Protect asset create endpoint #263

jd2rogers2 · 2023-01-05T03:19:13Z

Dev Summary

only a user that is part of an org should be able to create an asset/post
to do this i added a new auth guard and used it on the endpoint

still to do -> fix the test that's breaking locally

(later to come, checking that updating/deleting a post can only be done by user within poster's org)

Test Plan

repro steps:

for these tests you can see that i have the seeded users and orgs, but i also inserted into user_orgs userId, organizationsId values 1, 1 to create a relationship between my user 1 and the first org

in browser login with user 1 and get cookie from dev tools
make curl request with user 1's cookie. expect success (because they have an org related)

curl -X POST localhost:3001/api/assets \
--cookie "NEH_is_cool=s%3AeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiZmlyc3ROYW1lIjoidXNlcjFGaXJzdCIsImxhc3RfbmFtZSI6InVzZXIxTGFzdCIsImVtYWlsIjoidXNlcjFGaXJzdEBleGFtcGxlLmNvbSIsImVtYWlsX25vdGlmaWNhdGlvbl9vcHRfb3V0IjpmYWxzZSwiaWF0IjoxNjcyODg2NTk4LCJleHAiOjE2NzI4OTAxOTh9._QCbE3mJWcKa72l6vnCEO1hCrtgR2cwzm8CdyzuOjTE.FdOBENq0wBAtBcXENuEwGX7X4Wm2ctqlajkL1enxP64" \
-H "Content-Type: application/json" \
-d '{ "title": "title", "description": "description", "quantity": 1 }'

repeat 1 and 2 with other user (with no org). expect fail

--cookie "NEH_is_cool=s%3AeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwiZmlyc3ROYW1lIjoidXNlcjJGaXJzdCIsImxhc3RfbmFtZSI6InVzZXIyTGFzdCIsImVtYWlsIjoidXNlcjJGaXJzdEBleGFtcGxlLmNvbSIsImVtYWlsX25vdGlmaWNhdGlvbl9vcHRfb3V0IjpmYWxzZSwiaWF0IjoxNjcyODg4NjM5LCJleHAiOjE2NzI4OTIyMzl9.bqtpcaXXf3Eg1plPHBsBtjOmpdpDY-nvV7jHZKwe-7Y.MVgCtcVqxDUkxSpBhGlUQVtQEWRte%2FQjpa8ijLGxZ6k" \
-H "Content-Type: application/json" \
-d '{ "title": "title", "description": "description", "quantity": 1 }'

Resources

esteban-gs · 2023-02-08T04:02:27Z

My changes in #264 throws a wrench in your work. Happy to pair on merge conflicts

skyfox93

Aren't assets with that are "offers"/ "donations" created by users without orgs? It's only the "request" asset type that needs this guard.

skyfox93 · 2023-04-04T18:43:24Z

server/src/user-org/user-org.service.ts

@@ -59,6 +59,17 @@ export class UserOrganizationsService {
    return userOrg;
  }

+  async getAllByUserId(userId: number): Promise<UserOrganization[]> {


Reminder that relations do this for us. I.e, we already have a method on the user entity, user.organizations, that does the same thing as this method.

esteban-gs · 2023-04-09T04:31:45Z

Aren't assets with that are "offers"/ "donations" created by users without orgs? It's only the "request" asset type that needs this guard.

This sounds right.

jd2rogers2 added 4 commits January 4, 2023 18:12

create new guard, create new user org service function

6c40d32

fix module imports

1658b01

make quantity required

a03d795

test import

9b892c9

jd2rogers2 linked an issue Jan 5, 2023 that may be closed by this pull request

add auth/checks to nonprofit posting endpoints #60

Open

jd2rogers2 self-assigned this Jan 5, 2023

skyfox93 reviewed Apr 4, 2023

View reviewed changes

esteban-gs added the documentation Improvements or additions to documentation label Sep 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Protect asset create endpoint #263

Protect asset create endpoint #263

jd2rogers2 commented Jan 5, 2023

esteban-gs commented Feb 8, 2023

skyfox93 left a comment

skyfox93 Apr 4, 2023

esteban-gs commented Apr 9, 2023

Protect asset create endpoint #263

Are you sure you want to change the base?

Protect asset create endpoint #263

Conversation

jd2rogers2 commented Jan 5, 2023

Dev Summary

Test Plan

Resources

esteban-gs commented Feb 8, 2023

skyfox93 left a comment

Choose a reason for hiding this comment

skyfox93 Apr 4, 2023

Choose a reason for hiding this comment

esteban-gs commented Apr 9, 2023