Files
adastra_api/src/controllers/members.controller.js
T
julien f293d35455 fix(herowars): replace Object.assign with explicit field whitelists
Mass assignment via Object.assign(entity, req.body) allowed callers
to overwrite protected fields (id, author). Updates are now restricted
to explicitly listed data fields on both Clan and Member.
2026-04-26 20:42:29 +02:00

113 lines
4.4 KiB
JavaScript

const { MemberService, UserService } = require('../services');
const asyncHandler = require("../middlewares/asyncHandler");
const ErrorResponse = require("../utils/errorResponse");
module.exports.createMember = asyncHandler(async (req, res, next) => {
try {
const user = await UserService.getUserById(req.payload.id);
if (!user) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
const {
id, allowPm, avatarId, clanIcon, clanId, clanRole, clanTitle, commander, frameId,
isChatModerator, lastLoginTime, leagueId, level, name, serverId
} = req.body;
const author = user.id;
const member = await MemberService.createMember({
id, allowPm, avatarId, clanIcon, clanId, clanRole, clanTitle, commander, frameId,
isChatModerator, lastLoginTime, leagueId, level, name, serverId, author
});
res.status(201).json({
message: 'Member created successfully.',
data: member.toJSONFor(),
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while creating member.`, 500, err.message));
}
});
module.exports.deleteMember = asyncHandler(async (req, res, next) => {
try {
const { memberId } = req.params;
let member = await MemberService.getMemberById(memberId);
if (req.payload.id !== member.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
let data = await MemberService.deleteMember(member);
res.status(200).json({
message: 'Member deleted successfully.',
data: data.id
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while deleting member.`, 500, err.message));
}
});
module.exports.getAllMembers = asyncHandler(async (req, res, next) => {
try {
let query = {};
let { limit = 25, offset = 0 } = req.query;
if (typeof req.query.name !== 'undefined') {
const rgx = new RegExp(`.*${req.query.name}.*`);
query = {
$or: [
{ name: { $regex: rgx, $options: "i" } },
{ id: { $regex: rgx, $options: "i" } },
],
}
}
const data = await MemberService.getAllMembers(query, limit, offset);
res.status(200).json({
data: {
members: data.members.map(function (member) {
return member.toJSONFor();
}),
membersCount: data.membersCount
}
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while fetching members.`, 500, err.message));
}
});
module.exports.getMember = asyncHandler(async (req, res, next) => {
try {
const { memberId } = req.params;
let member = await MemberService.getMemberById(memberId);
if (!member) {
return next(new ErrorResponse("Member not found", 404));
}
res.status(200).json({ member: member.toJSONFor() });
} catch (err) {
return next(new ErrorResponse(`Something went wrong while updating member.`, 500, err.message));
}
});
module.exports.updateMember = asyncHandler(async (req, res, next) => {
try {
const { memberId } = req.params;
let member = await MemberService.getMemberById(memberId);
if (req.payload.id !== member.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
const UPDATABLE_FIELDS = ['name', 'lastLoginTime', 'serverId', 'level', 'clanId', 'clanRole', 'commander', 'avatarId', 'isChatModerator', 'frameId', 'leagueId', 'clanTitle', 'champion', 'stats', 'membership', 'adventureSum', 'clanGiftsSum', 'clanWarSum', 'history', 'score', 'scoreGifts', 'warGifts', 'rewards'];
UPDATABLE_FIELDS.forEach(field => {
if (typeof req.body.member[field] !== 'undefined') member[field] = req.body.member[field];
});
let data = await MemberService.updateMember(member);
res.status(200).json({
message: 'Member updated successfully.',
member: data.toJSONFor()
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while updating member.`, 500, err.message));
}
});