diff --git a/lib/middleware/response-json-api.js b/lib/middleware/response-json-api.js
index 59bb974..f41a1dc 100644
--- a/lib/middleware/response-json-api.js
+++ b/lib/middleware/response-json-api.js
@@ -144,7 +144,6 @@ module.exports = function (options) {
       res.body.links = {
         self: `${baseUrl}${req.url}`
       };
-      next();
     } else {
       let baseSelfLink;
       const linksQueries = res.body.linksQueries;
@@ -248,7 +247,7 @@ module.exports = function (options) {
       res.body.meta.channel = req.identity.channel.id;
     }
 
     if (req.identity.platform) {
-      res.body.meta.platform = req.identity.platform.platformType;
+      res.body.meta.platform = req.identity.platform.id;
     }
   }
diff --git a/lib/services/identity/controllers/identity-item-controller.js b/lib/services/identity/controllers/identity-item-controller.js
index 2fe5373..f5e168b 100644
--- a/lib/services/identity/controllers/identity-item-controller.js
+++ b/lib/services/identity/controllers/identity-item-controller.js
@@ -14,6 +14,10 @@ class IdentityItemController extends Controller {
   }
 
   get(req, res, next) {
+    if (this.type === 'viewer' && !this.isAdminRequest(req) && req.params.id !== req.identity.viewer.id) {
+      return next(Boom.unauthorized('Viewer specified in JWT does not match requested viewer.'));
+    }
+
     const type = this.type;
     const id = req.params.id;
     const args = {type, id};
@@ -23,6 +27,11 @@ class IdentityItemController extends Controller {
       if (type !== 'channel') {
         args.channel = channel.id;
       }
+
+      if (req.query.include) {
+        args.include = req.query.include.split(',');
+      }
+
       return this.bus.query({role: 'store', cmd: 'get', type}, args);
     })
     .then(resource => {
diff --git a/lib/services/identity/controllers/viewer-relationship-controller.js b/lib/services/identity/controllers/viewer-relationship-controller.js
index c8d4d38..776589a 100644
--- a/lib/services/identity/controllers/viewer-relationship-controller.js
+++ b/lib/services/identity/controllers/viewer-relationship-controller.js
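Review bot: The ownership check added at the top of `get` dereferences `req.identity.viewer.id` unconditionally, so a non-admin token that carries no `viewer` (the `platform` audience this same commit admits on `/${type}s/:id`) throws a TypeError and the request ends as a 500 instead of a clean rejection. Guard the dereference and, since `request-authorize` has already accepted the token, answer 403 rather than 401: `const viewer = req.identity.viewer;` / `if (this.type === 'viewer' && !this.isAdminRequest(req) && (!viewer || req.params.id !== viewer.id)) {` / `return next(Boom.forbidden('Viewer specified in JWT does not match requested viewer.'));`. Whether a platform token can reach this controller without a viewer depends on what `request-authorize` attaches to `req.identity`, which the diff does not show, so treat the missing-viewer case as something to confirm. `get`'s body continues past the end of the hunk.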
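Review bot: `req.query.include.split(',')` assumes a string, but Express's query parser yields an array for a repeated key (`?include=a&include=b`), on which `.split` is not a function and the handler rejects with a TypeError instead of a 4xx. Normalise before splitting, e.g. `args.include = [].concat(req.query.include).join(',').split(',').filter(Boolean);`, and since the result goes straight into the store query, consider checking it against the relationship names this type actually exposes before a non-admin caller can ask the store to expand arbitrary ones. The `.then` callback this sits in starts and ends outside the hunk.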
@@ -7,14 +7,19 @@ const objectSort = require('object-property-natural-sort');
 const utils = require('../../../utils');
 const Controller = require('../../../controllers/controller');
 
-class ViewerRelationshipController {
+class ViewerRelationshipController extends Controller {
   constructor(options) {
+    super();
     this.bus = options.bus;
     this.type = 'viewer';
     this.relationship = options.relationship;
   }
 
   get(req, res, next) {
+    if (!this.isAdminRequest(req) && req.params.id !== req.identity.viewer.id) {
+      return next(Boom.unauthorized('Viewer specified in JWT does not match requested viewer.'));
+    }
+
     const relationshipKey = this.relationship;
 
     const args = {
@@ -100,12 +105,13 @@ class ViewerRelationshipController {
   post(req, res, next) {
     const args = {
       id: req.params.id,
-      type: this.type
+      type: this.type,
+      channel: req.identity.channel.id
     };
 
     req.body = utils.arrayify(req.body);
     req.body.forEach((resource, index) => {
-      if (resource.type !== 'video' || resource.type !== 'collection') {
+      if (resource.type !== 'video' && resource.type !== 'collection') {
         return next(Boom.forbidden(`Resource number ${index}, id ${resource.id}, type ${resource.type} is not of type video or collection.`));
       }
     });
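Review bot: `req.params.id !== req.identity.viewer.id` in `get` throws rather than rejects when `req.identity.viewer` is absent, and a valid-but-wrong token is an authorization failure, so 403 fits better than `Boom.unauthorized`. Make it null-safe, `const viewer = req.identity.viewer;` / `if (!this.isAdminRequest(req) && (!viewer || req.params.id !== viewer.id)) {` / `return next(Boom.forbidden('Viewer specified in JWT does not match requested viewer.'));`, and since the same rule has to hold for every handler on this class, move it into a small private method rather than repeating the condition. Whether a token without a viewer can reach this route depends on the relationship routes' `request-authorize` audience, which this diff does not show. `get`'s body continues past the end of the hunk.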
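Review bot: `post` has no viewer-ownership check, so with the new `channel: req.identity.channel.id` it is scoped to the caller's channel but not to the caller's viewer — any non-admin token in that channel can append to another viewer's relationship by putting that viewer's id in the URL, unless the route's `request-authorize` audience restricts `post` to admin (not visible in this diff). Mirror the guard this commit adds to `get`: `if (!this.isAdminRequest(req) && (!req.identity.viewer || req.params.id !== req.identity.viewer.id)) { return next(Boom.forbidden('Viewer specified in JWT does not match requested viewer.')); }` at the top of `post`. Separately, the `return next(Boom.forbidden(...))` inside the `forEach` callback only leaves the callback; the chain below (outside this hunk) still runs and later responds, so `next` is called twice. Replace the loop with `const i = req.body.findIndex(r => r.type !== 'video' && r.type !== 'collection');` / `if (i !== -1) { return next(Boom.forbidden(`Resource number ${i}, id ${req.body[i].id}, type ${req.body[i].type} is not of type video or collection.`)); }`. `post`'s body continues past the end of the hunk.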
@@ -116,18 +122,18 @@ class ViewerRelationshipController {
         viewer.relationships[this.relationship].data = viewer.relationships[this.relationship].data || [];
         viewer.relationships[this.relationship].data = utils.arrayify(viewer.relationships[this.relationship].data);
 
-        // Union the current with the new to get unique entries
-        viewer.relationships[this.relationship].data = _.union(viewer.relationships[this.relationship].data, req.body);
+        viewer.relationships[this.relationship].data.concat(req.body);
+        viewer.relationships[this.relationship].data = _.uniqWith(viewer.relationships[this.relationship].data, _.isEqual);
 
         if (viewer.relationships[this.relationship].data.length === 1) {
           viewer.relationships[this.relationship].data = viewer.relationships[this.relationship].data[0];
         }
 
-        return this.bus.query({role: 'store', cmd: 'set', type: this.type}, viewer);
+        return this.bus.sendCommand({role: 'store', cmd: 'set', type: this.type}, viewer);
       })
-      .then(viewer => {
-        res.body = viewer.relationships[this.relationship];
-        res.status(200);
+      .then(() => {
+        res.sendStatus(202);
+        return null;
       })
       .catch(next);
   }
@@ -165,6 +171,8 @@ class ViewerRelationshipController {
       .then(viewer => {
         res.body = viewer.relationships[this.relationship];
         res.status(200);
+        next();
+        return null;
       })
       .catch(next);
   }
diff --git a/lib/services/identity/index.js b/lib/services/identity/index.js
index 8cfb54f..6d73962 100644
--- a/lib/services/identity/index.js
+++ b/lib/services/identity/index.js
@@ -79,7 +79,7 @@ module.exports = function (bus, options) {
   router.all(
     `/${type}s/:id`,
     middleware['request-authorize']({bus, audience: {
-      get: ['admin'],
+      get: ['admin', 'platform'],
       patch: ['admin'],
       delete: ['admin']
     }}),
diff --git a/spec/middleware/response-json-api-spec.js b/spec/middleware/response-json-api-spec.js
index 72a4695..3f06e8a 100644
--- a/spec/middleware/response-json-api-spec.js
+++ b/spec/middleware/response-json-api-spec.js
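Review bot: `viewer.relationships[this.relationship].data.concat(req.body);` discards its result — `Array.prototype.concat` returns a new array and does not mutate — so the posted resources are never merged and the 202 acknowledges a write that only re-deduplicates what was already stored. Assign it: `viewer.relationships[this.relationship].data = viewer.relationships[this.relationship].data.concat(req.body);`. The following `_.uniqWith(..., _.isEqual)` also compares whole client-supplied objects, so two entries with the same `type` and `id` but different extra properties both survive and every extra property the client sent is persisted; dedupe on identity with `_.uniqBy(data, r => `${r.type}:${r.id}`)` and keep only `{type, id}` from each entry. The `.then(viewer => {` this sits in starts before the hunk.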
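Review bot: Adding `'platform'` to the `get` audience on `/${type}s/:id` applies to every identity type this route is registered for, while the per-viewer ownership check this commit adds in IdentityItemController.get only fires for `this.type === 'viewer'`; for `channel` the controller does not scope the store lookup by channel either, so a platform token can now read any channel record by id unless the store enforces that on its own. If the intent is viewer self-service, narrow the audience per type: `get: type === 'viewer' ? ['admin', 'platform'] : ['admin'],`. The loop that binds `type` and the rest of the router setup are outside the hunk, so confirm which types actually pass through here.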
@@ -153,7 +153,7 @@ describe('Middleware Response JSON API', function () {
     });
 
     it('adds a meta block', function () {
-      expect(res.body.meta).toEqual({channel: 'channel-id', platform: 'APPLE_TV'});
+      expect(res.body.meta).toEqual({channel: 'channel-id', platform: 'platform-id'});
     });
   });
 
@@ -275,7 +275,7 @@ describe('Middleware Response JSON API', function () {
     });
 
     it('adds a meta block', function () {
-      expect(res.body.meta).toEqual({channel: 'channel-id', platform: 'APPLE_TV'});
+      expect(res.body.meta).toEqual({channel: 'channel-id', platform: 'platform-id'});
     });
   });
 