feat: class permissies geupdate

2025-04-22 15:37:22 +02:00 · 2025-04-22 15:37:22 +02:00 · 7c41c8e615
commit 7c41c8e615
parent 9102268be1
1 changed files with 8 additions and 9 deletions
--- a/backend/src/routes/classes.ts
+++ b/backend/src/routes/classes.ts
@ -19,31 +19,30 @@ import {onlyAllowIfInClass} from "../middleware/auth/checks/class-auth-checks";

 const router = express.Router();

-// Root endpoint used to search objects
 router.get('/', adminOnly, getAllClassesHandler);

 router.post('/', teachersOnly, createClassHandler);

-// Information about an class with id 'id'
 router.get('/:id', onlyAllowIfInClass, getClassHandler);

-router.put('/:id', putClassHandler);
+router.put('/:id', teachersOnly, onlyAllowIfInClass, putClassHandler);

-router.delete('/:id', deleteClassHandler);
+router.delete('/:id', teachersOnly, onlyAllowIfInClass, deleteClassHandler);

 router.get('/:id/teacher-invitations', teachersOnly, onlyAllowIfInClass, getTeacherInvitationsHandler);

 router.get('/:id/students', onlyAllowIfInClass, getClassStudentsHandler);

-router.post('/:id/students', addClassStudentHandler);
+router.post('/:id/students', teachersOnly, onlyAllowIfInClass, addClassStudentHandler);

-router.delete('/:id/students/:username', deleteClassStudentHandler);
+router.delete('/:id/students/:username', teachersOnly, onlyAllowIfInClass, deleteClassStudentHandler);

-router.get('/:id/teachers', getClassTeachersHandler);
+router.get('/:id/teachers', onlyAllowIfInClass, getClassTeachersHandler);

-router.post('/:id/teachers', addClassTeacherHandler);
+// De combinatie van deze POST en DELETE endpoints kan lethal zijn
+router.post('/:id/teachers', teachersOnly, onlyAllowIfInClass, addClassTeacherHandler);

-router.delete('/:id/teachers/:username', deleteClassTeacherHandler);
+router.delete('/:id/teachers/:username', teachersOnly, onlyAllowIfInClass, deleteClassTeacherHandler);

 router.use('/:classid/assignments', assignmentRouter);