Enforce returning only publick field to not owner

andrew-bierman · Dec 20, 2024 · bb29c90 · bb29c90
1 parent 92fc6dd
commit bb29c90
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 14 deletions.
diff --git a/server/src/modules/feed/controllers/getPublicFeed.ts b/server/src/modules/feed/controllers/getPublicFeed.ts
@@ -19,7 +19,7 @@ export function getPublicFeedRoute() {
       const { queryBy, searchTerm, excludeType, pagination } = opts.input;
       const { data, totalCount, currentPagination } = await getFeedService(
         queryBy,
-        { searchTerm, isPublic: true },
+        { searchTerm, isPublic: true, authenticatedUserId: opts.ctx.user.id },
         excludeType,
         pagination,
       );

diff --git a/server/src/modules/feed/controllers/getUserPacksFeed.ts b/server/src/modules/feed/controllers/getUserPacksFeed.ts
@@ -23,7 +23,13 @@ export function getUserPacksFeedRoute() {
         opts.input;
       const { data, totalCount, currentPagination } = await getFeedService(
         queryBy,
-        { searchTerm, ownerId, isPublic, itemId },
+        {
+          searchTerm,
+          ownerId,
+          isPublic,
+          itemId,
+          authenticatedUserId: opts.ctx.user.id,
+        },
         'trips',
         pagination,
       );

diff --git a/server/src/modules/feed/controllers/getUserTripsFeed.ts b/server/src/modules/feed/controllers/getUserTripsFeed.ts
@@ -25,7 +25,12 @@ export function getUserTripsFeedRoute() {
       const { queryBy, searchTerm, ownerId, pagination, isPublic } = opts.input;
       const { data, totalCount, currentPagination } = await getFeedService(
         queryBy,
-        { searchTerm, ownerId, isPublic },
+        {
+          searchTerm,
+          ownerId,
+          isPublic,
+          authenticatedUserId: opts.ctx.user.id,
+        },
         'packs',
         pagination,
       );

diff --git a/server/src/modules/feed/model/feed.ts b/server/src/modules/feed/model/feed.ts
@@ -251,18 +251,19 @@ export class Feed {
     modifiers: Modifiers,
     table: typeof trip | typeof pack,
   ) {
+    const { authenticatedUserId, isPublic, ownerId, searchTerm } = modifiers;
     const conditions = [];
 
-    if (modifiers.isPublic !== undefined) {
-      conditions.push(eq(table.is_public, modifiers.isPublic));
+    if (!authenticatedUserId || isPublic || authenticatedUserId !== ownerId) {
+      conditions.push(eq(table.is_public, true));
     }
 
-    if (modifiers.ownerId) {
-      conditions.push(eq(table.owner_id, modifiers.ownerId));
+    if (ownerId) {
+      conditions.push(eq(table.owner_id, ownerId));
     }
 
-    if (modifiers.searchTerm) {
-      conditions.push(like(table.name, `%${modifiers.searchTerm}%`));
+    if (searchTerm) {
+      conditions.push(like(table.name, `%${searchTerm}%`));
     }
 
     return conditions.length > 0 ? and(...conditions) : undefined;

diff --git a/server/src/modules/feed/models.ts b/server/src/modules/feed/models.ts
@@ -1,6 +1,7 @@
 export interface Modifiers {
   isPublic?: boolean;
-  ownerId?: string;
+  ownerId: string;
+  authenticatedUserId: string;
   searchTerm?: string;
   itemId?: string;
   includeUserFavoritesOnly?: boolean;

diff --git a/server/src/modules/feed/services/getFeedService.ts b/server/src/modules/feed/services/getFeedService.ts
@@ -2,16 +2,17 @@
 
 import { PaginationParams } from '../../../helpers/pagination';
 import { Feed } from '../model';
-import { Modifiers } from '../models';
+import { FeedQueryBy, Modifiers } from '../models';
 
 /**
  * Retrieves public trips based on the given query parameter.
  * @param {PrismaClient} prisma - Prisma client.
+ * @param {string} authenticatedUserId - The authenticated user's ID.
  * @param {string} queryBy - The query parameter to sort the trips.
  * @return {Promise<object[]>} The public trips.
  */
 export const getFeedService = async (
-  queryBy: string,
+  queryBy: FeedQueryBy,
   modifiers?: Modifiers,
   excludeType?: 'trips' | 'packs',
   pagination?: PaginationParams,

diff --git a/server/src/services/favorite/getUserFavoritesService.ts b/server/src/services/favorite/getUserFavoritesService.ts
@@ -1,6 +1,7 @@
 import { Feed } from '../../modules/feed/model';
 import { User } from '../../drizzle/methods/User';
 import { PaginationParams } from 'src/helpers/pagination';
+import { Modifiers } from 'src/modules/feed/models';
 
 /**
  * Retrieves the favorite packs associated with a specific user.
@@ -10,10 +11,10 @@ import { PaginationParams } from 'src/helpers/pagination';
  */
 export const getUserFavoritesService = async (
   userId: string,
-  options?: { searchTerm?: string; isPublic?: boolean },
+  options?: Modifiers,
   pagination?: PaginationParams,
 ) => {
-  const { searchTerm, isPublic } = options || {};
+  const { searchTerm, isPublic, authenticatedUserId } = options || {};
   const userClass = new User();
   const feedClass = new Feed();
   const user = (await userClass.findUser({
@@ -32,6 +33,7 @@ export const getUserFavoritesService = async (
       searchTerm,
       isPublic,
       ownerId: userId,
+      authenticatedUserId,
     },
     'trips',
     pagination,