tdpeuter/2025SELab2-project-Dwengo
tdpeuter/2025SELab2-project-Dwengo
1
Fork 0
Code Issues Releases 4 Packages 2 Wiki Activity

feat(backend): Endpoints van klassen en leerkrachten beschermd.

Browse source
This commit is contained in:
Gerald Schmittinger 2025-04-08 15:45:20 +02:00
parent 9339eca9cf
commit 2252326234
3 changed files with 31 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
backend/src/controllers/auth.ts
View file

@ -41,7 +41,7 @@ export function handleGetFrontendAuthConfig(_req: Request, res: Response): void
res.json(getFrontendAuthConfig()); res.json(getFrontendAuthConfig());
} }
export async function handleHello(req: AuthenticatedRequest) { export async function handleHello(req: AuthenticatedRequest): Promise<void> {
const auth: AuthenticationInfo = req.auth!; const auth: AuthenticationInfo = req.auth!;
if (auth.accountType === "teacher") { if (auth.accountType === "teacher") {
await createTeacher({ await createTeacher({

23
backend/src/middleware/auth/checks/class-auth-checks.ts
View file

@ -33,3 +33,26 @@ export const onlyAllowTeacherOfClass = authorize(
async (auth: AuthenticationInfo, req: AuthenticatedRequest) => async (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
req.params.username === auth.username && teaches(auth.username, req.params.classId), req.params.username === auth.username && teaches(auth.username, req.params.classId),
); );
/**
* Only let the request pass through if the class id in it refers to a class the current user is in (as a student
* or teacher)
*/
function createOnlyAllowIfInClass(onlyTeacher: boolean) {
return authorize(
async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
const classId = req.params.classId ?? req.params.classid ?? req.params.id;
const clazz = await getClass(classId);
if (clazz == null) {
return false;
} else if (onlyTeacher || auth.accountType === "teacher") {
return auth.username in clazz.teachers;
} else {
return auth.username in clazz.students;
}
}
);
}
export const onlyAllowIfInClass = createOnlyAllowIfInClass(false);
export const onlyAllowIfTeacherInClass = createOnlyAllowIfInClass(true);

12
backend/src/routes/classes.ts
View file

@ -7,20 +7,22 @@ import {
getTeacherInvitationsHandler, getTeacherInvitationsHandler,
} from '../controllers/classes.js'; } from '../controllers/classes.js';
import assignmentRouter from './assignments.js'; import assignmentRouter from './assignments.js';
import {adminOnly, teachersOnly} from "../middleware/auth/checks/auth-checks";
import {onlyAllowIfInClass, onlyAllowIfTeacherInClass} from "../middleware/auth/checks/class-auth-checks";
const router = express.Router(); const router = express.Router();
// Root endpoint used to search objects // Root endpoint used to search objects
router.get('/', getAllClassesHandler); router.get('/', adminOnly, getAllClassesHandler);
router.post('/', createClassHandler); router.post('/', teachersOnly, createClassHandler);
// Information about an class with id 'id' // Information about an class with id 'id'
router.get('/:id', getClassHandler); router.get('/:id', onlyAllowIfInClass, getClassHandler);
router.get('/:id/teacher-invitations', getTeacherInvitationsHandler); router.get('/:id/teacher-invitations', onlyAllowIfTeacherInClass, getTeacherInvitationsHandler);
router.get('/:id/students', getClassStudentsHandler); router.get('/:id/students', onlyAllowIfInClass, getClassStudentsHandler);
router.use('/:classid/assignments', assignmentRouter); router.use('/:classid/assignments', assignmentRouter);