f293d35455
Mass assignment via Object.assign(entity, req.body) allowed callers to overwrite protected fields (id, author). Updates are now restricted to explicitly listed data fields on both Clan and Member.
113 lines
4.4 KiB
JavaScript
113 lines
4.4 KiB
JavaScript
const { MemberService, UserService } = require('../services');
|
|
const asyncHandler = require("../middlewares/asyncHandler");
|
|
const ErrorResponse = require("../utils/errorResponse");
|
|
|
|
module.exports.createMember = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const user = await UserService.getUserById(req.payload.id);
|
|
if (!user) {
|
|
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
|
|
}
|
|
const {
|
|
id, allowPm, avatarId, clanIcon, clanId, clanRole, clanTitle, commander, frameId,
|
|
isChatModerator, lastLoginTime, leagueId, level, name, serverId
|
|
} = req.body;
|
|
const author = user.id;
|
|
|
|
const member = await MemberService.createMember({
|
|
id, allowPm, avatarId, clanIcon, clanId, clanRole, clanTitle, commander, frameId,
|
|
isChatModerator, lastLoginTime, leagueId, level, name, serverId, author
|
|
});
|
|
|
|
res.status(201).json({
|
|
message: 'Member created successfully.',
|
|
data: member.toJSONFor(),
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse(`Something went wrong while creating member.`, 500, err.message));
|
|
}
|
|
});
|
|
|
|
module.exports.deleteMember = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const { memberId } = req.params;
|
|
let member = await MemberService.getMemberById(memberId);
|
|
if (req.payload.id !== member.author.id) {
|
|
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
|
|
}
|
|
|
|
let data = await MemberService.deleteMember(member);
|
|
res.status(200).json({
|
|
message: 'Member deleted successfully.',
|
|
data: data.id
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse(`Something went wrong while deleting member.`, 500, err.message));
|
|
}
|
|
});
|
|
|
|
module.exports.getAllMembers = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
let query = {};
|
|
let { limit = 25, offset = 0 } = req.query;
|
|
if (typeof req.query.name !== 'undefined') {
|
|
const rgx = new RegExp(`.*${req.query.name}.*`);
|
|
query = {
|
|
$or: [
|
|
{ name: { $regex: rgx, $options: "i" } },
|
|
{ id: { $regex: rgx, $options: "i" } },
|
|
],
|
|
}
|
|
}
|
|
|
|
const data = await MemberService.getAllMembers(query, limit, offset);
|
|
res.status(200).json({
|
|
data: {
|
|
members: data.members.map(function (member) {
|
|
return member.toJSONFor();
|
|
}),
|
|
membersCount: data.membersCount
|
|
}
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse(`Something went wrong while fetching members.`, 500, err.message));
|
|
}
|
|
});
|
|
|
|
module.exports.getMember = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const { memberId } = req.params;
|
|
let member = await MemberService.getMemberById(memberId);
|
|
if (!member) {
|
|
return next(new ErrorResponse("Member not found", 404));
|
|
}
|
|
|
|
res.status(200).json({ member: member.toJSONFor() });
|
|
} catch (err) {
|
|
return next(new ErrorResponse(`Something went wrong while updating member.`, 500, err.message));
|
|
}
|
|
});
|
|
|
|
module.exports.updateMember = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const { memberId } = req.params;
|
|
let member = await MemberService.getMemberById(memberId);
|
|
|
|
if (req.payload.id !== member.author.id) {
|
|
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
|
|
}
|
|
const UPDATABLE_FIELDS = ['name', 'lastLoginTime', 'serverId', 'level', 'clanId', 'clanRole', 'commander', 'avatarId', 'isChatModerator', 'frameId', 'leagueId', 'clanTitle', 'champion', 'stats', 'membership', 'adventureSum', 'clanGiftsSum', 'clanWarSum', 'history', 'score', 'scoreGifts', 'warGifts', 'rewards'];
|
|
UPDATABLE_FIELDS.forEach(field => {
|
|
if (typeof req.body.member[field] !== 'undefined') member[field] = req.body.member[field];
|
|
});
|
|
|
|
let data = await MemberService.updateMember(member);
|
|
res.status(200).json({
|
|
message: 'Member updated successfully.',
|
|
member: data.toJSONFor()
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse(`Something went wrong while updating member.`, 500, err.message));
|
|
}
|
|
});
|