From f671341bad962c3f59a3cbaae2f54aa89bfb9af3 Mon Sep 17 00:00:00 2001
From: Gabriellvl
Date: Fri, 18 Apr 2025 22:33:22 +0200
Subject: [PATCH] feat: teacher invitation middelware + extra error catchings
---
 .../src/controllers/teacher-invitations.ts | 5 ++++
 .../auth/checks/teacher-invitation-checks.ts | 23 +++++++++++++++++++
 backend/src/routes/teacher-invitations.ts | 16 +++++++++----
 backend/src/services/teacher-invitations.ts | 4 ++++
 4 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 backend/src/middleware/auth/checks/teacher-invitation-checks.ts
diff --git a/backend/src/controllers/teacher-invitations.ts b/backend/src/controllers/teacher-invitations.ts
index 4956f3e2..c69415ec 100644
--- a/backend/src/controllers/teacher-invitations.ts
+++ b/backend/src/controllers/teacher-invitations.ts
@@ -2,6 +2,7 @@ import { Request, Response } from 'express';
 import { requireFields } from './error-helper';
 import { createInvitation, deleteInvitation, getAllInvitations, getInvitation, updateInvitation } from '../services/teacher-invitations';
 import { TeacherInvitationData } from '@dwengo-1/common/interfaces/teacher-invitation';
+import {ConflictException} from "../exceptions/conflict-exception";
 export async function getAllInvitationsHandler(req: Request, res: Response): Promise {
 const username = req.params.username;
@@ -30,6 +31,10 @@ export async function createInvitationHandler(req: Request, res: Response): Prom
 const classId = req.body.class;
 requireFields({ sender, receiver, classId });
+ if (sender === receiver){
+ throw new ConflictException("Cannot send an invitation to yourself");
+ }
+
 const data = req.body as TeacherInvitationData;
 const invitation = await createInvitation(data);
diff --git a/backend/src/middleware/auth/checks/teacher-invitation-checks.ts b/backend/src/middleware/auth/checks/teacher-invitation-checks.ts
new file mode 100644
index 00000000..6ebc8512
--- /dev/null
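Review bot: The self-invitation guard in `createInvitationHandler` compares the raw body values with `sender === receiver`, so it only holds if usernames are matched exactly as sent everywhere downstream. If the lookups inside `createInvitation` normalise case or whitespace (not visible in this hunk), two spellings of the same username would pass this check and still resolve to one teacher; comparing the resolved teacher entities in the service, or normalising both values before the comparison, would close that gap. A short comment such as `// sender and receiver are compared as sent; usernames are assumed case-sensitive` would at least record the assumption. Style: the new import uses double quotes and unspaced braces where the surrounding imports use single quotes and `{ x }`. The handler body starts and ends outside the hunk.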
+++ b/backend/src/middleware/auth/checks/teacher-invitation-checks.ts
@@ -0,0 +1,23 @@
+import {authorize} from "./auth-checks";
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+
+export const onlyAllowSenderOrReceiver = authorize(
+ (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+ req.params.sender === auth.username || req.params.receiver === auth.username
+);
+
+export const onlyAllowSender = authorize(
+ (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+ req.params.sender === auth.username
+);
+
+export const onlyAllowSenderBody = authorize(
+ (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+ req.body.sender === auth.username
+);
+
+export const onlyAllowReceiverBody = authorize(
+ (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+ req.body.receiver === auth.username
+);
diff --git a/backend/src/routes/teacher-invitations.ts b/backend/src/routes/teacher-invitations.ts
index 772b1351..fe0b924f 100644
--- a/backend/src/routes/teacher-invitations.ts
+++ b/backend/src/routes/teacher-invitations.ts
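Review bot: `onlyAllowSenderBody` and `onlyAllowReceiverBody` dereference `req.body` directly, so a request that reaches them without a parsed body would throw inside the predicate instead of being refused; whether that surfaces as a 403 or a 500 depends on how `authorize` handles exceptions, which is not visible here. Writing `req.body?.sender === auth.username` (and the same for `receiver`) makes the check fail closed. All four predicates also match on username only; if `AuthenticationInfo` carries an account type, it is worth confirming that `authorize` or these predicates restrict the routes to teachers, since any authenticated account with a matching username would otherwise pass. A one-line doc comment on each export naming the request field it trusts (`params` or `body`) would help route authors pick the right check.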
@@ -6,17 +6,23 @@ import {
 getInvitationHandler,
 updateInvitationHandler,
 } from '../controllers/teacher-invitations';
+import {onlyAllowUserHimself} from "../middleware/auth/checks/user-auth-checks";
+import {
+ onlyAllowReceiverBody, onlyAllowSender,
+ onlyAllowSenderBody,
+ onlyAllowSenderOrReceiver
+} from "../middleware/auth/checks/teacher-invitation-checks";
 const router = express.Router({ mergeParams: true });
-router.get('/:username', getAllInvitationsHandler);
+router.get('/:username', onlyAllowUserHimself, getAllInvitationsHandler);
-router.get('/:sender/:receiver/:classId', getInvitationHandler);
+router.get('/:sender/:receiver/:classId', onlyAllowSenderOrReceiver ,getInvitationHandler);
-router.post('/', createInvitationHandler);
+router.post('/', onlyAllowSenderBody, createInvitationHandler);
-router.put('/', updateInvitationHandler);
+router.put('/', onlyAllowReceiverBody, updateInvitationHandler);
-router.delete('/:sender/:receiver/:classId', deleteInvitationHandler);
+router.delete('/:sender/:receiver/:classId', onlyAllowSender, deleteInvitationHandler);
 export default router;
diff --git a/backend/src/services/teacher-invitations.ts b/backend/src/services/teacher-invitations.ts
index 07f61bae..c50e00b1 100644
--- a/backend/src/services/teacher-invitations.ts
+++ b/backend/src/services/teacher-invitations.ts
@@ -32,6 +32,10 @@ export async function createInvitation(data: TeacherInvitationData): Promise
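Review bot: The POST route now proves the caller is the `sender`, but nothing in this hunk ties the caller to the `class` named in the body, so a teacher could issue invitations for a class they do not teach unless `createInvitation` checks membership (the services change is cut off in this view, so that may already be covered). The same question applies to the `classId` path parameter on the GET and DELETE routes, although there the sender/receiver match limits access to the caller's own invitations. Minor style point: `onlyAllowSenderOrReceiver ,getInvitationHandler` has the comma spacing reversed; `onlyAllowSenderOrReceiver, getInvitationHandler` matches the other routes.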