Protect Attendee Routes

hackathon-zip · Oct 24, 2023 · 6b6f28e · 6b6f28e
1 parent f503e61
commit 6b6f28e
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 19 deletions.
diff --git a/pages/api/attendee/[slug]/project/create.ts b/pages/api/attendee/[slug]/project/create.ts
@@ -18,11 +18,11 @@ export default async function handler(
                 }
             }
         });
-        if (!attendee)
+        if (!attendee){
             return res.status(400).json({
                 error: "Attendee does not exist."
             });
-
+        }
         let project = await prisma.project.create({
             data: {
                 name: req.body.name,
@@ -38,7 +38,6 @@ export default async function handler(
                 }
             }
         });
-        console.log(project);
         return res.json({
             project
         });

diff --git a/pages/api/attendee/[slug]/project/delete.ts b/pages/api/attendee/[slug]/project/delete.ts
@@ -9,12 +9,30 @@ export default async function handler(
 ) {
     try {
         const slug = await getHackathonSlug(req.query.slug as string);
-        let project = await prisma.project.delete({
+        let attendee = await prisma.attendee.findFirst({
             where: {
-                id: req.body.id
+                tokens: {
+                    some: {
+                        token: req.cookies[slug]
+                    }
+                }
+            }
+        });
+        if (!attendee){
+            return res.status(400).json({
+                error: "Attendee does not exist."
+            });
+        }
+        await prisma.project.deleteMany({
+            where: {
+                id: req.body.id,
+                collaborators: {
+                    some: {
+                        id: attendee.id
+                    }
+                }
             }
         });
-        console.log(project);
         return res.json({
             deleted: true
         });

diff --git a/pages/api/attendee/[slug]/project/update.ts b/pages/api/attendee/[slug]/project/update.ts
@@ -13,6 +13,24 @@ export default async function handler(
         let slug = req.query.slug as string;
 
         slug = await getHackathonSlug(slug);
+
+        let attendee = await prisma.attendee.findFirst({
+            where: {
+                tokens: {
+                    some: {
+                        token: req.cookies[slug]
+                    }
+                },
+                project: {
+                    id
+                }
+            }
+        });
+        if (!attendee){
+            return res.status(400).json({
+                error: "Attendee does not exist or is not a member of this project."
+            });
+        }
 
         let project = await prisma.project.update({
             where: {

diff --git a/pages/api/hello.ts b/pages/api/hello.ts