fix: ability to delete other users images (#407)

* fix: Worst, but minimally working, fix so other users do not delete each other's files.

* fix: include previous fix for PATCH

---------

Co-authored-by: dicedtomato <35403473+diced@users.noreply.github.com>
Jayvin Hernandez 2023-05-22 15:36:19 -07:00 committed by GitHub
parent d111b0811f
commit 60d7b22dca
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -31,15 +31,46 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {
} else { } else {
if (!req.body.id) return res.badRequest('no file id'); if (!req.body.id) return res.badRequest('no file id');
const file = await prisma.file.delete({ let file = await prisma.file.findFirst({
where: { where: {
id: req.body.id, id: req.body.id,
userId: user.id,
},
include: {
user: {
select: {
administrator: true,
superAdmin: true,
username: true,
id: true,
},
},
},
});
if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
file = await prisma.file.delete({
where: {
id: req.body.id,
},
include: {
user: {
select: {
administrator: true,
superAdmin: true,
username: true,
id: true,
},
},
}, },
}); });
await datasource.delete(file.name); await datasource.delete(file.name);
logger.info(`User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id})`); logger.info(
`User ${user.username} (${user.id}) deleted an image ${file.name} (${file.id}) owned by ${file.user.username} (${file.user.id})`
);
// @ts-ignore // @ts-ignore
if (file.password) file.password = true; if (file.password) file.password = true;
@ -51,14 +82,33 @@ async function handler(req: NextApiReq, res: NextApiRes, user: UserExtended) {
let file; let file;
if (req.body.favorite !== null) if (req.body.favorite !== null) {
file = await prisma.file.findFirst({
where: {
id: req.body.id,
userId: user.id,
},
include: {
user: {
select: {
administrator: true,
superAdmin: true,
username: true,
id: true,
},
},
},
});
if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');
file = await prisma.file.update({ file = await prisma.file.update({
where: { id: req.body.id }, where: { id: req.body.id },
data: { data: {
favorite: req.body.favorite, favorite: req.body.favorite,
}, },
}); });
}
// @ts-ignore // @ts-ignore
if (file.password) file.password = true; if (file.password) file.password = true;
return res.json(file); return res.json(file);
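Review bot: The guard `if (!file && (!user.administrator || !user.superAdmin)) return res.notFound('file not found');`, added in both the DELETE and the PATCH hunk, only lets a user holding both `administrator` and `superAdmin` past it, and for that user a nonexistent `req.body.id` never becomes a 404: `file` is null, the guard is skipped, and `prisma.file.delete` / `prisma.file.update` then reject on the missing record instead of the handler answering `res.notFound`. If the intent is that either role may act on other users' files, the operator should be `&&`; either way the existence check is simpler if the ownership filter moves into the lookup, `where: user.administrator || user.superAdmin ? { id: req.body.id } : { id: req.body.id, userId: user.id }`, followed by an unconditional `if (!file) return res.notFound('file not found');` before the write. That also keeps the 404 for the privileged path and leaves the later `file.name` / `file.password` accesses on a record that is known to exist. The handler's body begins and ends outside the hunks shown, so the remaining branches could not be checked for the same pattern.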