Add auth into who can edit a part
This commit is contained in:
Kurt Hutten
@@ -1,31 +1,43 @@
|
||||
import { AuthenticationError, ForbiddenError, parseJWT } from '@redwoodjs/api'
|
||||
import { db } from 'src/lib/db'
|
||||
|
||||
export const requireOwnership = async ({ id, userName } = {}) => {
|
||||
export const requireOwnership = async ({ userId, userName, partId } = {}) => {
|
||||
// IMPORTANT, don't forget to await this function, as it will only block
|
||||
// unwanted db actions if it has time to look up resources in the db.
|
||||
if (!context.currentUser) {
|
||||
throw new AuthenticationError("You don't have permission to do that.")
|
||||
}
|
||||
if(!id && !userName) {
|
||||
if(!userId && !userName && !partId) {
|
||||
throw new ForbiddenError("You don't have access to do that.")
|
||||
}
|
||||
|
||||
const netlifyUserId = context.currentUser?.sub
|
||||
if(id && id !== netlifyUserId) {
|
||||
throw new ForbiddenError("You don't own this resource.")
|
||||
}
|
||||
|
||||
if(context.currentUser.roles?.includes('admin')) {
|
||||
return
|
||||
}
|
||||
|
||||
const user = await db.user.findOne({
|
||||
where: { userName },
|
||||
})
|
||||
|
||||
console.log(user, 'USER')
|
||||
if(!user) {
|
||||
const netlifyUserId = context.currentUser?.sub
|
||||
if(userId && userId !== netlifyUserId) {
|
||||
throw new ForbiddenError("You don't own this resource.")
|
||||
}
|
||||
|
||||
if(userName) {
|
||||
const user = await db.user.findOne({
|
||||
where: { userName },
|
||||
})
|
||||
|
||||
if(!user || user.id !== netlifyUserId) {
|
||||
throw new ForbiddenError("You don't own this resource.")
|
||||
}
|
||||
}
|
||||
|
||||
if(partId) {
|
||||
const user = await db.part.findOne({
|
||||
where: { id: partId },
|
||||
}).user()
|
||||
|
||||
if(!user || user.id !== netlifyUserId) {
|
||||
throw new ForbiddenError("You don't own this resource.")
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
import { db } from 'src/lib/db'
|
||||
import { foreignKeyReplacement } from 'src/services/helpers'
|
||||
import { requireAuth } from 'src/lib/auth'
|
||||
import { requireOwnership } from 'src/lib/owner'
|
||||
import { user } from 'src/services/users/users'
|
||||
|
||||
export const parts = () => {
|
||||
@@ -28,12 +30,15 @@ export const partByUserAndTitle = async ({ userName, partTitle }) => {
|
||||
}
|
||||
|
||||
export const createPart = async ({ input }) => {
|
||||
requireAuth()
|
||||
return db.part.create({
|
||||
data: foreignKeyReplacement(input),
|
||||
})
|
||||
}
|
||||
|
||||
export const updatePart = ({ id, input }) => {
|
||||
export const updatePart = async ({ id, input }) => {
|
||||
requireAuth()
|
||||
await requireOwnership({partId: id})
|
||||
return db.part.update({
|
||||
data: foreignKeyReplacement(input),
|
||||
where: { id },
|
||||
@@ -41,6 +46,7 @@ export const updatePart = ({ id, input }) => {
|
||||
}
|
||||
|
||||
export const deletePart = ({ id }) => {
|
||||
requireAuth()
|
||||
return db.part.delete({
|
||||
where: { id },
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user