Added security checks for normal user, contributor and maintainer

cms/src/api/update-item/controllers/update-item.js

@@ -15,14 +15,20 @@ module.exports = createCoreController('api::update-item.update-item', ({ strapi
   },
   async update(ctx) {
     // console.log(ctx.state.user.role.name);
-
+    let response;
     switch (ctx.state.user.role.name) {
       case 'Public':
       case 'Authenticated':
       case 'Contributor':
         // Remove operation should be intact
-        ctx.request.body.data.updatedBy = ctx.state.user.id;
-        ctx.request.body.data.UpdateSubmissionTimestamp = new Date();
+        if (ctx.request.body.data.submittedBy.id !== ctx.state.user.id) {
+          const sanitizedEntity = await this.sanitizeOutput(null, ctx);
+          response = this.transformResponse(sanitizedEntity);
+        } else {
+          ctx.request.body.data.updatedBy = ctx.state.user.id;
+          ctx.request.body.data.UpdateSubmissionTimestamp = new Date();
+          response = await super.update(ctx);
+        }
         break;
 
       case 'Maintainer':
@@ -32,12 +38,13 @@ module.exports = createCoreController('api::update-item.update-item', ({ strapi
         // Apply review operation
         // const entity = await strapi.service('api::update-item.update-item').findOne(ctx.params.id);
         // console.log(entity);
-        ctx.request.body.data.reviewedBy = ctx.state.user.id;
-        ctx.request.body.data.UpdateReviewTimestamp = new Date();
+        ctx.request.body.data.updatedBy = ctx.state.user.id;
+        ctx.request.body.data.UpdateSubmissionTimestamp = new Date();
+        response = await super.update(ctx);
         break;
     }
 
-    return super.update(ctx);
+    return response;
   },
   // This updateReview function is called by only either Maintainer or Administrator
   async updateReview(ctx) {