feat(backend): Endpoints van klassen en leerkrachten beschermd.

2025-04-08 15:45:20 +02:00 · 2025-04-08 15:45:20 +02:00 · 2252326234
commit 2252326234
parent 9339eca9cf
3 changed files with 31 additions and 6 deletions
--- a/backend/src/middleware/auth/checks/class-auth-checks.ts
+++ b/backend/src/middleware/auth/checks/class-auth-checks.ts
@ -33,3 +33,26 @@ export const onlyAllowTeacherOfClass = authorize(
    async (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
        req.params.username === auth.username && teaches(auth.username, req.params.classId),
 );
+
+/**
+ * Only let the request pass through if the class id in it refers to a class the current user is in (as a student
+ * or teacher)
+ */
+function createOnlyAllowIfInClass(onlyTeacher: boolean) {
+    return authorize(
+        async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
+            const classId = req.params.classId ?? req.params.classid ?? req.params.id;
+            const clazz = await getClass(classId);
+            if (clazz == null) {
+                return false;
+            } else if (onlyTeacher || auth.accountType === "teacher") {
+                return auth.username in clazz.teachers;
+            } else {
+                return auth.username in clazz.students;
+            }
+        }
+    );
+}
+
+export const onlyAllowIfInClass = createOnlyAllowIfInClass(false);
+export const onlyAllowIfTeacherInClass = createOnlyAllowIfInClass(true);