feat(backend): Bescherming van leerobject-manipulatie endpoints.

Ook delete route voor leerobjecten toegevoegd.
2025-05-12 14:57:54 +02:00 · 2025-05-12 14:57:54 +02:00 · 20c04370b5
commit 20c04370b5
parent a7f90aace3
4 changed files with 50 additions and 4 deletions
--- a/backend/src/routes/learning-objects.ts
+++ b/backend/src/routes/learning-objects.ts
@ -4,12 +4,15 @@ import {
    getAttachment,
    getLearningObject,
    getLearningObjectHTML,
+    handleDeleteLearningObject,
    handlePostLearningObject
 } from '../controllers/learning-objects.js';

 import submissionRoutes from './submissions.js';
 import questionRoutes from './questions.js';
 import fileUpload from "express-fileupload";
+import { teachersOnly } from '../middleware/auth/auth.js';
+import { onlyAdminsForLearningObject } from '../middleware/auth/checks/learning-object-auth-checks.js';

 const router = express.Router();

@ -25,7 +28,7 @@ const router = express.Router();
 // Example 2: http://localhost:3000/learningObject?full=true&hruid=un_artificiele_intelligentie
 router.get('/', getAllLearningObjects);

-router.post('/', fileUpload({useTempFiles: true}), handlePostLearningObject)
+router.post('/', teachersOnly, fileUpload({useTempFiles: true}), handlePostLearningObject)

 // Parameter: hruid of learning object
 // Query: language
@ -33,6 +36,12 @@ router.post('/', fileUpload({useTempFiles: true}), handlePostLearningObject)
 // Example: http://localhost:3000/learningObject/un_ai7
 router.get('/:hruid', getLearningObject);

+// Parameter: hruid of learning object
+// Query: language
+// Route to delete a learning object based on its hruid.
+// Example: http://localhost:3000/learningObject/un_ai7?language=nl&version=1
+router.delete('/:hruid', onlyAdminsForLearningObject, handleDeleteLearningObject)
+
 router.use('/:hruid/submissions', submissionRoutes);

 router.use('/:hruid/:version/questions', questionRoutes);