/task.js
@@ -47,6 +47,7 @@ exports.fetchTask = (req, res) => {
 }
 
 exports.updateTask = (req, res) => {
+  req.body.userId = req.user.id
   Tasks.taskUpdate(req.body)
     .then(data => {
       res.send(data)

diff --git a/modules/app/routes/tasks.js b/modules/app/routes/tasks.js
@@ -8,7 +8,6 @@ router.get('/fetch/:id', controllers.fetchTask)
 router.get('/:id/sync/:field', controllers.syncTask)
 router.post('/:id/invite/', controllers.inviteUserToTask)
 router.post('/:id/funding/', controllers.inviteToFundingTask)
-router.put('/update', controllers.updateTask)
 router.post('/:id/report', controllers.reportTask)
 router.post('/:id/claim', controllers.requestClaimTask)
 router.get('/list', controllers.listTasks)
@@ -18,6 +17,7 @@ router.post('/:id/message/', controllers.messageInterestedToTask)
 router.post('/:id/message/author', controllers.messageAuthor)
 router.post('/:id/offer/:offerId/message', controllers.messageOffer)
 router.post('/create', controllers.createTask)
+router.put('/update', controllers.updateTask)
 router.post('/payments', controllers.paymentTask)
 router.delete('/delete/:id', controllers.deleteTaskById)
 router.get('/delete/:taskId/:userId', controllers.deleteTaskFromReport)

diff --git a/modules/tasks/taskUpdate.js b/modules/tasks/taskUpdate.js
@@ -107,6 +107,7 @@ module.exports = Promise.method(async function taskUpdate (taskParameters) {
     .update(taskParameters, {
       where: {
         id: taskParameters.id,
+        userId: taskParameters.userId,
       },
       individualHooks: true,
       include: [models.User, models.Order, models.Offer, models.Member]