Add server side ownership enforcement for profile editing

2020-11-06 20:12:46 +11:00
parent c0cd79f48b
commit 9ab61924dc
4 changed files with 66 additions and 6 deletions
--- a/api/src/lib/owner.js
+++ b/api/src/lib/owner.js
@@ -0,0 +1,31 @@
+import { AuthenticationError, ForbiddenError, parseJWT } from '@redwoodjs/api'
+import { db } from 'src/lib/db'
+
+export const requireOwnership = async ({ id, userName } = {}) => {
+  if (!context.currentUser) {
+    throw new AuthenticationError("You don't have permission to do that.")
+  }
+  if(!id && !userName) {
+    throw new ForbiddenError("You don't have access to do that.")
+  }
+
+  const netlifyUserId = context.currentUser?.sub
+  if(id && id !== netlifyUserId) {
+    throw new ForbiddenError("You don't own this resource.")
+  }
+
+  if(context.currentUser.roles?.includes('admin')) {
+    return
+  }
+
+  const user = await db.user.findOne({
+    where: { userName },
+  })
+
+  console.log(user, 'USER')
+  if(!user) {
+    throw new ForbiddenError("You don't own this resource.")
+  }
+
+
+}