From 7590477c85759d7cc039844edfa714bbd55b559e Mon Sep 17 00:00:00 2001 From: Remy Siminel <95074810+rsiminel@users.noreply.github.com> Date: Mon, 9 Dec 2024 15:47:39 +0100 Subject: [PATCH] add checks (#540) * add checks * add check and update changelog * Update routes/web.js --------- Co-authored-by: mboudet --- CHANGELOG.md | 3 +++ routes/web.js | 30 +++++++++++++++++++++++++++--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31b3ae466..e639052a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,11 +3,14 @@ ## 1.4.32 (Unreleased) * Clearer error message when adding a website +* Add User, Project and Group static classes to front end (refactor) +* Add checks for website owner update * Fix error in 'projects' tab from user page * increase size of input field in users page * add a readonly input field under email for showing the email domain* * Add "custom_users" key to config file, to be used with various scripts + ## 1.4.31 (2024-09-27) * Fix 'Admin' button in 'My projects' page for administrators diff --git a/routes/web.js b/routes/web.js index 7e712555e..a1843c0c9 100644 --- a/routes/web.js +++ b/routes/web.js @@ -31,7 +31,6 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) { } catch(e) { logger.error(e); res.status(404).send({message: 'User session not found'}); - res.end(); return; } @@ -40,15 +39,40 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) { return; } session_user.is_admin = isadmin; - if(!session_user.is_admin) { res.status(401).send({message: 'Not authorized'}); return; } + + if (req.params.old == req.params.new) { + res.status(400).send({message: 'Old owner and new owner are the same person'}); + return; + } + try { + await dbsrv.mongo_web().findOne({name: req.params.id}); + } catch(e) { + logger.error(e); + res.status(404).send({message: 'Website not found'}); + return; + } + try { + await dbsrv.mongo_users().findOne({uid: req.params.old}); + } catch(e) { + logger.error(e); + res.status(404).send({message: 'Old website owner not found'}); + return; + } + try { + await dbsrv.mongo_users().findOne({uid: req.params.new}); + } catch(e) { + logger.error(e); + res.status(404).send({message: 'New website owner not found'}); + return; + } + await dbsrv.mongo_web().updateOne({name: req.params.id},{'$set': {owner: req.params.new}}); await dbsrv.mongo_events().insertOne({'owner': session_user.uid, 'date': new Date().getTime(), 'action': 'change website ' + req.params.id + ' owner to ' + req.params.new , 'logs': []}); res.send({message: 'Owner changed from ' + req.params.old + ' to ' + req.params.new}); - res.end(); }); router.get('/web', async function(req, res) {