fix: ability to delete other users images (#407)
* fix: Worst, but minimally working, fix so other users do not delete each other's files. * fix: include previous fix for PATCH --------- Co-authored-by: dicedtomato <35403473+diced@users.noreply.github.com>
This commit is contained in:
parent
d111b0811f
commit
60d7b22dca
1 changed files with 54 additions and 4 deletions
|
@ -31,15 +31,46 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {
|
||||||
} else {
|
} else {
|
||||||
if (!req.body.id) return res.badRequest('no file id');
|
if (!req.body.id) return res.badRequest('no file id');
|
||||||
|
|
||||||
const file = await prisma.file.delete({
|
let file = await prisma.file.findFirst({
|
||||||
where: {
|
where: {
|
||||||
id: req.body.id,
|
id: req.body.id,
|
||||||
|
userId: user.id,
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
user: {
|
||||||
|
select: {
|
||||||
|
administrator: true,
|
||||||
|
superAdmin: true,
|
||||||
|
username: true,
|
||||||
|
id: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
|
||||||
|
|
||||||
|
file = await prisma.file.delete({
|
||||||
|
where: {
|
||||||
|
id: req.body.id,
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
user: {
|
||||||
|
select: {
|
||||||
|
administrator: true,
|
||||||
|
superAdmin: true,
|
||||||
|
username: true,
|
||||||
|
id: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
await datasource.delete(file.name);
|
await datasource.delete(file.name);
|
||||||
|
|
||||||
logger.info(`User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id})`);
|
logger.info(
|
||||||
|
`User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id}) owned by ${file.user.username} (${file.user.id})`
|
||||||
|
);
|
||||||
|
|
||||||
// @ts-ignore
|
// @ts-ignore
|
||||||
if (file.password) file.password = true;
|
if (file.password) file.password = true;
|
||||||
|
@ -51,14 +82,33 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {
|
||||||
|
|
||||||
let file;
|
let file;
|
||||||
|
|
||||||
if (req.body.favorite !== null)
|
if (req.body.favorite !== null) {
|
||||||
|
file = await prisma.file.findFirst({
|
||||||
|
where: {
|
||||||
|
id: req.body.id,
|
||||||
|
userId: user.id,
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
user: {
|
||||||
|
select: {
|
||||||
|
administrator: true,
|
||||||
|
superAdmin: true,
|
||||||
|
username: true,
|
||||||
|
id: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
|
||||||
|
|
||||||
file = await prisma.file.update({
|
file = await prisma.file.update({
|
||||||
where: { id: req.body.id },
|
where: { id: req.body.id },
|
||||||
data: {
|
data: {
|
||||||
favorite: req.body.favorite,
|
favorite: req.body.favorite,
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
}
|
||||||
// @ts-ignore
|
// @ts-ignore
|
||||||
if (file.password) file.password = true;
|
if (file.password) file.password = true;
|
||||||
return res.json(file);
|
return res.json(file);
|
||||||
|
|
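Review bot: The guard `if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');` in the DELETE path (and the identical one in the PATCH path) only lets through callers who are both administrator and superAdmin, because `!a || !b` is true whenever either flag is false; if either role alone is meant to manage other users' files, the condition should read `if (!file && !(user.administrator || user.superAdmin)) return res.notFound('file not found');`. For a caller who does pass that guard with `file` null, the following `prisma.file.delete` / `prisma.file.update` still uses `where: { id: req.body.id }`, and Prisma rejects when the record does not exist, so a non-existent id surfaces as an unhandled error instead of a 404; looking the record up without the `userId` filter and comparing its `userId` to `user.id` would cover both cases with one query. The `include: { user: ... }` on the two `findFirst` calls appears to be dead weight, since `file` is immediately overwritten by the `delete`/`update` result and only the DELETE branch re-includes the owner for the log line. The enclosing `handler` starts before the first hunk, and whether the PATCH path validates `req.body.id` before these queries is outside the shown hunks.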