refacto/securize vote deletion

2023-08-14 14:34:41 +02:00 · 2023-08-14 14:34:41 +02:00 · e7438ae41b
commit e7438ae41b
parent dfdc09845c
2 changed files with 8 additions and 3 deletions
--- a/src/app/api/idnot/UserController.ts
+++ b/src/app/api/idnot/UserController.ts
@ -42,7 +42,7 @@ export default class UserController extends ApiController {
 			const id = req.params["idnot"];
 			if (!id) throw new Error("idnot is required");

-			const payload = await this.authService.getUserJwtPayload(id!);
+			const payload = await this.authService.getUserJwtPayload(id);
 			const accessToken = this.authService.generateAccessToken(payload);
 			const refreshToken = this.authService.generateRefreshToken(payload);

@ -50,7 +50,7 @@ export default class UserController extends ApiController {
 			this.httpSuccess(response, { accessToken, refreshToken });
 		} catch (error) {
 			console.log(error);
-			this.httpInternalError(response);
+			this.httpInternalError(response, error);
 			return;
 		}
 	}
--- a/src/app/api/super-admin/VotesController.ts
+++ b/src/app/api/super-admin/VotesController.ts
@ -76,7 +76,7 @@ export default class VotesController extends ApiController {
 	}

 	/**
-	 * @description Delete a specific folder
+	 * @description Delete a specific vote
 	 */
 	@Delete("/api/v1/super-admin/votes/:uid", [authHandler])
 	protected async delete(req: Request, response: Response) {
@ -94,6 +94,11 @@ export default class VotesController extends ApiController {
 				return;
 			}

+			if (voteFound.voter_uid !== req.body.user.userId) {
+				this.httpUnauthorized(response, "Can't delete a vote that's not yours");
+				return;
+			}
+
 			//call service to get prisma entity
 			const votetEntity: Votes = await this.votesService.delete(uid);