From 6fe20dc2fed920a81eebf85e0b7f7e4575457d35 Mon Sep 17 00:00:00 2001 From: Adriaan Jacquet Date: Tue, 22 Apr 2025 14:21:25 +0200 Subject: [PATCH] fix: verboden om PUT request naar group te sturen met studenten die niet tot klas behoren --- backend/src/controllers/groups.ts | 6 +++++- backend/src/services/groups.ts | 27 ++++++++++++++++++++------- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/backend/src/controllers/groups.ts b/backend/src/controllers/groups.ts index 53bc96ec..2f755e21 100644 --- a/backend/src/controllers/groups.ts +++ b/backend/src/controllers/groups.ts @@ -35,7 +35,11 @@ export async function putGroupHandler(req: Request, res: Response): Promise>); + // only members field can be changed + const members = req.body.members; + requireFields({ members }); + + const group = await putGroup(classId, assignmentId, groupId, { members } as Partial); res.json({ group }); } diff --git a/backend/src/services/groups.ts b/backend/src/services/groups.ts index 1a957772..1b98b4f3 100644 --- a/backend/src/services/groups.ts +++ b/backend/src/services/groups.ts @@ -11,6 +11,14 @@ import { putObject } from './service-helper.js'; import { fetchStudents } from './students.js'; import { fetchClass } from './classes.js'; import { BadRequestException } from '../exceptions/bad-request-exception.js'; +import { Student } from '../entities/users/student.entity.js'; +import { Class } from '../entities/classes/class.entity.js'; + +async function assertMembersInClass(members: Student[], cls: Class): Promise { + if (!members.every(student => cls.students.contains(student))) { + throw new BadRequestException("Student does not belong to class"); + } +} export async function fetchGroup(classId: string, assignmentNumber: number, groupNumber: number): Promise { const assignment = await fetchAssignment(classId, assignmentNumber); 
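Review bot: In `putGroupHandler` (backend/src/controllers/groups.ts), `req.body.members` is only checked for presence by `requireFields({ members })` and is then passed on behind a type assertion, so its runtime shape is never verified. `putGroup` in backend/src/services/groups.ts repeats this with `groupData.members as string[]` before calling `fetchStudents`, so a string, object or mixed array sent by a client reaches the student lookup unchecked. A guard before the service call would close this, e.g. `if (!Array.isArray(members) || !members.every((m) => typeof m === 'string')) throw new BadRequestException('members must be an array of usernames');`, assuming `BadRequestException` is importable in the controller. The start of this hunk, including the removed line, is truncated in this rendering, and the handler body begins outside the visible lines.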
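Review bot: `assertMembersInClass` in backend/src/services/groups.ts is declared `async` but awaits nothing, so a call site that forgets `await` gets a rejected promise instead of a thrown exception, and the class-membership check would silently stop blocking the request. Because the body is synchronous, a plain `function assertMembersInClass(members: Student[], cls: Class): void` is safer, and the existing `await` at the call sites remains harmless. The check also relies on `cls.students.contains(...)`, which presumably requires `fetchClass` to have loaded the `students` collection; that is not visible in this hunk and is worth confirming. A one-line doc comment stating that it throws `BadRequestException` when any member is not in the class would help callers.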
@@ -34,11 +42,19 @@ export async function putGroup(
 classId: string,
 assignmentNumber: number,
 groupNumber: number,
- groupData: Partial>
+ groupData: Partial,
 ): Promise {
 const group = await fetchGroup(classId, assignmentNumber, groupNumber);
- await putObject(group, groupData, getGroupRepository());
+ const memberUsernames = groupData.members as string[];
+ const members = await fetchStudents(memberUsernames);
+
+ const cls = await fetchClass(classId);
+ await assertMembersInClass(members, cls);
+
+ const groupRepository = getGroupRepository();
+ groupRepository.assign(group, { members } as Partial>);
+ await groupRepository.getEntityManager().persistAndFlush(group);
 return mapToGroupDTO(group, group.assignment.within);
 }
@@ -62,14 +78,11 @@ export async function getExistingGroupFromGroupDTO(groupData: GroupDTO): Promise
 }
 export async function createGroup(groupData: GroupDTO, classid: string, assignmentNumber: number): Promise {
- const cls = await fetchClass(classid);
-
 const memberUsernames = (groupData.members as string[]) || [];
 const members = await fetchStudents(memberUsernames);
- if (!members.every(student => cls.students.contains(student))) {
- throw new BadRequestException("It is not allowed to add a student to a group when the student is not part of the class");
- }
+ const cls = await fetchClass(classid);
+ await assertMembersInClass(members, cls)
 const assignment = await fetchAssignment(classid, assignmentNumber);
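Review bot: `putGroup` now applies only `members` and silently drops every other field in `groupData`, yet its parameter still accepts a partial group DTO and nothing on the function documents the restriction. A doc comment would make the contract explicit, e.g. `/** Replaces the group's members; other fields in groupData are ignored. Throws BadRequestException if a member is not in the class. */`, or the parameter could be narrowed to the members field alone. If `putObject` has no other use in this file, its import (visible as context in the first hunk) can be removed. The opening line of `putGroup` appears only in the hunk header, not in the hunk body.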
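Review bot: The added call in `createGroup` lacks its terminating semicolon, unlike the other statements in this patch; it should read `await assertMembersInClass(members, cls);`. Moving `fetchClass` below `fetchStudents` also changes which lookup fails first when a request names both an unknown class and an unknown student, if both helpers throw on a missing entity, which may affect tests that assert on the error. `createGroup` continues past the end of the hunk.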