Bugfix: any user can delete any record (#14)
* Updated Thunder collection

* Delete a diary record by usercode and register id.
oluizeduardo authored Jun 4, 2024
1 parent 2790404 commit e719dc6
Showing 4 changed files with 26 additions and 9 deletions.
9 changes: 8 additions & 1 deletion src/controllers/diaryController.js
Expand Up @@ -173,12 +173,19 @@ class DiaryController {
static deleteById = async (req, res) => {
logger.info('Executing DiaryController.deleteById');
try {
// Validate user code
const userCode = req.params.usercode;
if (!userCode) {
return res.status(CLIENT_ERROR).json({ message: Messages.INCOMPLETE_DATA_PROVIDED });
}

// Validate id
const id = Number.parseInt(req.params.id);
if (isNaN(id)) {
return res.status(NOT_FOUND).json({ message: Messages.NOTHING_FOUND });
}

const result = await DiaryDAO.deleteById(id);
const result = await DiaryDAO.deleteById(id, userCode);

if (result.success) {
return res.status(OK).json({ message: result.message });
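Review bot: The new `userCode` on line 24 is read straight from the URL path and then used as the ownership scope in `DiaryDAO.deleteById(id, userCode)`, so the fix only holds if something upstream proves the caller actually owns that usercode, and nothing in this hunk does. The Thunder collection in this same commit sends a bearer JWT whose `id` claim is the same UUID as the usercode in the URL, which suggests the token is the real identity here; the owner should be derived from the authenticated principal, or `UserCodeMiddleware.validateUserCode` (not visible in this diff) must reject a path usercode that differs from it, otherwise any logged-in user can still delete another user's record by substituting that user's code. I would pin the assumption above line 24 with `// usercode is caller-supplied; authorization depends on the middleware binding it to the authenticated user`. The `!userCode` guard on line 25 also looks redundant with the route-level `validateUserCode` unless that middleware lets an empty code through. `deleteById`'s catch block continues below the hunk.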
14 changes: 12 additions & 2 deletions src/dao/DiaryDAO.js
Expand Up @@ -101,12 +101,22 @@ export default class DiaryDAO {
}
}

static async deleteById(id) {
static async deleteById(id, userCode) {
try {

// Check the register existence.
const result = await database(TABLE_NAME).where('id', id).select('id');

if (result.length > 0) {
await database(TABLE_NAME).where('id', result[0].id).del();
await database(TABLE_NAME)
.where('id', result[0].id)
.whereIn('id_user', function() {
this.select('id')
.from('users')
.where('cod_user', userCode);
})
.del();

return { success: true, message: Messages.DIARY_DATA_DELETED };
} else {
return { success: false, message: Messages.NOTHING_FOUND };
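Review bot: The existence check on line 52 still looks the record up by `id` alone, so when the row exists but belongs to another user the scoped `del()` on lines 56-63 removes nothing, yet the function returns `{ success: true, message: Messages.DIARY_DATA_DELETED }`; the caller gets a false success, and the DELETED-versus-NOTHING_FOUND distinction lets any user probe which record ids exist. If `database` is a knex instance (the `whereIn` subquery callback style suggests it), `del()` resolves to the affected-row count, so the pre-select can be dropped and the outcome decided from the scoped delete itself, which also closes the check-then-act window between the two queries. The rewritten body is below; the `catch` that follows line 67 is outside the hunk and is unchanged.
```javascript
  static async deleteById(id, userCode) {
    try {
      // One scoped delete: the row must exist AND belong to the caller.
      // An id owned by someone else deletes 0 rows and is reported as
      // not found, never as success (and leaks nothing about its existence).
      const deleted = await database(TABLE_NAME)
        .where('id', id)
        .whereIn('id_user', function () {
          this.select('id').from('users').where('cod_user', userCode);
        })
        .del();

      if (deleted > 0) {
        return { success: true, message: Messages.DIARY_DATA_DELETED };
      }
      return { success: false, message: Messages.NOTHING_FOUND };
      // … unchanged: catch block …
```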
2 changes: 1 addition & 1 deletion src/routes/diaryRouter.js
Expand Up @@ -13,7 +13,7 @@ diaryRouter
.post('/:usercode', UserCodeMiddleware.validateUserCode, DiaryController.addNew)
.get('/:id', DiaryController.getById)
.put('/:usercode/:id', UserCodeMiddleware.validateUserCode, DiaryController.updateById)
.delete('/:id', DiaryController.deleteById)
.delete('/:usercode/:id', UserCodeMiddleware.validateUserCode, DiaryController.deleteById)
.delete('/user/:usercode', UserCodeMiddleware.validateUserCode, DiaryController.deleteByUserCode)
.get('/user/:usercode', UserCodeMiddleware.validateUserCode, DiaryController.getByUserCode);
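Review bot: The new route on line 76, `.delete('/:usercode/:id', …)`, is registered before `.delete('/user/:usercode', …)` on line 77 and both are two-segment patterns, so under Express's first-match routing a `DELETE /user/<usercode>` now binds `usercode = 'user'` and `id = <usercode>` and never reaches `deleteByUserCode`; if `validateUserCode` does not reject the literal `'user'`, `Number.parseInt` on a UUID with leading digits can even yield a real record id. Register the literal-prefixed route first: `.delete('/user/:usercode', UserCodeMiddleware.validateUserCode, DiaryController.deleteByUserCode)` followed by `.delete('/:usercode/:id', UserCodeMiddleware.validateUserCode, DiaryController.deleteById)`. Separately, `.get('/:id', …)` on line 73 is left without a usercode scope; if `getById` looks the record up by id alone, as `deleteById` did before this commit, the same cross-user access remains for reads.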

10 changes: 5 additions & 5 deletions thunder-collection_Glicocheck.json
Expand Up @@ -2,7 +2,7 @@
"clientName": "Thunder Client",
"collectionName": "Glicocheck",
"collectionId": "a9cf7d89-7e3f-410e-928f-c83cbed2644f",
"dateExported": "2024-06-04T01:26:07.578Z",
"dateExported": "2024-06-04T01:43:50.010Z",
"version": "1.2",
"folders": [
{
Expand Down Expand Up @@ -354,15 +354,15 @@
"colId": "a9cf7d89-7e3f-410e-928f-c83cbed2644f",
"containerId": "f91b0224-a64c-403f-9552-eaeb5d066007",
"name": "Delete glucose record by id",
"url": "{{LOCALHOST}}/api/diary/1",
"url": "{{LOCALHOST}}/api/diary/78412d60-ce7e-4a37-9bb1-6ab73187fa0d/7",
"method": "DELETE",
"sortNum": 90000,
"created": "2024-02-13T19:33:44.017Z",
"modified": "2024-06-02T17:25:05.030Z",
"modified": "2024-06-04T01:41:14.690Z",
"headers": [],
"auth": {
"type": "bearer",
"bearer": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk0Yjk0NGMzLTc5MTItNGI4Mi04ODZkLTM2NzY3M2QwYTRjOSIsImlhdCI6MTcxNzM0NzU2MywiZXhwIjoxNzE3MzQ5MzYzfQ.pubA2qOwIYCsd-Llxsx9t4TXAsFBqslOXi_7jQV0hfU"
"bearer": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc4NDEyZDYwLWNlN2UtNGEzNy05YmIxLTZhYjczMTg3ZmEwZCIsImlhdCI6MTcxNzQ2NTEzNiwiZXhwIjoxNzE3NDY2OTM2fQ.eHBiP2nQiCrfnW70EwbA_leF0J8U7pv7HGFvBrlSOtg"
}
},
{
Expand Down Expand Up @@ -914,5 +914,5 @@
"settings": {
"envId": "f0223d0d-c7c0-4d5a-b204-ecc7a093cbf2"
},
"ref": "AacjCQHooDV61gcZhlKO5dE6COwnuMOEFbzomqOy1CWp2_ncWgnyqo_VKqfS2H3G2FuKZUkSI-nYNECdjwJYMg"
"ref": "AacjCQHooDV61gcZhlKO5dE6COwnuMOEFbzomqOy1CV3Ed4VwkvqDsU4tvk7iIkcHaKTaALgZkrdfByc7Uh_ZQ"
}
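Review bot: Line 107 commits a bearer JWT for the test collection; a credential should not be in the repository even for a local environment. Its header and payload decode to `{"alg":"HS256","typ":"JWT"}` and `{"id":"78412d60-…","iat":1717465136,"exp":1717466936}`, a 30-minute lifetime, so the exposure window is small, but it still puts credentials in git history and ties the same user id to the hard-coded usercode in the URL on line 97. Replace the literal with a Thunder environment variable such as `"bearer": "{{TOKEN}}"` (the collection already uses `{{LOCALHOST}}`) and keep the value in the untracked environment file. The previous token on line 106 stays in history; if the HS256 signing secret used to mint these tokens is a shared development default, it is worth rotating.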
