From c054eb9335a7dddce42e2ef51cff063a808b04ce Mon Sep 17 00:00:00 2001
From: Gabriellvl
Date: Fri, 9 May 2025 18:08:44 +0200
Subject: [PATCH] fix: teacher invitations middelware en questions
---
 .../src/middleware/auth/checks/class-auth-checks.ts | 11 +++++++++++
 backend/src/routes/answers.ts | 4 ++--
 backend/src/routes/classes.ts | 4 ++--
 backend/src/routes/questions.ts | 6 +++---
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/backend/src/middleware/auth/checks/class-auth-checks.ts b/backend/src/middleware/auth/checks/class-auth-checks.ts
index 7093b0d1..e85aaf3b 100644
--- a/backend/src/middleware/auth/checks/class-auth-checks.ts
+++ b/backend/src/middleware/auth/checks/class-auth-checks.ts
@@ -3,6 +3,7 @@ import { AuthenticationInfo } from '../authentication-info.js';
 import { AuthenticatedRequest } from '../authenticated-request.js';
 import { fetchClass } from '../../../services/classes.js';
 import { mapToUsername } from '../../../interfaces/user.js';
+import {getAllInvitations} from "../../../services/teacher-invitations";
 
 async function teaches(teacherUsername: string, classId: string): Promise {
     const clazz = await fetchClass(classId);
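Review bot: The added `import {getAllInvitations} from "../../../services/teacher-invitations";` omits the `.js` extension that every other relative import in this file carries; if the project resolves modules as ESM/NodeNext (which those `.js` suffixes suggest), this import fails to resolve at runtime even though it type-checks. It should read `import { getAllInvitations } from '../../../services/teacher-invitations.js';`, which also restores the file's single-quote and brace-spacing convention. The same `{a, b}` brace spacing appears in the import hunks of routes/answers.ts, routes/classes.ts and routes/questions.ts.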
@@ -44,6 +45,16 @@ export const onlyAllowIfInClass = authorize(async (auth: AuthenticationInfo, req
     return clazz.students.map(mapToUsername).includes(auth.username);
 });
 
+export const onlyAllowIfInClassOrInvited = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
+    const classId = req.params.classId ?? req.params.classid ?? req.params.id;
+    const clazz = await fetchClass(classId);
+    if (auth.accountType === 'teacher') {
+        const invitations = await getAllInvitations(auth.username, false);
+        return clazz.teachers.map(mapToUsername).includes(auth.username) || invitations.some(invitation => invitation.classId == classId);
+    }
+    return clazz.students.map(mapToUsername).includes(auth.username);
+});
+
 /**
  * Only allows the request to pass if the 'class' property in its body is a class the current user is a member of.
  */
diff --git a/backend/src/routes/answers.ts b/backend/src/routes/answers.ts
index e0cf5b17..0944095f 100644
--- a/backend/src/routes/answers.ts
+++ b/backend/src/routes/answers.ts
@@ -1,11 +1,11 @@
 import express from 'express';
 import { createAnswerHandler, deleteAnswerHandler, getAnswerHandler, getAllAnswersHandler, updateAnswerHandler } from '../controllers/answers.js';
-import { adminOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+import {adminOnly, authenticatedOnly, teachersOnly} from '../middleware/auth/checks/auth-checks.js';
 import { onlyAllowAuthor, onlyAllowAuthorRequestAnswer, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';
 
 const router = express.Router({ mergeParams: true });
 
-router.get('/', adminOnly, getAllAnswersHandler);
+router.get('/', authenticatedOnly, getAllAnswersHandler);
 
 router.post('/', teachersOnly, onlyAllowAuthor, createAnswerHandler);
diff --git a/backend/src/routes/classes.ts b/backend/src/routes/classes.ts
index 4b272971..7602abd5 100644
--- a/backend/src/routes/classes.ts
+++ b/backend/src/routes/classes.ts
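Review bot: `invitation.classId == classId` in onlyAllowIfInClassOrInvited uses loose equality on an authorization decision; classId comes from req.params as a string, so write `invitation.classId === classId` and let a type mismatch fail closed instead of coercing. What `getAllInvitations(auth.username, false)` returns is not visible here — if the `false` argument does not exclude declined or expired invitations, a teacher keeps class access after declining, so that should be confirmed against the service. The new export also lacks the `/** ... */` header its siblings in this file carry; a suitable one is `/** Only allows the request to pass if the current user is a member of the class in the route params, or a teacher holding an invitation (per getAllInvitations) to that class. */`.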
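Review bot: `router.get('/', authenticatedOnly, getAllAnswersHandler)` widens the list endpoint from admins to every authenticated user, and nothing in this hunk scopes the result to answers the caller may see, so unless getAllAnswersHandler filters by the caller's access this exposes every answer to any logged-in account. The same widening is made for questions in the routes/questions.ts hunk (`router.get('/', authenticatedOnly, getAllQuestionsHandler)`). If this router is mounted under a question (the `mergeParams: true` suggests it), the already-imported onlyAllowIfHasAccessToQuestion looks like the right guard: `router.get('/', authenticatedOnly, onlyAllowIfHasAccessToQuestion, getAllAnswersHandler);`; if the handler filters per caller instead, a route comment saying so would make that reviewable. The rest of the router is outside the hunk.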
@@ -15,7 +15,7 @@ import {
 } from '../controllers/classes.js';
 import assignmentRouter from './assignments.js';
 import { adminOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
-import { onlyAllowIfInClass } from '../middleware/auth/checks/class-auth-checks.js';
+import {onlyAllowIfInClass, onlyAllowIfInClassOrInvited} from '../middleware/auth/checks/class-auth-checks.js';
 
 const router = express.Router();
 
@@ -23,7 +23,7 @@ router.get('/', adminOnly, getAllClassesHandler);
 
 router.post('/', teachersOnly, createClassHandler);
 
-router.get('/:id', onlyAllowIfInClass, getClassHandler);
+router.get('/:id', onlyAllowIfInClassOrInvited, getClassHandler);
 
 router.put('/:id', teachersOnly, onlyAllowIfInClass, putClassHandler);
 
diff --git a/backend/src/routes/questions.ts b/backend/src/routes/questions.ts
index 76ec4eaa..c4ffa442 100644
--- a/backend/src/routes/questions.ts
+++ b/backend/src/routes/questions.ts
@@ -1,7 +1,7 @@
 import express from 'express';
 import { createQuestionHandler, deleteQuestionHandler, getAllQuestionsHandler, getQuestionHandler } from '../controllers/questions.js';
 import answerRoutes from './answers.js';
-import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
+import {adminOnly, authenticatedOnly, studentsOnly} from '../middleware/auth/checks/auth-checks.js';
 import { updateAnswerHandler } from '../controllers/answers.js';
 import { onlyAllowAuthor, onlyAllowAuthorRequest, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';
 
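Review bot: `router.get('/:id', onlyAllowIfInClassOrInvited, getClassHandler)` hands the full class object to a teacher who has only been invited, while the put route below keeps onlyAllowIfInClass; if getClassHandler returns the student roster or other member details, an invitee who has not joined can read membership data. Either confirm the handler's response is limited for non-members or have it return a reduced view when the caller is an invitee. A route comment such as `// invited teachers may read the class before joining; writes still require membership` would record why the two guards differ.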
@@ -10,9 +10,9 @@ const router = express.Router({ mergeParams: true });
 
 // Query language
 // Root endpoint used to search objects
-router.get('/', adminOnly, getAllQuestionsHandler);
+router.get('/', authenticatedOnly, getAllQuestionsHandler);
 
-router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler);
+router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler); // TODO part of group
 
 // Information about a question with id
 router.get('/:seq', onlyAllowIfHasAccessToQuestion, getQuestionHandler);
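Review bot: The `// TODO part of group` trailer added to `router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler);` does not say which check is missing, so a later reader cannot tell whether it marks an authorization gap or a feature wish. If it means the author must belong to the group the question is filed under, say so: `// TODO: also verify the author is a member of the question's group; until then group membership is not enforced here`. Stating the gap explicitly also makes it findable when the group checks are implemented.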