Use UserPermissions in TeamRoutes

2019-03-10 15:42:58 +05:00 · 2019-03-10 15:42:58 +05:00 · e18e00a6e5
commit e18e00a6e5
parent 14e90f9559
4 changed files with 16 additions and 21 deletions
--- a/packages/server/src/application/Application.ts
+++ b/packages/server/src/application/Application.ts
@ -105,6 +105,7 @@ export class Application implements IApplication {

    router.use('/api', new team.TeamRoutes(
      this.teamService,
+      this.userPermissions,
      this.createTransactionalRouter(),
    ).handle)

--- a/packages/server/src/team/TeamRoutes.ts
+++ b/packages/server/src/team/TeamRoutes.ts
@ -2,11 +2,13 @@ import {AsyncRouter} from '../router'
 import {BaseRoute} from '../routes/BaseRoute'
 import {IAPIDef} from '@rondo/common'
 import {ITeamService} from './ITeamService'
+import {IUserPermissions} from '../user/IUserPermissions'
 import {ensureLoggedInApi} from '../middleware'

 export class TeamRoutes extends BaseRoute<IAPIDef> {
  constructor(
    protected readonly teamService: ITeamService,
+    protected readonly permissions: IUserPermissions,
    protected readonly t: AsyncRouter<IAPIDef>,
  ) {
    super(t)
@ -35,6 +37,12 @@ export class TeamRoutes extends BaseRoute<IAPIDef> {

    t.put('/teams/:id', async req => {
      const id = Number(req.params.id)
+
+      await this.permissions.belongsToTeam({
+        teamId: id,
+        userId: req.user!.id,
+      })
+
      return this.teamService.update({
        id,
        name: req.body.name,
@ -44,6 +52,12 @@ export class TeamRoutes extends BaseRoute<IAPIDef> {

    t.delete('/teams/:id', async req => {
      const id = Number(req.params.id)
+
+      await this.permissions.belongsToTeam({
+        teamId: id,
+        userId: req.user!.id,
+      })
+
      return this.teamService.remove({
        id,
        userId: req.user!.id,
--- a/packages/server/src/team/TeamService.ts
+++ b/packages/server/src/team/TeamService.ts
@ -3,24 +3,9 @@ import {ITeamService} from './ITeamService'
 import {IUserTeamParams} from './IUserTeamParams'
 import {Team} from '../entities/Team'
 import {UserTeam} from '../entities/UserTeam'
-import createError from 'http-errors'

 export class TeamService extends BaseService implements ITeamService {

-  protected async canModify({id, userId}: {id: number, userId: number}) {
-    const count = await this.getRepository(UserTeam)
-    .count({
-      where: {
-        teamId: id,
-        userId,
-      },
-    })
-
-    if (count === 0) {
-      throw createError(403, 'Forbidden')
-    }
-  }
-
  // TODO check team limit per user
  async create({name, userId}: {name: string, userId: number}) {
    const team = await this.getRepository(Team).save({
@ -39,9 +24,6 @@ export class TeamService extends BaseService implements ITeamService {
  }

  async remove({id, userId}: {id: number, userId: number}) {
-    // TODO check for role
-    this.canModify({id, userId})
-
    await this.getRepository(UserTeam)
    .delete({userId})

@ -50,8 +32,6 @@ export class TeamService extends BaseService implements ITeamService {
  }

  async update({id, name, userId}: {id: number, name: string, userId: number}) {
-    this.canModify({id, userId})
-
    await this.getRepository(Team)
    .update({
      id,
--- a/packages/server/src/user/IUserPermissions.ts
+++ b/packages/server/src/user/IUserPermissions.ts
@ -1,4 +1,4 @@
 export interface IUserPermissions {
  // TODO check for role too
-  belongsToTeam(params: {userId: number, teamId: number}): void
+  belongsToTeam(params: {userId: number, teamId: number}): Promise<void>
 }