Added the security check for find(), findOne() and updateReview()

7e83c40c · moon · 0078b184 · 7e83c40c
Commit 7e83c40c authored 3 years ago by moon
--- a/cms/src/api/update-item/controllers/update-item.js
+++ b/cms/src/api/update-item/controllers/update-item.js
@@ -39,17 +39,84 @@ module.exports = createCoreController('api::update-item.update-item', ({ strapi

    return super.update(ctx);
  },
+  // This updateReview function is called by only either Maintainer or Administrator
  async updateReview(ctx) {
-    console.log('update info')
-    const response = await super.update(ctx);
+    // console.log('update info')
+    let response;
+    switch (ctx.state.user.role.name) {
+      case 'Public':
+      case 'Authenticated':
+      case 'Contributor':
+        // Remove operation should be intact
+        const sanitizedEntity = await this.sanitizeOutput(null, ctx);
+        response = this.transformResponse(sanitizedEntity);
+        break;
+
+      case 'Maintainer':
+      case 'Administrator':
+        // Handle the review comment and
+        // If ReviewAt field is null, should be set. Otherwise it continues;
+        // Apply review operation
+        // const entity = await strapi.service('api::update-item.update-item').findOne(ctx.params.id);
+        // console.log(entity);
+        ctx.request.body.data.reviewedBy = ctx.state.user.id;
+        ctx.request.body.data.UpdateReviewTimestamp = new Date();
+        response = await super.update(ctx);
+        break;
+    }
+
    return response;
+  },
+  async find(ctx) {
+    // console.log(ctx.state.user.role.name);
+    ctx.query['populate'] = ['submittedBy', 'reviewedBy'];
+
+    switch (ctx.state.user.role.name) {
+      case 'Public':
+      case 'Authenticated':
+      case 'Contributor':
+        // Remove operation should be intact
+        ctx.query['filters'] = { submittedBy: ctx.state.user.id };
+        break;
+
+      case 'Maintainer':
+      case 'Administrator':
+        // Handle the review comment and
+        // If ReviewAt field is null, should be set. Otherwise it continues;
+        // Apply review operation
+        // const entity = await strapi.service('api::update-item.update-item').findOne(ctx.params.id);
+        // console.log(entity);
+        break;
+    }
+    // console.log(ctx.query)
+
+    return super.find(ctx)
+  },
+  async findOne(ctx) {
+    // console.log(ctx);
+    const { id } = ctx.params;
+    const { query } = ctx;
+    query['populate'] = ['submittedBy', 'reviewedBy'];
+
+    let entity = await strapi.service("api::update-item.update-item").findOne(id, query);
+    // console.log(entity);
+
+    switch (ctx.state.user.role.name) {
+      case 'Public':
+      case 'Authenticated':
+      case 'Contributor':
+        if (entity.submittedBy === null || entity.submittedBy.id !== ctx.state.user.id) {
+          entity = null;
+        }
+        break;
+
+      case 'Maintainer':
+      case 'Administrator':
+        break;
+    }
+
+    const sanitizedEntity = await this.sanitizeOutput(entity, ctx);
+
+    return this.transformResponse(sanitizedEntity);
  }
-  // async findAll(ctx) {
-  //   console.log(ctx);
-  //   return super.findAll(ctx, { populate: ['submittedBy', 'reviewedBy']})
-  // },
-  // async find(ctx) {
-  //   console.log(ctx);
-  //   return super.find(ctx, { populate: ['submittedBy', 'reviewedBy']})
-  // }
 }));