Update user with id from cookie jwt

Nonprofit-Exchange-Hub · Nov 7, 2023 · 986aa88 · 986aa88
1 parent f3bd587
commit 986aa88
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/server/src/acccount-manager/account-manager.controller.ts b/server/src/acccount-manager/account-manager.controller.ts
@@ -233,10 +233,16 @@ export class AccountManagerController {
     }),
   )
   async upsertProfile(
+    @Request() request: AuthedRequest,
     @Param('id') id: number,
     @UploadedFile()
     file: Express.Multer.File,
   ): Promise<ReturnUserDto | BadRequestException> {
+    const { user } = request;
+    if (user.id !== id) {
+      throw new BadRequestException('You can only update your own user');
+    }
+
     if (/\.(jpe?g|png|gif)$/i.test(file.filename)) {
       return new BadRequestException(
         'Only valid image extensions allowed (.jpg, .jpeg, .png, .gif)',
@@ -269,9 +275,17 @@ export class AccountManagerController {
   @UseGuards(CookieAuthGuard)
   @MapTo(ReturnUserDto)
   @Put('users/:id')
-  async update(@Param('id') id: number, @Body() updateUserDto: UpdateUserDto) {
-    const user = await this.usersService.findOne(id);
-    if (!user) {
+  async update(
+    @Request() request: AuthedRequest,
+    @Param('id') id: number,
+    @Body() updateUserDto: UpdateUserDto,
+  ) {
+    const { user } = request;
+    if (user.id !== id) {
+      throw new BadRequestException('You can only update your own user');
+    }
+    const dbUser = await this.usersService.findOne(id);
+    if (!dbUser) {
       throw new BadRequestException('User not found');
     }