Files
adastra_api/src/controllers/clans.controller.js
T
julien f293d35455 fix(herowars): replace Object.assign with explicit field whitelists
Mass assignment via Object.assign(entity, req.body) allowed callers
to overwrite protected fields (id, author). Updates are now restricted
to explicitly listed data fields on both Clan and Member.
2026-04-26 20:42:29 +02:00

114 lines
4.2 KiB
JavaScript

const { ClanService, UserService } = require('../services');
const asyncHandler = require("../middlewares/asyncHandler");
const ErrorResponse = require("../utils/errorResponse");
module.exports.createClan = asyncHandler(async (req, res, next) => {
try {
const user = await UserService.getUserById(req.payload.id);
if (!user) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
const {
id, title, country, description, disbanding, frameId, icon, level, members,
membersCount, minLevel, ownerId, serverId, topActivity, topDungeon
} = req.body;
const author = user.id;
const clan = await ClanService.createClan({
id, title, country, description, disbanding, frameId, icon, level, members,
membersCount, minLevel, ownerId, serverId, topActivity, topDungeon, author
});
//console.log(clan);
res.status(201).json({
message: 'Clan created successfully.',
data: clan.toJSONFor(),
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while creating clan.`, 500, err.message));
}
});
module.exports.deleteClan = asyncHandler(async (req, res, next) => {
try {
const { clanId } = req.params;
let clan = await ClanService.getClanById(clanId);
if (req.payload.id !== clan.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
let data = await ClanService.deleteClan(clan);
res.status(200).json({
message: 'Clan deleted successfully.',
data: data.id
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while deleting clan.`, 500, err.message));
}
});
module.exports.getAllClans = asyncHandler(async (req, res, next) => {
try {
let query = {};
let { limit = 25, offset = 0 } = req.query;
if (typeof req.query.title !== 'undefined') {
const rgx = new RegExp(`.*${req.query.title}.*`);
query = {
$or: [
{ title: { $regex: rgx, $options: "i" } },
{ id: { $regex: rgx, $options: "i" } },
],
}
}
const data = await ClanService.getAllClans(query, limit, offset);
res.status(200).json({
data: {
clans: data.clans.map(function (clan) {
return clan.toJSONFor();
}),
clansCount: data.clansCount
}
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while fetching clans.`, 500, err.message));
}
});
module.exports.getClan = asyncHandler(async (req, res, next) => {
try {
const { clanId } = req.params;
let clan = await ClanService.getClanById(clanId);
if (!clan) {
return next(new ErrorResponse("Clan not found", 404));
}
res.status(200).json({ clan: clan.toJSONFor() });
} catch (err) {
return next(new ErrorResponse(`Something went wrong while fetching clan.`, 500, err.message));
}
});
module.exports.updateClan = asyncHandler(async (req, res, next) => {
try {
const { clanId } = req.params;
let clan = await ClanService.getClanById(clanId);
console.log(clan.author.id, clan.author);
if (req.payload.id !== clan.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
}
const UPDATABLE_FIELDS = ['country', 'description', 'disbanding', 'frameId', 'flag', 'level', 'membersCount', 'minLevel', 'ownerId', 'serverId', 'title', 'topActivity', 'topDungeon'];
UPDATABLE_FIELDS.forEach(field => {
if (typeof req.body.clan[field] !== 'undefined') clan[field] = req.body.clan[field];
});
let data = await ClanService.updateClan(clan);
res.status(200).json({
message: 'Clan updated successfully.',
clan: data.toJSONFor()
});
} catch (err) {
return next(new ErrorResponse(`Something went wrong while updating clan.`, 500, err.message));
}
});