feat(backend): Endpoints voor studenten beschermd
parent
bc60c18938
commit
6cb8a1b98f
7 changed files with 93 additions and 52 deletions
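--- a/backend/src/middleware/auth/checks/class-auth-checks.ts
+++ b/backend/src/middleware/auth/checks/class-auth-checks.ts
@@ -0,0 +1,22 @@
+import {authorize} from "./auth-checks";
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+import {getClassesByTeacher} from "../../../services/teachers";
+
+/**
+* To be used on a request with path parameters username and classId.
+* Only allows requests whose username parameter is equal to the username of the user who is logged in and requests
+* whose classId parameter references a class the logged-in user is a teacher of.
+*/
+export const onlyAllowStudentHimselfAndTeachersOfClass = authorize(
+async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
+if (req.params.username === auth.username) {
+return true;
+} else if (auth.accountType === "teacher") {
+const classes: string[] = (await getClassesByTeacher(auth.username, false)) as string[];
+return req.params.classId in classes;
+} else {
+return false;
+}
+}
+);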
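Review bot: The teacher branch decides access with `req.params.classId in classes`, but on an array the `in` operator tests property keys (indices and the like), not the elements, so the result does not reflect whether the teacher actually teaches that class. The membership test should be `return classes.includes(req.params.classId);`. The `as string[]` cast also hides whatever `getClassesByTeacher(auth.username, false)` really returns; if that is not a list of class ids, the comparison needs to map to ids first, which cannot be confirmed from this file. A test in which a teacher requests a class they do not teach, and is denied, would pin this authorization rule down.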