From ec5d40584a18cd5de8d8b6f255dc54acc68a2f20 Mon Sep 17 00:00:00 2001
From: Tim Kent
Date: Tue, 7 Nov 2023 12:41:53 -0800
Subject: [PATCH] update project routes. add auth checks to controllers.
---
 .../bmdashboard/bmProjectController.js | 47 +++++++++++++------
 src/routes/bmdashboard/bmProjectRouter.js | 4 +-
 2 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/src/controllers/bmdashboard/bmProjectController.js b/src/controllers/bmdashboard/bmProjectController.js
index 3e88ea08a..929aba4ba 100644
--- a/src/controllers/bmdashboard/bmProjectController.js
+++ b/src/controllers/bmdashboard/bmProjectController.js
@@ -1,10 +1,21 @@
+// TODO: uncomment when executing auth checks
+// const jwt = require('jsonwebtoken');
+// const config = require('../../config');
+
 const bmMProjectController = function (BuildingProject) {
- // fetches all projects by building manager id
+ // TODO: uncomment when executing auth checks
+ // const { JWT_SECRET } = config;
+
 const fetchAllProjects = async (req, res) => {
- const { userId } = req.params;
- try {
+ //! Note: for easier testing this route currently returns all projects from the db
+ // TODO: uncomment the lines below to return only projects where field buildingManager === userid
+ // const token = req.headers.authorization;
+ // const { userid } = jwt.verify(token, JWT_SECRET);
+ try {
 const projectData = await BuildingProject
- .find({ buildingManager: userId })
+ // TODO: uncomment this line to filter by buildingManager field
+ // .find({ buildingManager: userid })
+ .find()
 .populate([
 {
 path: 'buildingManager',
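Review bot: The new `fetchAllProjects` body returns every BuildingProject document to any caller — `.find()` carries no filter and nothing in the handler reads a token — so the "for easier testing" shortcut ships as an unauthenticated dump of the whole collection, and the commit subject ("add auth checks to controllers") does not describe what is actually live. The auth lines left in comments also need a fix before they are re-enabled: `jwt.verify(token, JWT_SECRET)` sits above the `try`, so a missing or tampered `Authorization` header would throw out of the async handler and, depending on the Express version, surface as an unhandled rejection or a generic 500 rather than a 401. I would move verification inside the `try` (or into router-level middleware), answer `return res.status(401).send({ message: 'Missing or invalid token.' });` on failure, and keep `.find({ buildingManager: userid })` as the only query instead of a TODO. If an unfiltered query is genuinely needed for a test fixture, gate it on an explicit env flag rather than committing it on by default. `fetchAllProjects` continues past the end of the hunk.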
@@ -26,7 +37,11 @@ const bmMProjectController = function (BuildingProject) {
 // fetches single project by project id
 const fetchSingleProject = async (req, res) => {
- const { userId, projectId } = req.params;
+ //! Note: for easier testing this route currently returns the project without an auth check
+ // TODO: uncomment the lines below to check the user's ability to view the current project
+ // const token = req.headers.authorization;
+ // const { userid } = jwt.verify(token, JWT_SECRET);
+ const { projectId } = req.params;
 try {
 BuildingProject
 .findById(projectId)
@@ -41,16 +56,18 @@ const bmMProjectController = function (BuildingProject) {
 },
 ])
 .exec()
- .then((project) => {
- // authenticate request by comparing userId param with buildingManager id field
- // ObjectId must be converted to string
- if (userId !== project.buildingManager._id.toString()) {
- return res.status(403).send({
- message: 'You are not authorized to view this record.',
- });
- }
- return res.status(200).send(project);
- })
+ .then(project => res.status(200).send(project))
+ // TODO: uncomment this block to execute the auth check
+ // authenticate request by comparing userId param with buildingManager id field
+ // Note: _id has type object and must be converted to string
+ // .then((project) => {
+ // if (userid !== project.buildingManager._id.toString()) {
+ // return res.status(403).send({
+ // message: 'You are not authorized to view this record.',
+ // });
+ // }
+ // return res.status(200).send(project);
+ // })
 .catch(error => res.status(500).send(error));
 } catch (err) {
 res.json(err);
diff --git a/src/routes/bmdashboard/bmProjectRouter.js b/src/routes/bmdashboard/bmProjectRouter.js
index 7069950dc..d60ea9b2b 100644
--- a/src/routes/bmdashboard/bmProjectRouter.js
+++ b/src/routes/bmdashboard/bmProjectRouter.js
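Review bot: `fetchSingleProject` now reads only `projectId` and checks nothing about who is asking, so any client that can guess or enumerate an ObjectId can read any project; the old `userId` comparison is gone and its replacement exists only in comments. As in the sibling handler, the commented-out `jwt.verify(token, JWT_SECRET)` is placed before the `try`, so once uncommented an absent or invalid token throws out of the async handler instead of yielding a 401; it belongs inside the `try` or in middleware, with `return res.status(401).send({ message: 'Missing or invalid token.' });` on failure. Since this patch also removes the user id from the route, the token claim is the only source of identity here, and the `//! Note` should say so rather than "for easier testing", e.g. `// Identity comes from the verified JWT's userid claim, never from the URL.` The function body continues in the next hunk.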
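Review bot: `.then(project => res.status(200).send(project))` answers 200 with a `null` body when `findById` finds nothing, because Mongoose resolves to `null` for an unknown id; the removed code at least failed (as a 500) on `project.buildingManager._id`. Add the guard before sending: `if (!project) return res.status(404).send({ message: 'Project not found.' });` followed by `return res.status(200).send(project);`. The commented auth block is appended as a second `.then` after the one that already sends the response, so if it is uncommented as written its `project` argument would be whatever `res.send` returns (the response object in Express), not the document — the TODO should say "replace the one-line `.then` above with this block", and the same `!project` guard belongs inside it because `project.buildingManager` is dereferenced there. Separately, `.catch(error => res.status(500).send(error))` (unchanged context) sends the raw database error to the client; consider logging it server-side and returning a fixed message.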
@@ -4,10 +4,10 @@ const routes = function (buildingProject) {
 const projectRouter = express.Router();
 const controller = require('../../controllers/bmdashboard/bmProjectController')(buildingProject);
-projectRouter.route('/projects/:userId')
+projectRouter.route('/projects')
 .get(controller.fetchAllProjects);
-projectRouter.route('/projects/:userId/:projectId')
+projectRouter.route('/project/:projectId')
 .get(controller.fetchSingleProject);
 return projectRouter;
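Review bot: Both routes are registered straight onto the controller — `.get(controller.fetchAllProjects)` and `.get(controller.fetchSingleProject)` — with no authentication middleware in between, and the controllers in this same patch have their checks commented out, so `/projects` and `/project/:projectId` are reachable by anyone. Dropping `:userId` from the paths is the right direction (identity should not come from the URL), but it only helps if the JWT is verified somewhere on the request path; I would attach whatever token-verifying middleware the app already uses on its other routers with `projectRouter.use(...)` ahead of these `.route()` calls (I cannot see one from this diff), or at minimum add a comment on the router stating that these endpoints are currently unauthenticated. As a smaller point, `/projects` and `/project/:projectId` mix plural and singular; `/projects/:projectId` would sit under the collection route and follow the usual REST convention. `routes` starts above the hunk.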