tdpeuter/2025SELab2-project-Dwengo
tdpeuter/2025SELab2-project-Dwengo
Archived
1
Fork 0
Code Issues Releases 4 Packages 2 Wiki Activity

fix: authorizatie in submissions gefixt

Browse source
This commit is contained in:
Adriaan Jacquet 2025-05-18 10:33:13 +02:00
parent 57ddc3d608
commit 6d62d8f586
2 changed files with 19 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

17
backend/src/middleware/auth/checks/submission-checks.ts
View file

@ -7,6 +7,9 @@ import { authorize } from './auth-checks.js';
import { FALLBACK_LANG } from '../../../config.js';
import { mapToUsername } from '../../../interfaces/user.js';
import { AccountType } from '@dwengo-1/common/util/account-types';
import { fetchClass } from '../../../services/classes.js';
import { fetchGroup } from '../../../services/groups.js';
import { requireFields } from '../../../controllers/error-helper.js';
export const onlyAllowSubmitter = authorize(
(auth: AuthenticationInfo, req: AuthenticatedRequest) => (req.body as { submitter: string }).submitter === auth.username
@ -26,3 +29,17 @@ export const onlyAllowIfHasAccessToSubmission = authorize(async (auth: Authentic
return submission.onBehalfOf.members.map(mapToUsername).includes(auth.username);
});
export const onlyAllowIfHasAccessToSubmissionFromParams = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
const { classId, assignmentId, groupId } = req.params;
requireFields({ classId, assignmentId, groupId });
if (auth.accountType === AccountType.Teacher) {
const cls = await fetchClass(classId);
return cls.teachers.map(mapToUsername).includes(auth.username);
}
const group = await fetchGroup(classId, +assignmentId, +groupId);
return group.members.map(mapToUsername).includes(auth.username);
});

4
backend/src/routes/submissions.ts
View file

@ -1,10 +1,10 @@
import express from 'express';
import { createSubmissionHandler, deleteSubmissionHandler, getSubmissionHandler, getSubmissionsHandler } from '../controllers/submissions.js';
import { onlyAllowIfHasAccessToSubmission, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
import { onlyAllowIfHasAccessToSubmission, onlyAllowIfHasAccessToSubmissionFromParams, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
const router = express.Router({ mergeParams: true });
router.get('/', adminOnly, getSubmissionsHandler);
router.get('/', onlyAllowIfHasAccessToSubmissionFromParams, getSubmissionsHandler);
router.post('/', studentsOnly, onlyAllowSubmitter, createSubmissionHandler);