Merge branch 'dev' into feat/endpoints-in-backend-om-eigen-leerpaden-en-leerobjecten-toe-te-voegen-aan-de-databank-#248

2025-05-16 10:57:17 +02:00 · 2025-05-16 10:57:17 +02:00 · f05994fa5e
commit f05994fa5e
parent 28ab930f3a 4d411e7d20
70 changed files with 904 additions and 357 deletions
--- a/backend/src/routes/answers.ts
+++ b/backend/src/routes/answers.ts
@ -1,16 +1,18 @@
 import express from 'express';
 import { createAnswerHandler, deleteAnswerHandler, getAnswerHandler, getAllAnswersHandler, updateAnswerHandler } from '../controllers/answers.js';
+import { authenticatedOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+import { onlyAllowAuthor, onlyAllowAuthorRequestAnswer, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';

 const router = express.Router({ mergeParams: true });

-router.get('/', getAllAnswersHandler);
+router.get('/', authenticatedOnly, getAllAnswersHandler);

-router.post('/', createAnswerHandler);
+router.post('/', teachersOnly, onlyAllowAuthor, createAnswerHandler);

-router.get('/:seqAnswer', getAnswerHandler);
+router.get('/:seqAnswer', onlyAllowIfHasAccessToQuestion, getAnswerHandler);

-router.delete('/:seqAnswer', deleteAnswerHandler);
+router.delete('/:seqAnswer', teachersOnly, onlyAllowAuthorRequestAnswer, deleteAnswerHandler);

-router.put('/:seqAnswer', updateAnswerHandler);
+router.put('/:seqAnswer', teachersOnly, onlyAllowAuthorRequestAnswer, updateAnswerHandler);

 export default router;
--- a/backend/src/routes/assignments.ts
+++ b/backend/src/routes/assignments.ts
@ -9,22 +9,25 @@ import {
    putAssignmentHandler,
 } from '../controllers/assignments.js';
 import groupRouter from './groups.js';
+import { teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+import { onlyAllowIfInClass } from '../middleware/auth/checks/class-auth-checks.js';
+import { onlyAllowIfHasAccessToAssignment } from '../middleware/auth/checks/assignment-auth-checks.js';

 const router = express.Router({ mergeParams: true });

-router.get('/', getAllAssignmentsHandler);
+router.get('/', teachersOnly, onlyAllowIfInClass, getAllAssignmentsHandler);

-router.post('/', createAssignmentHandler);
+router.post('/', teachersOnly, onlyAllowIfInClass, createAssignmentHandler);

-router.get('/:id', getAssignmentHandler);
+router.get('/:id', onlyAllowIfHasAccessToAssignment, getAssignmentHandler);

-router.put('/:id', putAssignmentHandler);
+router.put('/:id', teachersOnly, onlyAllowIfHasAccessToAssignment, putAssignmentHandler);

-router.delete('/:id', deleteAssignmentHandler);
+router.delete('/:id', teachersOnly, onlyAllowIfHasAccessToAssignment, deleteAssignmentHandler);

-router.get('/:id/submissions', getAssignmentsSubmissionsHandler);
+router.get('/:id/submissions', teachersOnly, onlyAllowIfHasAccessToAssignment, getAssignmentsSubmissionsHandler);

-router.get('/:id/questions', getAssignmentQuestionsHandler);
+router.get('/:id/questions', teachersOnly, onlyAllowIfHasAccessToAssignment, getAssignmentQuestionsHandler);

 router.use('/:assignmentid/groups', groupRouter);

--- a/backend/src/routes/auth.ts
+++ b/backend/src/routes/auth.ts
@ -1,28 +1,35 @@
 import express from 'express';
-import { getFrontendAuthConfig, postHelloHandler } from '../controllers/auth.js';
-import { authenticatedOnly, studentsOnly, teachersOnly } from '../middleware/auth/auth.js';
+import { handleGetFrontendAuthConfig, postHelloHandler } from '../controllers/auth.js';
+import { authenticatedOnly, studentsOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+
 const router = express.Router();

 // Returns auth configuration for frontend
-router.get('/config', (_req, res) => {
-    res.json(getFrontendAuthConfig());
-});
+router.get('/config', handleGetFrontendAuthConfig);

 router.get('/testAuthenticatedOnly', authenticatedOnly, (_req, res) => {
-    /* #swagger.security = [{ "student": [ ] }, { "teacher": [ ] }] */
+    /* #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
    res.json({ message: 'If you see this, you should be authenticated!' });
 });

 router.get('/testStudentsOnly', studentsOnly, (_req, res) => {
-    /* #swagger.security = [{ "student": [ ] }] */
+    /* #swagger.security = [{ "studentProduction": [ ] }, { "studentStaging": [ ] }, { "studentDev": [ ] }] */
    res.json({ message: 'If you see this, you should be a student!' });
 });

 router.get('/testTeachersOnly', teachersOnly, (_req, res) => {
-    /* #swagger.security = [{ "teacher": [ ] }] */
+    /* #swagger.security = [{ "teacherProduction": [ ] }, { "teacherStaging": [ ] }, { "teacherDev": [ ] }] */
    res.json({ message: 'If you see this, you should be a teacher!' });
 });

-router.post('/hello', authenticatedOnly, postHelloHandler);
+// This endpoint is called by the client when the user has just logged in.
+// It creates or updates the user entity based on the authentication data the endpoint was called with.
+router.post(
+    '/hello',
+    authenticatedOnly,
+    /*
+    #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }]
+*/ postHelloHandler
+);

 export default router;
--- a/backend/src/routes/classes.ts
+++ b/backend/src/routes/classes.ts
@ -14,33 +14,35 @@ import {
    putClassHandler,
 } from '../controllers/classes.js';
 import assignmentRouter from './assignments.js';
+import { adminOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+import { onlyAllowIfInClass, onlyAllowIfInClassOrInvited } from '../middleware/auth/checks/class-auth-checks.js';

 const router = express.Router();

-// Root endpoint used to search objects
-router.get('/', getAllClassesHandler);
+router.get('/', adminOnly, getAllClassesHandler);

-router.post('/', createClassHandler);
+router.post('/', teachersOnly, createClassHandler);

-router.get('/:id', getClassHandler);
+router.get('/:id', onlyAllowIfInClassOrInvited, getClassHandler);

-router.put('/:id', putClassHandler);
+router.put('/:id', teachersOnly, onlyAllowIfInClass, putClassHandler);

-router.delete('/:id', deleteClassHandler);
+router.delete('/:id', teachersOnly, onlyAllowIfInClass, deleteClassHandler);

-router.get('/:id/teacher-invitations', getTeacherInvitationsHandler);
+router.get('/:id/teacher-invitations', teachersOnly, onlyAllowIfInClass, getTeacherInvitationsHandler);

-router.get('/:id/students', getClassStudentsHandler);
+router.get('/:id/students', onlyAllowIfInClass, getClassStudentsHandler);

-router.post('/:id/students', addClassStudentHandler);
+router.post('/:id/students', teachersOnly, onlyAllowIfInClass, addClassStudentHandler);

-router.delete('/:id/students/:username', deleteClassStudentHandler);
+router.delete('/:id/students/:username', teachersOnly, onlyAllowIfInClass, deleteClassStudentHandler);

-router.get('/:id/teachers', getClassTeachersHandler);
+router.get('/:id/teachers', onlyAllowIfInClass, getClassTeachersHandler);

-router.post('/:id/teachers', addClassTeacherHandler);
+// De combinatie van deze POST en DELETE endpoints kan lethal zijn
+router.post('/:id/teachers', teachersOnly, onlyAllowIfInClass, addClassTeacherHandler);

-router.delete('/:id/teachers/:username', deleteClassTeacherHandler);
+router.delete('/:id/teachers/:username', teachersOnly, onlyAllowIfInClass, deleteClassTeacherHandler);

 router.use('/:classid/assignments', assignmentRouter);

--- a/backend/src/routes/groups.ts
+++ b/backend/src/routes/groups.ts
@ -8,22 +8,24 @@ import {
    getGroupSubmissionsHandler,
    putGroupHandler,
 } from '../controllers/groups.js';
+import { onlyAllowIfHasAccessToGroup } from '../middleware/auth/checks/group-auth-checker.js';
+import { teachersOnly } from '../middleware/auth/checks/auth-checks.js';
+import { onlyAllowIfHasAccessToAssignment } from '../middleware/auth/checks/assignment-auth-checks.js';

 const router = express.Router({ mergeParams: true });

-// Root endpoint used to search objects
-router.get('/', getAllGroupsHandler);
+router.get('/', onlyAllowIfHasAccessToAssignment, getAllGroupsHandler);

-router.post('/', createGroupHandler);
+router.post('/', teachersOnly, onlyAllowIfHasAccessToAssignment, createGroupHandler);

-router.get('/:groupid', getGroupHandler);
+router.get('/:groupid', onlyAllowIfHasAccessToAssignment, getGroupHandler);

-router.put('/:groupid', putGroupHandler);
+router.put('/:groupid', teachersOnly, onlyAllowIfHasAccessToAssignment, putGroupHandler);

-router.delete('/:groupid', deleteGroupHandler);
+router.delete('/:groupid', teachersOnly, onlyAllowIfHasAccessToAssignment, deleteGroupHandler);

-router.get('/:groupid/submissions', getGroupSubmissionsHandler);
+router.get('/:groupid/submissions', onlyAllowIfHasAccessToGroup, getGroupSubmissionsHandler);

-router.get('/:groupid/questions', getGroupQuestionsHandler);
+router.get('/:groupid/questions', onlyAllowIfHasAccessToGroup, getGroupQuestionsHandler);

 export default router;
--- a/backend/src/routes/learning-objects.ts
+++ b/backend/src/routes/learning-objects.ts
@ -7,12 +7,11 @@ import {
    handleDeleteLearningObject,
    handlePostLearningObject,
 } from '../controllers/learning-objects.js';
-
 import submissionRoutes from './submissions.js';
 import questionRoutes from './questions.js';
 import fileUpload from 'express-fileupload';
-import { teachersOnly } from '../middleware/auth/auth.js';
 import { onlyAdminsForLearningObject } from '../middleware/auth/checks/learning-object-auth-checks.js';
+import { authenticatedOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';

 const router = express.Router();

@ -26,7 +25,7 @@ const router = express.Router();

 // Route 2: list of object data
 // Example 2: http://localhost:3000/learningObject?full=true&hruid=un_artificiele_intelligentie
-router.get('/', getAllLearningObjects);
+router.get('/', authenticatedOnly, getAllLearningObjects);

 router.post('/', teachersOnly, fileUpload({ useTempFiles: true }), handlePostLearningObject);

@ -34,7 +33,7 @@ router.post('/', teachersOnly, fileUpload({ useTempFiles: true }), handlePostLea
 // Query: language
 // Route to fetch data of one learning object based on its hruid
 // Example: http://localhost:3000/learningObject/un_ai7
-router.get('/:hruid', getLearningObject);
+router.get('/:hruid', authenticatedOnly, getLearningObject);

 // Parameter: hruid of learning object
 // Query: language
@ -50,12 +49,12 @@ router.use('/:hruid/:version/questions', questionRoutes);
 // Query: language, version (optional)
 // Route to fetch the HTML rendering of one learning object based on its hruid.
 // Example: http://localhost:3000/learningObject/un_ai7/html
-router.get('/:hruid/html', getLearningObjectHTML);
+router.get('/:hruid/html', authenticatedOnly, getLearningObjectHTML);

 // Parameter: hruid of learning object, name of attachment.
 // Query: language, version (optional).
 // Route to get the raw data of the attachment for one learning object based on its hruid.
 // Example: http://localhost:3000/learningObject/u_test/attachment/testimage.png
-router.get('/:hruid/html/:attachmentName', getAttachment);
+router.get('/:hruid/html/:attachmentName', authenticatedOnly, getAttachment);

 export default router;
--- a/backend/src/routes/learning-paths.ts
+++ b/backend/src/routes/learning-paths.ts
@ -1,6 +1,6 @@
 import express from 'express';
+import { authenticatedOnly, teachersOnly } from '../middleware/auth/checks/auth-checks.js';
 import { deleteLearningPath, getLearningPaths, postLearningPath, putLearningPath } from '../controllers/learning-paths.js';
-import { teachersOnly } from '../middleware/auth/auth.js';
 import { onlyAdminsForLearningPath } from '../middleware/auth/checks/learning-path-auth-checks.js';

 const router = express.Router();
@ -24,7 +24,7 @@ const router = express.Router();
 // Route to fetch learning paths based on a theme
 // Example: http://localhost:3000/learningPath?theme=kiks

-router.get('/', getLearningPaths);
+router.get('/', authenticatedOnly, getLearningPaths);
 router.post('/', teachersOnly, postLearningPath);

 router.put('/:hruid/:language', onlyAdminsForLearningPath, putLearningPath);
--- a/backend/src/routes/questions.ts
+++ b/backend/src/routes/questions.ts
@ -1,20 +1,25 @@
 import express from 'express';
 import { createQuestionHandler, deleteQuestionHandler, getAllQuestionsHandler, getQuestionHandler } from '../controllers/questions.js';
 import answerRoutes from './answers.js';
+import { authenticatedOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
+import { updateAnswerHandler } from '../controllers/answers.js';
+import { onlyAllowAuthor, onlyAllowAuthorRequest, onlyAllowIfHasAccessToQuestion } from '../middleware/auth/checks/question-checks.js';

 const router = express.Router({ mergeParams: true });

 // Query language

 // Root endpoint used to search objects
-router.get('/', getAllQuestionsHandler);
+router.get('/', authenticatedOnly, getAllQuestionsHandler);

-router.post('/', createQuestionHandler);
-
-router.delete('/:seq', deleteQuestionHandler);
+router.post('/', studentsOnly, onlyAllowAuthor, createQuestionHandler);

 // Information about a question with id
-router.get('/:seq', getQuestionHandler);
+router.get('/:seq', onlyAllowIfHasAccessToQuestion, getQuestionHandler);
+
+router.delete('/:seq', studentsOnly, onlyAllowAuthorRequest, deleteQuestionHandler);
+
+router.put('/:seq', studentsOnly, onlyAllowAuthorRequest, updateAnswerHandler);

 router.use('/:seq/answers', answerRoutes);

--- a/backend/src/routes/router.ts
+++ b/backend/src/routes/router.ts
@ -18,12 +18,30 @@ router.get('/', (_, res: Response) => {
    });
 });

-router.use('/student', studentRouter /* #swagger.tags = ['Student'] */);
-router.use('/teacher', teacherRouter /* #swagger.tags = ['Teacher'] */);
-router.use('/class', classRouter /* #swagger.tags = ['Class'] */);
 router.use('/auth', authRouter /* #swagger.tags = ['Auth'] */);
-router.use('/theme', themeRoutes /* #swagger.tags = ['Theme'] */);
-router.use('/learningPath', learningPathRoutes /* #swagger.tags = ['Learning Path'] */);
-router.use('/learningObject', learningObjectRoutes /* #swagger.tags = ['Learning Object'] */);
+router.use(
+    '/class',
+    classRouter /* #swagger.tags = ['Class'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);
+router.use(
+    '/learningObject',
+    learningObjectRoutes /* #swagger.tags = ['Learning Object'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);
+router.use(
+    '/learningPath',
+    learningPathRoutes /* #swagger.tags = ['Learning Path'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);
+router.use(
+    '/student',
+    studentRouter /* #swagger.tags = ['Student'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);
+router.use(
+    '/teacher',
+    teacherRouter /* #swagger.tags = ['Teacher'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);
+router.use(
+    '/theme',
+    themeRoutes /* #swagger.tags = ['Theme'], #swagger.security = [{ "studentProduction": [ ] }, { "teacherProduction": [ ] }, { "studentStaging": [ ] }, { "teacherStaging": [ ] }, { "studentDev": [ ] }, { "teacherDev": [ ] }] */
+);

 export default router;
--- a/backend/src/routes/student-join-requests.ts
+++ b/backend/src/routes/student-join-requests.ts
@ -5,15 +5,19 @@ import {
    getStudentRequestHandler,
    getStudentRequestsHandler,
 } from '../controllers/students.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
+import { onlyAllowStudentHimselfAndTeachersOfClass } from '../middleware/auth/checks/class-auth-checks.js';
+
+// Under /:username/joinRequests/

 const router = express.Router({ mergeParams: true });

-router.get('/', getStudentRequestsHandler);
+router.get('/', preventImpersonation, getStudentRequestsHandler);

-router.post('/', createStudentRequestHandler);
+router.post('/', preventImpersonation, createStudentRequestHandler);

-router.get('/:classId', getStudentRequestHandler);
+router.get('/:classId', onlyAllowStudentHimselfAndTeachersOfClass, getStudentRequestHandler);

-router.delete('/:classId', deleteClassJoinRequestHandler);
+router.delete('/:classId', onlyAllowStudentHimselfAndTeachersOfClass, deleteClassJoinRequestHandler);

 export default router;
--- a/backend/src/routes/students.ts
+++ b/backend/src/routes/students.ts
@ -11,33 +11,37 @@ import {
    getStudentSubmissionsHandler,
 } from '../controllers/students.js';
 import joinRequestRouter from './student-join-requests.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
+import { adminOnly } from '../middleware/auth/checks/auth-checks.js';

 const router = express.Router();

 // Root endpoint used to search objects
-router.get('/', getAllStudentsHandler);
+router.get('/', adminOnly, getAllStudentsHandler);

-router.post('/', createStudentHandler);
+// Users will be created automatically when some resource is created for them. Therefore, this endpoint
+// Can only be used by an administrator.
+router.post('/', adminOnly, createStudentHandler);

-router.delete('/:username', deleteStudentHandler);
+router.delete('/:username', preventImpersonation, deleteStudentHandler);

 // Information about a student's profile
-router.get('/:username', getStudentHandler);
+router.get('/:username', preventImpersonation, getStudentHandler);

 // The list of classes a student is in
-router.get('/:username/classes', getStudentClassesHandler);
+router.get('/:username/classes', preventImpersonation, getStudentClassesHandler);

 // The list of submissions a student has made
-router.get('/:username/submissions', getStudentSubmissionsHandler);
+router.get('/:username/submissions', preventImpersonation, getStudentSubmissionsHandler);

 // The list of assignments a student has
-router.get('/:username/assignments', getStudentAssignmentsHandler);
+router.get('/:username/assignments', preventImpersonation, getStudentAssignmentsHandler);

 // The list of groups a student is in
-router.get('/:username/groups', getStudentGroupsHandler);
+router.get('/:username/groups', preventImpersonation, getStudentGroupsHandler);

 // A list of questions a user has created
-router.get('/:username/questions', getStudentQuestionsHandler);
+router.get('/:username/questions', preventImpersonation, getStudentQuestionsHandler);

 router.use('/:username/joinRequests', joinRequestRouter);

--- a/backend/src/routes/submissions.ts
+++ b/backend/src/routes/submissions.ts
@ -1,15 +1,15 @@
 import express from 'express';
 import { createSubmissionHandler, deleteSubmissionHandler, getSubmissionHandler, getSubmissionsHandler } from '../controllers/submissions.js';
+import { onlyAllowIfHasAccessToSubmission, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
+import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
 const router = express.Router({ mergeParams: true });

-// Root endpoint used to search objects
-router.get('/', getSubmissionsHandler);
+router.get('/', adminOnly, getSubmissionsHandler);

-router.post('/', createSubmissionHandler);
+router.post('/', studentsOnly, onlyAllowSubmitter, createSubmissionHandler);

-// Information about an submission with id 'id'
-router.get('/:id', getSubmissionHandler);
+router.get('/:id', onlyAllowIfHasAccessToSubmission, getSubmissionHandler);

-router.delete('/:id', deleteSubmissionHandler);
+router.delete('/:id', onlyAllowIfHasAccessToSubmission, deleteSubmissionHandler);

 export default router;
--- a/backend/src/routes/teacher-invitations.ts
+++ b/backend/src/routes/teacher-invitations.ts
@ -6,17 +6,24 @@ import {
    getInvitationHandler,
    updateInvitationHandler,
 } from '../controllers/teacher-invitations.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
+import {
+    onlyAllowReceiverBody,
+    onlyAllowSender,
+    onlyAllowSenderBody,
+    onlyAllowSenderOrReceiver,
+} from '../middleware/auth/checks/teacher-invitation-checks.js';

 const router = express.Router({ mergeParams: true });

-router.get('/:username', getAllInvitationsHandler);
+router.get('/:username', preventImpersonation, getAllInvitationsHandler);

-router.get('/:sender/:receiver/:classId', getInvitationHandler);
+router.get('/:sender/:receiver/:classId', onlyAllowSenderOrReceiver, getInvitationHandler);

-router.post('/', createInvitationHandler);
+router.post('/', onlyAllowSenderBody, createInvitationHandler);

-router.put('/', updateInvitationHandler);
+router.put('/', onlyAllowReceiverBody, updateInvitationHandler);

-router.delete('/:sender/:receiver/:classId', deleteInvitationHandler);
+router.delete('/:sender/:receiver/:classId', onlyAllowSender, deleteInvitationHandler);

 export default router;
--- a/backend/src/routes/teachers.ts
+++ b/backend/src/routes/teachers.ts
@ -10,25 +10,27 @@ import {
    updateStudentJoinRequestHandler,
 } from '../controllers/teachers.js';
 import invitationRouter from './teacher-invitations.js';
-
+import { adminOnly } from '../middleware/auth/checks/auth-checks.js';
+import { preventImpersonation } from '../middleware/auth/checks/user-auth-checks.js';
+import { onlyAllowTeacherOfClass } from '../middleware/auth/checks/class-auth-checks.js';
 const router = express.Router();

 // Root endpoint used to search objects
-router.get('/', getAllTeachersHandler);
+router.get('/', adminOnly, getAllTeachersHandler);

-router.post('/', createTeacherHandler);
+router.post('/', adminOnly, createTeacherHandler);

-router.get('/:username', getTeacherHandler);
+router.get('/:username', preventImpersonation, getTeacherHandler);

-router.delete('/:username', deleteTeacherHandler);
+router.delete('/:username', preventImpersonation, deleteTeacherHandler);

-router.get('/:username/classes', getTeacherClassHandler);
+router.get('/:username/classes', preventImpersonation, getTeacherClassHandler);

-router.get('/:username/students', getTeacherStudentHandler);
+router.get('/:username/students', preventImpersonation, getTeacherStudentHandler);

-router.get('/:username/joinRequests/:classId', getStudentJoinRequestHandler);
+router.get('/:username/joinRequests/:classId', onlyAllowTeacherOfClass, getStudentJoinRequestHandler);

-router.put('/:username/joinRequests/:classId/:studentUsername', updateStudentJoinRequestHandler);
+router.put('/:username/joinRequests/:classId/:studentUsername', onlyAllowTeacherOfClass, updateStudentJoinRequestHandler);

 // Invitations to other classes a teacher received
 router.use('/invitations', invitationRouter);
--- a/backend/src/routes/themes.ts
+++ b/backend/src/routes/themes.ts
@ -1,14 +1,15 @@
 import express from 'express';
 import { getThemesHandler, getHruidsByThemeHandler } from '../controllers/themes.js';
+import { authenticatedOnly } from '../middleware/auth/checks/auth-checks.js';

 const router = express.Router();

 // Query: language
 //  Route to fetch list of {key, title, description, image} themes in their respective language
-router.get('/', getThemesHandler);
+router.get('/', authenticatedOnly, getThemesHandler);

 // Arg: theme (key)
 //  Route to fetch list of hruids based on theme
-router.get('/:theme', getHruidsByThemeHandler);
+router.get('/:theme', authenticatedOnly, getHruidsByThemeHandler);

 export default router;