feat(backend): Endpoints van assignments en groepen beschermd.

2025-04-08 16:58:14 +02:00 · 2025-04-08 16:58:14 +02:00 · bc2cd145ab
commit bc2cd145ab
parent a1ce8a209c
11 changed files with 111 additions and 38 deletions
--- a/backend/src/routes/assignments.ts
+++ b/backend/src/routes/assignments.ts
@ -6,20 +6,23 @@ import {
    getAssignmentsSubmissionsHandler,
 } from '../controllers/assignments.js';
 import groupRouter from './groups.js';
+import {adminOnly, teachersOnly} from "../middleware/auth/checks/auth-checks";
+import {onlyAllowOwnClassInBody} from "../middleware/auth/checks/class-auth-checks";
+import {onlyAllowIfHasAccessToAssignment} from "../middleware/auth/checks/assignment-auth-checks";

 const router = express.Router({ mergeParams: true });

 // Root endpoint used to search objects
-router.get('/', getAllAssignmentsHandler);
+router.get('/', adminOnly, getAllAssignmentsHandler);

-router.post('/', createAssignmentHandler);
+router.post('/', teachersOnly, onlyAllowOwnClassInBody, createAssignmentHandler);

 // Information about an assignment with id 'id'
-router.get('/:id', getAssignmentHandler);
+router.get('/:id', onlyAllowIfHasAccessToAssignment, getAssignmentHandler);

-router.get('/:id/submissions', getAssignmentsSubmissionsHandler);
+router.get('/:id/submissions', onlyAllowIfHasAccessToAssignment, getAssignmentsSubmissionsHandler);

-router.get('/:id/questions', (_req, res) => {
+router.get('/:id/questions', onlyAllowIfHasAccessToAssignment, (_req, res) => {
    res.json({
        questions: ['0'],
    });
--- a/backend/src/routes/classes.ts
+++ b/backend/src/routes/classes.ts
@ -8,7 +8,7 @@ import {
 } from '../controllers/classes.js';
 import assignmentRouter from './assignments.js';
 import {adminOnly, teachersOnly} from "../middleware/auth/checks/auth-checks";
-import {onlyAllowIfInClass, onlyAllowIfTeacherInClass} from "../middleware/auth/checks/class-auth-checks";
+import {onlyAllowIfInClass} from "../middleware/auth/checks/class-auth-checks";

 const router = express.Router();

@ -20,7 +20,7 @@ router.post('/', teachersOnly, createClassHandler);
 // Information about an class with id 'id'
 router.get('/:id', onlyAllowIfInClass, getClassHandler);

-router.get('/:id/teacher-invitations', onlyAllowIfTeacherInClass, getTeacherInvitationsHandler);
+router.get('/:id/teacher-invitations', teachersOnly, onlyAllowIfInClass, getTeacherInvitationsHandler);

 router.get('/:id/students', onlyAllowIfInClass, getClassStudentsHandler);

--- a/backend/src/routes/groups.ts
+++ b/backend/src/routes/groups.ts
@ -1,5 +1,6 @@
 import express from 'express';
 import { createGroupHandler, getAllGroupsHandler, getGroupHandler, getGroupSubmissionsHandler } from '../controllers/groups.js';
+import {onlyAllowIfHasAccessToGroup} from "../middleware/auth/checks/group-auth-checker";

 const router = express.Router({ mergeParams: true });

@ -9,12 +10,12 @@ router.get('/', getAllGroupsHandler);
 router.post('/', createGroupHandler);

 // Information about a group (members, ... [TODO DOC])
-router.get('/:groupid', getGroupHandler);
+router.get('/:groupid', onlyAllowIfHasAccessToGroup, getGroupHandler);

-router.get('/:groupid/submissions', getGroupSubmissionsHandler);
+router.get('/:groupid/submissions', onlyAllowIfHasAccessToGroup, getGroupSubmissionsHandler);

 // The list of questions a group has made
-router.get('/:id/questions', (_req, res) => {
+router.get('/:groupid/questions', onlyAllowIfHasAccessToGroup, (_req, res) => {
    res.json({
        questions: ['0'],
    });
--- a/backend/src/routes/students.ts
+++ b/backend/src/routes/students.ts
@ -20,7 +20,7 @@ const router = express.Router();
 router.get('/', adminOnly, getAllStudentsHandler);

 // Users will be created automatically when some resource is created for them. Therefore, this endpoint
-// can only be used by an administrator.
+// Can only be used by an administrator.
 router.post('/', adminOnly, createStudentHandler);

 router.delete('/:username', onlyAllowUserHimself, deleteStudentHandler);