diff --git a/backend/src/middleware/auth/checks/user-auth-checks.ts b/backend/src/middleware/auth/checks/user-auth-checks.ts
index f66f6682..27228369 100644
--- a/backend/src/middleware/auth/checks/user-auth-checks.ts
+++ b/backend/src/middleware/auth/checks/user-auth-checks.ts
@@ -5,4 +5,4 @@ import { AuthenticatedRequest } from '../authenticated-request.js';
 /**
 * Only allow the user whose username is in the path parameter "username" to access the endpoint.
 */
-export const onlyAllowUserHimself = authorize((auth: AuthenticationInfo, req: AuthenticatedRequest) => req.params.username === auth.username);
+export const preventImpersonation = authorize((auth: AuthenticationInfo, req: AuthenticatedRequest) => req.params.username === auth.username);
diff --git a/backend/src/routes/student-join-requests.ts b/backend/src/routes/student-join-requests.ts
index 35198d0c..a49984c7 100644
--- a/backend/src/routes/student-join-requests.ts
+++ b/backend/src/routes/student-join-requests.ts
@@ -5,16 +5,16 @@ import {
 getStudentRequestHandler,
 getStudentRequestsHandler,
 } from '../controllers/students.js';
-import { onlyAllowUserHimself } from '../middleware/auth/checks/user-auth-checks.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
 import { onlyAllowStudentHimselfAndTeachersOfClass } from '../middleware/auth/checks/class-auth-checks.js';
 // Under /:username/joinRequests/
 const router = express.Router({ mergeParams: true });
-router.get('/', onlyAllowUserHimself, getStudentRequestsHandler);
+router.get('/', preventImpersonation, getStudentRequestsHandler);
-router.post('/', onlyAllowUserHimself, createStudentRequestHandler);
+router.post('/', preventImpersonation, createStudentRequestHandler);
 router.get('/:classId', onlyAllowStudentHimselfAndTeachersOfClass, getStudentRequestHandler);
diff --git a/backend/src/routes/students.ts b/backend/src/routes/students.ts
index f40ce939..9ecf4688 100644
--- a/backend/src/routes/students.ts
+++ b/backend/src/routes/students.ts
@@ -11,7 +11,7 @@ import {
 getStudentSubmissionsHandler,
 } from '../controllers/students.js';
 import joinRequestRouter from './student-join-requests.js';
-import { onlyAllowUserHimself } from '../middleware/auth/checks/user-auth-checks.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
 import { adminOnly } from '../middleware/auth/checks/auth-checks.js';
 const router = express.Router();
@@ -23,25 +23,25 @@ router.get('/', adminOnly, getAllStudentsHandler);
 // Can only be used by an administrator.
 router.post('/', adminOnly, createStudentHandler);
-router.delete('/:username', onlyAllowUserHimself, deleteStudentHandler);
+router.delete('/:username', preventImpersonation, deleteStudentHandler);
 // Information about a student's profile
-router.get('/:username', onlyAllowUserHimself, getStudentHandler);
+router.get('/:username', preventImpersonation, getStudentHandler);
 // The list of classes a student is in
-router.get('/:username/classes', onlyAllowUserHimself, getStudentClassesHandler);
+router.get('/:username/classes', preventImpersonation, getStudentClassesHandler);
 // The list of submissions a student has made
-router.get('/:username/submissions', onlyAllowUserHimself, getStudentSubmissionsHandler);
+router.get('/:username/submissions', preventImpersonation, getStudentSubmissionsHandler);
 // The list of assignments a student has
-router.get('/:username/assignments', onlyAllowUserHimself, getStudentAssignmentsHandler);
+router.get('/:username/assignments', preventImpersonation, getStudentAssignmentsHandler);
 // The list of groups a student is in
-router.get('/:username/groups', onlyAllowUserHimself, getStudentGroupsHandler);
+router.get('/:username/groups', preventImpersonation, getStudentGroupsHandler);
 // A list of questions a user has created
-router.get('/:username/questions', onlyAllowUserHimself, getStudentQuestionsHandler);
+router.get('/:username/questions', preventImpersonation, getStudentQuestionsHandler);
 router.use('/:username/joinRequests', joinRequestRouter);
diff --git a/backend/src/routes/teacher-invitations.ts b/backend/src/routes/teacher-invitations.ts
index 0855c6a6..90117088 100644
--- a/backend/src/routes/teacher-invitations.ts
+++ b/backend/src/routes/teacher-invitations.ts
@@ -6,7 +6,7 @@ import {
 getInvitationHandler,
 updateInvitationHandler,
 } from '../controllers/teacher-invitations.js';
-import { onlyAllowUserHimself } from '../middleware/auth/checks/user-auth-checks.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
 import {
 onlyAllowReceiverBody,
 onlyAllowSender,
@@ -16,7 +16,7 @@ import {
 const router = express.Router({ mergeParams: true });
-router.get('/:username', onlyAllowUserHimself, getAllInvitationsHandler);
+router.get('/:username', preventImpersonation, getAllInvitationsHandler);
 router.get('/:sender/:receiver/:classId', onlyAllowSenderOrReceiver, getInvitationHandler);
diff --git a/backend/src/routes/teachers.ts b/backend/src/routes/teachers.ts
index 26ec77be..9c12ad13 100644
--- a/backend/src/routes/teachers.ts
+++ b/backend/src/routes/teachers.ts
@@ -12,7 +12,7 @@ import {
 } from '../controllers/teachers.js';
 import invitationRouter from './teacher-invitations.js';
 import { adminOnly } from '../middleware/auth/checks/auth-checks.js';
-import { onlyAllowUserHimself } from '../middleware/auth/checks/user-auth-checks.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
 import { onlyAllowTeacherOfClass } from '../middleware/auth/checks/class-auth-checks.js';
 const router = express.Router();
@@ -21,15 +21,15 @@ router.get('/', adminOnly, getAllTeachersHandler);
 router.post('/', adminOnly, createTeacherHandler);
-router.get('/:username', onlyAllowUserHimself, getTeacherHandler);
+router.get('/:username', preventImpersonation, getTeacherHandler);
-router.delete('/:username', onlyAllowUserHimself, deleteTeacherHandler);
+router.delete('/:username', preventImpersonation, deleteTeacherHandler);
-router.get('/:username/classes', onlyAllowUserHimself, getTeacherClassHandler);
+router.get('/:username/classes', preventImpersonation, getTeacherClassHandler);
-router.get('/:username/students', onlyAllowUserHimself, getTeacherStudentHandler);
+router.get('/:username/students', preventImpersonation, getTeacherStudentHandler);
-router.get('/:username/questions', onlyAllowUserHimself, getTeacherQuestionHandler);
+router.get('/:username/questions', preventImpersonation, getTeacherQuestionHandler);
 router.get('/:username/joinRequests/:classId', onlyAllowTeacherOfClass, getStudentJoinRequestHandler);