From dfaf61803525cd019ef6c534893d96d5a43711e2 Mon Sep 17 00:00:00 2001
From: Erik
Date: Tue, 25 Aug 2020 16:18:02 +0200
Subject: [PATCH 1/3] fix: allow a developer to delete his own versions
---
 .../routes/v1/apps/handlers/deleteAppVersion.js | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/server/src/routes/v1/apps/handlers/deleteAppVersion.js b/server/src/routes/v1/apps/handlers/deleteAppVersion.js
index 0a7bd6315..2a74f3319 100644
--- a/server/src/routes/v1/apps/handlers/deleteAppVersion.js
+++ b/server/src/routes/v1/apps/handlers/deleteAppVersion.js
@@ -1,11 +1,17 @@
 const Boom = require('@hapi/boom')
+const debug = require('debug')(
+ 'apphub:server:routes:handlers:v1:deleteAppVersion'
+)
 const { getCurrentUserFromRequest, currentUserIsManager, } = require('../../../../security')
-const { getAppDeveloperId, deleteAppVersion } = require('../../../../data')
+const {
+ deleteAppVersion,
+ getOrganisationAppsByUserId,
+} = require('../../../../data')
 const { deleteFile } = require('../../../../utils')
@@ -32,11 +38,15 @@ module.exports = {
 const { appId, versionId } = request.params
 const currentUser = await getCurrentUserFromRequest(request, db)
- const appDeveloperId = await getAppDeveloperId(appId, db)
 const isManager = currentUserIsManager(request)
+ const userApps = await getOrganisationAppsByUserId(currentUser.id, db)
+ const userCanDeleteVersion =
+ isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1
- if (isManager || appDeveloperId === currentUser.id) {
+ debug('isManager:', isManager)
+ debug('userCanDeleteVersion:', userCanDeleteVersion)
+ if (isManager || userCanDeleteVersion) { //can edit app
 const transaction = await db.transaction()
From be87503c44e2104622cb1d5e7c52c5c16aa8f9f9 Mon Sep 17 00:00:00 2001
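Review bot: `userCanDeleteVersion` already folds in `isManager`, so `if (isManager || userCanDeleteVersion) {` tests it twice; the branch should read `if (userCanDeleteVersion) {`. The new check authorizes on `appId` only, while the row being deleted is selected by `versionId` from the same `request.params`; unless `deleteAppVersion` (outside the hunk) constrains the version to `appId`, the app check does not bind the two ids, and that should be confirmed. `userApps.map(app => app.app_id).indexOf(appId) !== -1` reads more directly as `userApps.some(app => app.app_id === appId)`, and the `getOrganisationAppsByUserId` round trip could be skipped when `isManager` is already true — the same applies to the parallel checks in uploadImageToApp.js and deleteImage.js. The comparison is strict, so it only matches if `app.app_id` and the route parameter have the same type; presumably both are ids stored as strings, which is worth a glance at the data layer. The handler body continues outside the hunk.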
From: Erik
Date: Tue, 25 Aug 2020 16:29:38 +0200
Subject: [PATCH 2/3] fix: allow devs to upload media to own apps
---
 .../v1/apps/handlers/uploadImageToApp.js | 26 +++++++++++--------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/server/src/routes/v1/apps/handlers/uploadImageToApp.js b/server/src/routes/v1/apps/handlers/uploadImageToApp.js
index 5dbfb4c7f..9ac7cdeec 100644
--- a/server/src/routes/v1/apps/handlers/uploadImageToApp.js
+++ b/server/src/routes/v1/apps/handlers/uploadImageToApp.js
@@ -1,3 +1,7 @@
+const debug = require('debug')(
+ 'apphub:server:routes:handlers:v1:uploadImageToApp'
+)
+
 const { MediaType } = require('../../../../enums')
 const { saveFile } = require('../../../../utils')
@@ -6,7 +10,7 @@ const {
 currentUserIsManager, } = require('../../../../security')
-const { addAppMedia, getAppDeveloperId } = require('../../../../data')
+const { addAppMedia, getOrganisationAppsByUserId } = require('../../../../data')
 module.exports = {
 method: 'POST',
@@ -36,17 +40,19 @@ module.exports = {
 request.logger.info('In handler %s', request.path)
 const knex = h.context.db
+ const appId = request.params.appId
 const currentUser = await getCurrentUserFromRequest(request, knex)
- const appDeveloperId = await getAppDeveloperId(
- request.params.appId,
- knex
- )
+ const isManager = currentUserIsManager(request)
+
+ const userApps = await getOrganisationAppsByUserId(currentUser.id, knex)
+ const canUploadMedia =
+ isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1
- if (
- !currentUserIsManager(request) &&
- appDeveloperId !== currentUser.id
- ) {
+ debug('isManager:', isManager)
+ debug('canUploadMedia:', canUploadMedia)
+
+ if (!canUploadMedia) {
 return h
 .response({ message: `You don't have access to edit that app` })
 .code(401)
@@ -59,8 +65,6 @@ module.exports = {
 let imageId = null
- const appId = request.params.appId
-
 const { id } = await addAppMedia( { userId: currentUser.id,
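Review bot: The rewritten guard `if (!canUploadMedia) {` answers an authenticated user who lacks rights on the app with `.code(401)`, which signals a missing or invalid credential; a permission failure is a 403, so `.code(403)` fits the new branch better — the status line itself is pre-existing context, but this hunk is now the only place that decides it. As in deleteAppVersion.js, the `getOrganisationAppsByUserId` round trip runs even when `isManager` is already true, and `.some(app => app.app_id === appId)` would state the membership test more directly. Hoisting `appId` to the top of the handler is sound here, since the later `addAppMedia` call (outside the hunk) presumably receives the same checked value. The handler body continues outside the hunk.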
From 5987bd0e41548001933f450cedc8d0d8db345958 Mon Sep 17 00:00:00 2001
From: Erik
Date: Tue, 25 Aug 2020 16:31:58 +0200
Subject: [PATCH 3/3] fix: allow devs to delete images on own apps
---
 .../src/routes/v1/apps/handlers/deleteImage.js | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/server/src/routes/v1/apps/handlers/deleteImage.js b/server/src/routes/v1/apps/handlers/deleteImage.js
index e11afcb82..e2e5203ee 100644
--- a/server/src/routes/v1/apps/handlers/deleteImage.js
+++ b/server/src/routes/v1/apps/handlers/deleteImage.js
@@ -1,11 +1,16 @@
 const Boom = require('@hapi/boom')
+const debug = require('debug')('apphub:server:routes:handlers:v1:deleteImage')
+
 const { getCurrentUserFromRequest, currentUserIsManager, } = require('../../../../security')
-const { getAppDeveloperId, deleteAppMedia } = require('../../../../data')
+const {
+ deleteAppMedia,
+ getOrganisationAppsByUserId,
+} = require('../../../../data')
 const { deleteFile } = require('../../../../utils')
@@ -32,11 +37,16 @@ module.exports = {
 const { appMediaId, appId } = request.params
 const currentUser = await getCurrentUserFromRequest(request, db)
- const appDeveloperId = await getAppDeveloperId(appId, db)
-
 const isManager = currentUserIsManager(request)
- if (isManager || appDeveloperId === currentUser.id) {
+ const userApps = await getOrganisationAppsByUserId(currentUser.id, db)
+ const canDeleteImage =
+ isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1
+
+ debug('isManager:', isManager)
+ debug('canDeleteImage:', canDeleteImage)
+
+ if (canDeleteImage) { //can edit app
 const transaction = await db.transaction()
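Review bot: The new check authorizes on `appId`, but the row to be removed is `appMediaId`, a second route parameter that nothing in this hunk ties to `appId`; unless `deleteAppMedia` (outside the hunk) restricts the delete to media belonging to that app, the organisation check and the deleted row can refer to different apps, and that binding should be confirmed. If the data layer does not enforce it, the handler should load the media row first and reject with a `Boom` error when its app id differs from `appId`, before opening the transaction. The `debug('isManager:', isManager)` lines log only booleans, which is fine for a permission decision. The handler body continues outside the hunk.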