From db401a177e52b3e4ef0328a2244b0f5b7d85889e Mon Sep 17 00:00:00 2001
From: remy siminel
Date: Mon, 28 Oct 2024 11:56:59 +0100
Subject: [PATCH 1/3] add checks
---
 routes/web.js | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/routes/web.js b/routes/web.js
index 7e712555..4e5f153d 100644
--- a/routes/web.js
+++ b/routes/web.js
@@ -31,7 +31,6 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) {
 } catch(e) {
 logger.error(e);
 res.status(404).send({message: 'User session not found'});
- res.end();
 return;
 }
 
@@ -45,10 +44,32 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) {
 res.status(401).send({message: 'Not authorized'});
 return;
 }
+
+ try {
+ await dbsrv.mongo_web().findOne({name: req.params.id});
+ } catch(e) {
+ logger.error(e);
+ res.status(404).send({message: 'Website not found'});
+ return;
+ }
+ try {
+ await dbsrv.mongo_users().findOne({uid: req.params.old});
+ } catch(e) {
+ logger.error(e);
+ res.status(404).send({message: 'Old website owner not found'});
+ return;
+ }
+ try {
+ await dbsrv.mongo_users().findOne({uid: req.params.new});
+ } catch(e) {
+ logger.error(e);
+ res.status(404).send({message: 'New website owner not found'});
+ return;
+ }
+
 await dbsrv.mongo_web().updateOne({name: req.params.id},{'$set': {owner: req.params.new}});
 await dbsrv.mongo_events().insertOne({'owner': session_user.uid, 'date': new Date().getTime(), 'action': 'change website ' + req.params.id + ' owner to ' + req.params.new , 'logs': []});
 res.send({message: 'Owner changed from ' + req.params.old + ' to ' + req.params.new});
- res.end();
 });
 
 router.get('/web', async function(req, res) {
From d7c61c5a88abe4f06bcf2a248853e9368b3a4c37 Mon Sep 17 00:00:00 2001
From: remy siminel
Date: Mon, 4 Nov 2024 10:29:45 +0100
Subject: [PATCH 2/3] add check and update changelog
---
 CHANGELOG.md | 2 ++
 routes/web.js | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
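Review bot: The three `findOne` lookups added in the second hunk cannot return their 404s for a missing record: each result is discarded, and if `dbsrv.mongo_web()` and `dbsrv.mongo_users()` are MongoDB driver collections (as the names suggest), `findOne` resolves to `null` on no match instead of throwing, so the `catch` blocks only run on a database error. A request naming an unknown website or user therefore still reaches `updateOne` and the event-log insert, and the site can end up with an `owner` uid that has no user record. Nothing compares `:old` with the stored `owner` either, so if `:old` is meant to be the current owner the success message can report a transfer that did not happen as described. The handler begins above the hunk; a possible shape for the checks follows.

```javascript
// … unchanged: session lookup and admin check …
// keep the hunk's try/catch around these lookups if DB errors should be answered here
const web = await dbsrv.mongo_web().findOne({name: req.params.id});
if (!web) {
    res.status(404).send({message: 'Website not found'});
    return;
}
if (web.owner !== req.params.old) {
    res.status(400).send({message: 'Old owner does not match current website owner'});
    return;
}
const new_owner = await dbsrv.mongo_users().findOne({uid: req.params.new});
if (!new_owner) {
    res.status(404).send({message: 'New website owner not found'});
    return;
}
// … unchanged: updateOne, event insert, response …
```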
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e14cc302..fa0ba279 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## 1.4.32 (Unreleased)
 
 * Clearer error message when adding a website
+* Add User, Project and Group static classes to front end (refactor)
+* Add checks for website owner update
 
 ## 1.4.31 (2024-09-27)
 
diff --git a/routes/web.js b/routes/web.js
index 4e5f153d..d500168c 100644
--- a/routes/web.js
+++ b/routes/web.js
@@ -39,12 +39,15 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) {
 return;
 }
 session_user.is_admin = isadmin;
-
 if(!session_user.is_admin) {
 res.status(401).send({message: 'Not authorized'});
 return;
 }
 
+ if (req.params.old == req.params.new) {
+ res.status(300).send({message: 'Old owner and new owner are the same person'});
+ return;
+ }
 try {
 await dbsrv.mongo_web().findOne({name: req.params.id});
 } catch(e) {
From 70dfa1c9a918dcfa185e4b9bc3cdeedaf766547a Mon Sep 17 00:00:00 2001
From: mboudet
Date: Fri, 8 Nov 2024 10:38:46 +0100
Subject: [PATCH 3/3] Update routes/web.js
---
 routes/web.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routes/web.js b/routes/web.js
index d500168c..a1843c0c 100644
--- a/routes/web.js
+++ b/routes/web.js
@@ -45,7 +45,7 @@ router.put('/web/:id/owner/:old/:new', async function(req, res) {
 }
 
 if (req.params.old == req.params.new) {
- res.status(300).send({message: 'Old owner and new owner are the same person'});
+ res.status(400).send({message: 'Old owner and new owner are the same person'});
 return;
 }
 try {
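Review bot: The new guard in the routes/web.js hunk of patch 2/3 compares the two route parameters with `==`; both are strings here, so `if (req.params.old === req.params.new) {` behaves the same and is the strict comparison a reader expects in a guard on an admin-only write. A one-line comment such as `// reject no-op transfers before touching the database` would also explain why this check sits ahead of the lookups. The handler starts and ends outside the hunk.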