medaltimes:manage only allows managing own medal times
Dan Whitacre committed Feb 5, 2025
1 parent 68f87b3 commit d69ddce
Showing 2 changed files with 12 additions and 6 deletions.
6 changes: 6 additions & 0 deletions api/routes/medaltimes.ts
Expand Up @@ -33,6 +33,12 @@ class MedalTimes extends Route {
const medalTime = await req.parse(MedalTime);
if (!medalTime) return ApiResponse.badRequest(req);

if (
(await req.checkPermission(Permissions.MedalTimesManage)) &&
medalTime.accountId !== (await req.me())?.accountId
)
return ApiResponse.unauthorized(req);

await req.services.medaltimes.upsert(medalTime);
return ApiResponse.ok(req);
}
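Review bot: The ownership guard before `upsert` compares `medalTime.accountId` with `(await req.me())?.accountId`, so if `req.me()` resolves to nothing and the parsed body has no `accountId`, both sides are `undefined` and the request falls through to the write; whether `req.parse(MedalTime)` rules that out is not visible here. Resolving the caller first and failing closed removes that dependency: `const me = await req.me();` followed by `if (!me || medalTime.accountId !== me.accountId) return ApiResponse.unauthorized(req);` inside the `MedalTimesManage` branch. The guard also only fires when `checkPermission(Permissions.MedalTimesManage)` is true, so a caller without that permission must be rejected by a check above the hunk, where the method begins. A comment such as `// medaltimes:manage only covers the caller's own accountId` on the guard would record the intent next to the code.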
12 changes: 6 additions & 6 deletions test/api/permissions.test.ts
Expand Up @@ -51,8 +51,10 @@ test("apikey:manage", async () => {

test("medaltimes:manage", async () => {
const apikey = await playerWithPermissionCreate(pool, "medaltimes:manage");
let response = await fetch(`http://localhost:8081/me?api-key=${apikey}`);
const accountId = (await response.json()).me.accountId;

let response = await mapCreate({ apikey });
response = await mapCreate({ apikey });
expect(response.status).toBe(401);

response = await playerCreate({ apikey });
Expand All @@ -62,9 +64,6 @@ test("medaltimes:manage", async () => {
response = await mapCreate({ apikey: adminApiKey });
const mapUid = (await response.json()).map.mapUid;

response = await playerCreate({ apikey: adminApiKey });
const accountId = (await response.json()).player.accountId;

response = await medalTimesCreate({ apikey, mapUid, accountId });
expect(response.status).toBe(200);
});
Expand Down Expand Up @@ -159,14 +158,15 @@ test("multiple - map:manage, player:manage, medaltimes:manage", async () => {
"medaltimes:manage",
"player:manage",
]);
let response = await fetch(`http://localhost:8081/me?api-key=${apikey}`);
const accountId = (await response.json()).me.accountId;

let response = await mapCreate({ apikey });
response = await mapCreate({ apikey });
expect(response.status).toBe(200);
const mapUid = (await response.json()).map.mapUid;

response = await playerCreate({ apikey });
expect(response.status).toBe(200);
const accountId = (await response.json()).player.accountId;

response = await medalTimesCreate({ apikey, accountId, mapUid });
expect(response.status).toBe(200);
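Review bot: Neither updated test asserts the denial this commit introduces: `medaltimes:manage` now only posts a medal time for the key's own `accountId` and expects 200, so a regression that drops the ownership check in the route would still pass. The removed lines that created a second player with `adminApiKey` are the setup the negative case needs; keeping them under a different name and expecting 401 for that account would pin the new rule. The same assertion is worth adding to the `multiple - map:manage, player:manage, medaltimes:manage` test in the last hunk, whose body continues outside the visible lines. This assumes `playerCreate({ apikey: adminApiKey })` yields an account other than the key holder's, as the old test implied.

```typescript
// … unchanged: own-account medalTimesCreate expecting 200 …

response = await playerCreate({ apikey: adminApiKey });
const otherAccountId = (await response.json()).player.accountId;

response = await medalTimesCreate({ apikey, mapUid, accountId: otherAccountId });
expect(response.status).toBe(401);
```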