tdpeuter/2025SELab2-project-Dwengo
tdpeuter/2025SELab2-project-Dwengo
1
Fork 0
Code Issues Releases 4 Packages 2 Wiki Activity

fix: verboden om PUT request naar group te sturen met studenten die niet tot klas behoren

Browse source
This commit is contained in:
Adriaan Jacquet 2025-04-22 14:21:25 +02:00
parent f1e9e3a8d6
commit 6fe20dc2fe
2 changed files with 25 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

6
backend/src/controllers/groups.ts
View file

@ -35,7 +35,11 @@ export async function putGroupHandler(req: Request, res: Response): Promise<void
const groupId = parseInt(req.params.groupid);
checkGroupFields(classId, assignmentId, groupId);
const group = await putGroup(classId, assignmentId, groupId, req.body as Partial<EntityDTO<Group>>);
// only members field can be changed
const members = req.body.members;
requireFields({ members });
const group = await putGroup(classId, assignmentId, groupId, { members } as Partial<GroupDTO>);
res.json({ group });
}

27
backend/src/services/groups.ts
View file

@ -11,6 +11,14 @@ import { putObject } from './service-helper.js';
import { fetchStudents } from './students.js';
import { fetchClass } from './classes.js';
import { BadRequestException } from '../exceptions/bad-request-exception.js';
import { Student } from '../entities/users/student.entity.js';
import { Class } from '../entities/classes/class.entity.js';
async function assertMembersInClass(members: Student[], cls: Class): Promise<void> {
if (!members.every(student => cls.students.contains(student))) {
throw new BadRequestException("Student does not belong to class");
}
}
export async function fetchGroup(classId: string, assignmentNumber: number, groupNumber: number): Promise<Group> {
const assignment = await fetchAssignment(classId, assignmentNumber);
@ -34,11 +42,19 @@ export async function putGroup(
classId: string,
assignmentNumber: number,
groupNumber: number,
groupData: Partial<EntityDTO<Group>>
groupData: Partial<GroupDTO>,
): Promise<GroupDTO> {
const group = await fetchGroup(classId, assignmentNumber, groupNumber);
await putObject<Group>(group, groupData, getGroupRepository());
const memberUsernames = groupData.members as string[];
const members = await fetchStudents(memberUsernames);
const cls = await fetchClass(classId);
await assertMembersInClass(members, cls);
const groupRepository = getGroupRepository();
groupRepository.assign(group, { members } as Partial<EntityDTO<Group>>);
await groupRepository.getEntityManager().persistAndFlush(group);
return mapToGroupDTO(group, group.assignment.within);
}
@ -62,14 +78,11 @@ export async function getExistingGroupFromGroupDTO(groupData: GroupDTO): Promise
}
export async function createGroup(groupData: GroupDTO, classid: string, assignmentNumber: number): Promise<GroupDTO> {
const cls = await fetchClass(classid);
const memberUsernames = (groupData.members as string[]) || [];
const members = await fetchStudents(memberUsernames);
if (!members.every(student => cls.students.contains(student))) {
throw new BadRequestException("It is not allowed to add a student to a group when the student is not part of the class");
}
const cls = await fetchClass(classid);
await assertMembersInClass(members, cls)
const assignment = await fetchAssignment(classid, assignmentNumber);