fix: ability to delete other users images (#407)

* fix: Worst, but minimally working, fix so other users do not delete each other's files. * fix: include previous fix for PATCH --------- Co-authored-by: dicedtomato <35403473+diced@users.noreply.github.com>
2023-05-22 15:36:19 -07:00 · 2023-05-22 15:36:19 -07:00 · 60d7b22dca
commit 60d7b22dca
parent d111b0811f
1 changed files with 54 additions and 4 deletions
--- a/src/pages/api/user/files.ts
+++ b/src/pages/api/user/files.ts
@ -31,15 +31,46 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {
    } else {
      if (!req.body.id) return res.badRequest('no file id');

-      const file = await prisma.file.delete({
+      let file = await prisma.file.findFirst({
        where: {
          id: req.body.id,
+          userId: user.id,
+        },
+        include: {
+          user: {
+            select: {
+              administrator: true,
+              superAdmin: true,
+              username: true,
+              id: true,
+            },
+          },
+        },
+      });
+
+      if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
+
+      file = await prisma.file.delete({
+        where: {
+          id: req.body.id,
+        },
+        include: {
+          user: {
+            select: {
+              administrator: true,
+              superAdmin: true,
+              username: true,
+              id: true,
+            },
+          },
        },
      });

      await datasource.delete(file.name);

-      logger.info(`User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id})`);
+      logger.info(
+        `User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id}) owned by ${file.user.username} (${file.user.id})`
+      );

      // @ts-ignore
      if (file.password) file.password = true;
@ -51,14 +82,33 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {

    let file;

-    if (req.body.favorite !== null)
+    if (req.body.favorite !== null) {
+      file = await prisma.file.findFirst({
+        where: {
+          id: req.body.id,
+          userId: user.id,
+        },
+        include: {
+          user: {
+            select: {
+              administrator: true,
+              superAdmin: true,
+              username: true,
+              id: true,
+            },
+          },
+        },
+      });
+
+      if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
+
      file = await prisma.file.update({
        where: { id: req.body.id },
        data: {
          favorite: req.body.favorite,
        },
      });
-
+    }
    // @ts-ignore
    if (file.password) file.password = true;
    return res.json(file);