Add server side ownership enforcement for profile editing

Kurt Hutten
2020-11-06 20:12:46 +11:00
parent c0cd79f48b
commit 9ab61924dc
4 changed files with 66 additions and 6 deletions


@@ -1,35 +1,47 @@
import { db } from 'src/lib/db'
import { requireAuth } from 'src/lib/auth'
import { requireOwnership } from 'src/lib/owner'
export const users = () => {
requireAuth({ role: 'admin' })
return db.user.findMany()
}
export const user = ({ id }) => {
requireAuth()
return db.user.findOne({
where: { id },
})
}
export const userName = ({ userName }) => {
requireAuth()
return db.user.findOne({
where: { userName },
})
}
export const createUser = ({ input }) => {
requireAuth({ role: 'admin' })
createUserInsecure({input})
}
export const createUserInsecure = ({ input }) => {
return db.user.create({
data: input,
})
}
export const updateUser = ({ id, input }) => {
requireAuth()
return db.user.update({
data: input,
where: { id },
})
}
export const updateUserByUserName = ({ userName, input }) => {
export const updateUserByUserName = async ({ userName, input }) => {
requireAuth()
await requireOwnership({userName})
return db.user.update({
data: input,
where: { userName },
@@ -37,6 +49,7 @@ export const updateUserByUserName = ({ userName, input }) => {
}
export const deleteUser = ({ id }) => {
requireAuth({ role: 'admin' })
return db.user.delete({
where: { id },
})
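Review bot: `updateUser` still guards its write with `requireAuth()` alone, so any signed-in user can update another user's record by `id` and sidestep the ownership check this commit adds to `updateUserByUserName`. Either restrict it with `requireAuth({ role: 'admin' })` as `deleteUser` does, or have the ownership helper resolve the target by id (its implementation in `src/lib/owner` is not visible here, so whether it can is an assumption). In `createUser` the result of the insert is dropped; it should read `return createUserInsecure({ input })` so the caller receives the created user. Both update paths also pass `data: input` through unfiltered, so if the input type permits `userName` or any privilege-bearing field, an owner could rewrite it; an explicit allow-list of editable fields would close that unless the schema already limits it.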