Use UserPermissions in TeamRoutes

packages/server/src/application/Application.ts

@@ -105,6 +105,7 @@ export class Application implements IApplication {
 
     router.use('/api', new team.TeamRoutes(
       this.teamService,
+      this.userPermissions,
       this.createTransactionalRouter(),
     ).handle)
 

packages/server/src/team/TeamRoutes.ts

@@ -2,11 +2,13 @@ import {AsyncRouter} from '../router'
 import {BaseRoute} from '../routes/BaseRoute'
 import {IAPIDef} from '@rondo/common'
 import {ITeamService} from './ITeamService'
+import {IUserPermissions} from '../user/IUserPermissions'
 import {ensureLoggedInApi} from '../middleware'
 
 export class TeamRoutes extends BaseRoute<IAPIDef> {
   constructor(
     protected readonly teamService: ITeamService,
+    protected readonly permissions: IUserPermissions,
     protected readonly t: AsyncRouter<IAPIDef>,
   ) {
     super(t)
@@ -35,6 +37,12 @@ export class TeamRoutes extends BaseRoute<IAPIDef> {
 
     t.put('/teams/:id', async req => {
       const id = Number(req.params.id)
+
+      await this.permissions.belongsToTeam({
+        teamId: id,
+        userId: req.user!.id,
+      })
+
       return this.teamService.update({
         id,
         name: req.body.name,
@@ -44,6 +52,12 @@ export class TeamRoutes extends BaseRoute<IAPIDef> {
 
     t.delete('/teams/:id', async req => {
       const id = Number(req.params.id)
+
+      await this.permissions.belongsToTeam({
+        teamId: id,
+        userId: req.user!.id,
+      })
+
       return this.teamService.remove({
         id,
         userId: req.user!.id,

packages/server/src/team/TeamService.ts

@@ -3,24 +3,9 @@ import {ITeamService} from './ITeamService'
 import {IUserTeamParams} from './IUserTeamParams'
 import {Team} from '../entities/Team'
 import {UserTeam} from '../entities/UserTeam'
-import createError from 'http-errors'
 
 export class TeamService extends BaseService implements ITeamService {
 
-  protected async canModify({id, userId}: {id: number, userId: number}) {
-    const count = await this.getRepository(UserTeam)
-    .count({
-      where: {
-        teamId: id,
-        userId,
-      },
-    })
-
-    if (count === 0) {
-      throw createError(403, 'Forbidden')
-    }
-  }
-
   // TODO check team limit per user
   async create({name, userId}: {name: string, userId: number}) {
     const team = await this.getRepository(Team).save({
@@ -39,9 +24,6 @@ export class TeamService extends BaseService implements ITeamService {
   }
 
   async remove({id, userId}: {id: number, userId: number}) {
-    // TODO check for role
-    this.canModify({id, userId})
-
     await this.getRepository(UserTeam)
     .delete({userId})
 
@@ -50,8 +32,6 @@ export class TeamService extends BaseService implements ITeamService {
   }
 
   async update({id, name, userId}: {id: number, name: string, userId: number}) {
-    this.canModify({id, userId})
-
     await this.getRepository(Team)
     .update({
       id,

packages/server/src/user/IUserPermissions.ts

@@ -1,4 +1,4 @@
 export interface IUserPermissions {
   // TODO check for role too
-  belongsToTeam(params: {userId: number, teamId: number}): void
+  belongsToTeam(params: {userId: number, teamId: number}): Promise<void>
 }