fix: teacher invitations middelware en questions

Gabriellvl 2025-05-09 18:08:44 +02:00
parent e799705a09
commit c054eb9335
4 changed files with 18 additions and 7 deletions


@ -3,6 +3,7 @@ import { AuthenticationInfo } from '../authentication-info.js';
import { AuthenticatedRequest } from '../authenticated-request.js';
import { fetchClass } from '../../../services/classes.js';
import { mapToUsername } from '../../../interfaces/user.js';
import {getAllInvitations} from "../../../services/teacher-invitations";
async function teaches(teacherUsername: string, classId: string): Promise<boolean> {
const clazz = await fetchClass(classId);
@ -44,6 +45,16 @@ export const onlyAllowIfInClass = authorize(async (auth: AuthenticationInfo, req
return clazz.students.map(mapToUsername).includes(auth.username);
});
export const onlyAllowIfInClassOrInvited = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
const classId = req.params.classId ?? req.params.classid ?? req.params.id;
const clazz = await fetchClass(classId);
if (auth.accountType === 'teacher') {
const invitations = await getAllInvitations(auth.username, false);
return clazz.teachers.map(mapToUsername).includes(auth.username) || invitations.some(invitation => invitation.classId == classId);
}
return clazz.students.map(mapToUsername).includes(auth.username);
});
/**
* Only allows the request to pass if the 'class' property in its body is a class the current user is a member of.
*/
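Review bot: In `onlyAllowIfInClassOrInvited` the teacher branch treats any invitation returned by `getAllInvitations(auth.username, false)` as grounds for access, and nothing visible here restricts that to invitations that are still pending; if the service also returns declined or otherwise closed invitations, those teachers keep read access to the class. I would filter on the invitation's state before the `some(...)` call, or state in a doc comment on this export that the service already does so. The comparison should be strict, `invitation.classId === classId`, and the new import omits the `.js` suffix that every other import in this file carries, which may not resolve under the project's ES-module setup. The membership test could also run before the invitations are fetched, so that class members do not pay for the extra lookup.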


@ -1,11 +1,11 @@
import express from 'express';
import { createAnswerHandler, deleteAnswerHandler, getAnswerHandler, getAllAnswersHandler, updateAnswerHandler } from '../controllers/answers.js';
import { adminOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
import {adminOnly, authenticatedOnly, teachersOnly} from '../middleware/auth/checks/auth-checks.js';
import { onlyAllowAuthor, onlyAllowAuthorRequestAnswer, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';
const router = express.Router({ mergeParams: true });
router.get('/', adminOnly, getAllAnswersHandler);
router.get('/', authenticatedOnly, getAllAnswersHandler);
router.post('/', teachersOnly, onlyAllowAuthor, createAnswerHandler);
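Review bot: `router.get('/', authenticatedOnly, getAllAnswersHandler)` opens the answer listing from admins to every logged-in account, with no check that the caller may see the parent question. `onlyAllowIfHasAccessToQuestion` is already imported in this file; if it can read the question identifier from the merged params, `router.get('/', onlyAllowIfHasAccessToQuestion, getAllAnswersHandler);` would keep the listing scoped, otherwise the handler has to filter by caller. The same widening is made for `getAllQuestionsHandler` in the questions router of this commit. If `adminOnly` is no longer used in this file after the change, drop it from the import.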


@ -15,7 +15,7 @@ import {
} from '../controllers/classes.js';
import assignmentRouter from './assignments.js';
import { adminOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
import { onlyAllowIfInClass } from '../middleware/auth/checks/class-auth-checks.js';
import {onlyAllowIfInClass, onlyAllowIfInClassOrInvited} from '../middleware/auth/checks/class-auth-checks.js';
const router = express.Router();
@ -23,7 +23,7 @@ router.get('/', adminOnly, getAllClassesHandler);
router.post('/', teachersOnly, createClassHandler);
router.get('/:id', onlyAllowIfInClass, getClassHandler);
router.get('/:id', onlyAllowIfInClassOrInvited, getClassHandler);
router.put('/:id', teachersOnly, onlyAllowIfInClass, putClassHandler);
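Review bot: `router.get('/:id', onlyAllowIfInClassOrInvited, getClassHandler)` hands an invited teacher the same response a class member gets, since the handler is unchanged. If that response carries the student and teacher lists, an invitee who has not accepted yet can read them; consider returning a reduced view for non-members, or add a comment on the route stating that full visibility for invitees is intended.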


@ -1,7 +1,7 @@
import express from 'express';
import { createQuestionHandler, deleteQuestionHandler, getAllQuestionsHandler, getQuestionHandler } from '../controllers/questions.js';
import answerRoutes from './answers.js';
import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
import {adminOnly, authenticatedOnly, studentsOnly} from '../middleware/auth/checks/auth-checks.js';
import { updateAnswerHandler } from '../controllers/answers.js';
import { onlyAllowAuthor, onlyAllowAuthorRequest, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';
@ -10,9 +10,9 @@ const router = express.Router({ mergeParams: true });
// Query language
// Root endpoint used to search objects
router.get('/', adminOnly, getAllQuestionsHandler);
router.get('/', authenticatedOnly, getAllQuestionsHandler);
router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler);
router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler); // TODO part of group
// Information about a question with id
router.get('/:seq', onlyAllowIfHasAccessToQuestion, getQuestionHandler);