fix: add question in group check + extra create question errors service

2025-04-19 10:58:49 +02:00 · 2025-04-19 10:58:49 +02:00 · 566bb5a5fb
commit 566bb5a5fb
parent 78b65f148e
4 changed files with 47 additions and 6 deletions
--- a/backend/src/middleware/auth/checks/question-checks.ts
+++ b/backend/src/middleware/auth/checks/question-checks.ts
@ -6,6 +6,7 @@ import {getLearningObjectId, getQuestionId} from "../../../controllers/questions
 import {fetchQuestion} from "../../../services/questions";
 import {FALLBACK_SEQ_NUM} from "../../../config";
 import {fetchAnswer} from "../../../services/answers";
+import {mapToUsername} from "../../../interfaces/user";

 export const onlyAllowAuthor = authorize(
    (auth: AuthenticationInfo, req: AuthenticatedRequest) => req.body.author === auth.username
@ -46,3 +47,26 @@ export const onlyAllowAuthorRequestAnswer = authorize(
        return answer.author.username == auth.username;
    }
 );
+
+export const onlyAllowIfHasAccessToQuestion = authorize(
+    async (auth, req) => {
+        const hruid = req.params.hruid;
+        const version = req.params.version;
+        const language = req.query.lang as string;
+        const seq = req.params.seq;
+        requireFields({ hruid });
+
+        const learningObjectId = getLearningObjectId(hruid, version, language);
+        const questionId = getQuestionId(learningObjectId, seq);
+
+        const question = await fetchQuestion(questionId);
+        const group = question.inGroup;
+
+        if (auth.accountType === "teacher") {
+            const cls = group.assignment.within; // TODO check if contains full objects
+            return cls.teachers.map(mapToUsername).includes(auth.username);
+        } else { // user is student
+            return group.members.map(mapToUsername).includes(auth.username);
+        }
+    }
+);
--- a/backend/src/routes/answers.ts
+++ b/backend/src/routes/answers.ts
@ -1,7 +1,11 @@
 import express from 'express';
 import { createAnswerHandler, deleteAnswerHandler, getAnswerHandler, getAllAnswersHandler, updateAnswerHandler } from '../controllers/answers.js';
 import {adminOnly, authenticatedOnly, teachersOnly} from "../middleware/auth/checks/auth-checks";
-import {onlyAllowAuthor, onlyAllowAuthorRequestAnswer} from "../middleware/auth/checks/question-checks";
+import {
+    onlyAllowAuthor,
+    onlyAllowAuthorRequestAnswer,
+    onlyAllowIfHasAccessToQuestion
+} from "../middleware/auth/checks/question-checks";


 const router = express.Router({ mergeParams: true });
@ -10,7 +14,7 @@ router.get('/', adminOnly, getAllAnswersHandler);

 router.post('/', teachersOnly, onlyAllowAuthor, createAnswerHandler);

-router.get('/:seqAnswer', authenticatedOnly, getAnswerHandler);
+router.get('/:seqAnswer', onlyAllowIfHasAccessToQuestion, getAnswerHandler);

 router.delete('/:seqAnswer', teachersOnly, onlyAllowAuthorRequestAnswer, deleteAnswerHandler);

--- a/backend/src/routes/questions.ts
+++ b/backend/src/routes/questions.ts
@ -3,7 +3,11 @@ import { createQuestionHandler, deleteQuestionHandler, getAllQuestionsHandler, g
 import answerRoutes from './answers.js';
 import {adminOnly, authenticatedOnly, studentsOnly} from "../middleware/auth/checks/auth-checks";
 import {updateAnswerHandler} from "../controllers/answers";
-import {onlyAllowAuthor, onlyAllowAuthorRequest} from "../middleware/auth/checks/question-checks";
+import {
+    onlyAllowAuthor,
+    onlyAllowAuthorRequest,
+    onlyAllowIfHasAccessToQuestion
+} from "../middleware/auth/checks/question-checks";

 const router = express.Router({ mergeParams: true });

@ -15,7 +19,7 @@ router.get('/', adminOnly, getAllQuestionsHandler);
 router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler);

 // Information about a question with id
-router.get('/:seq', authenticatedOnly, getQuestionHandler); // TODO every body in group + teachers?
+router.get('/:seq', onlyAllowIfHasAccessToQuestion, getQuestionHandler);

 router.delete('/:seq', studentsOnly, onlyAllowAuthorRequest, deleteQuestionHandler);

--- a/backend/src/services/questions.ts
+++ b/backend/src/services/questions.ts
@ -12,6 +12,7 @@ import { AssignmentDTO } from '@dwengo-1/common/interfaces/assignment';
 import { fetchStudent } from './students.js';
 import { NotFoundException } from '../exceptions/not-found-exception';
 import { FALLBACK_VERSION_NUM } from '../config.js';
+import {ConflictException} from "../exceptions/conflict-exception";

 export async function getQuestionsAboutLearningObjectInAssignment(
    loId: LearningObjectIdentifier,
@ -88,12 +89,20 @@ export async function createQuestion(loId: LearningObjectIdentifier, questionDat

    const clazz = await getClassRepository().findById((questionData.inGroup.assignment as AssignmentDTO).within);
    const assignment = mapToAssignment(questionData.inGroup.assignment as AssignmentDTO, clazz!);
-    const inGroup = await getGroupRepository().findByAssignmentAndGroupNumber(assignment, questionData.inGroup.groupNumber);
+    const group = await getGroupRepository().findByAssignmentAndGroupNumber(assignment, questionData.inGroup.groupNumber);
+
+    if (!group){
+        throw new NotFoundException("Group with id and assignment not found");
+    }
+
+    if (! group.members.contains(author)) {
+        throw new ConflictException("Author is not part of this group");
+    }

    const question = await questionRepository.createQuestion({
        loId,
        author,
-        inGroup: inGroup!,
+        inGroup: group!,
        content,
    });