fix AllowedPublicUpdateFields for only apply to public methods

srgooglo 2022-03-15 03:10:22 +01:00
parent 76c9e905b9
commit 5f1b11569a


@ -6,12 +6,11 @@ import { Token, Schematized, createUser } from "../../lib"
import SessionController from "../SessionController" import SessionController from "../SessionController"
import _ from "lodash" import _ from "lodash"
const AllowedUserUpdateKeys = [ const AllowedPublicUpdateFields = [
"avatar",
"username",
"email",
"fullName", "fullName",
"verified", "avatar",
"email",
"description",
] ]
export default class UserController extends ComplexController { export default class UserController extends ComplexController {
@ -42,10 +41,6 @@ export default class UserController extends ComplexController {
const updateKeys = Object.keys(payload.update) const updateKeys = Object.keys(payload.update)
updateKeys.forEach((key) => { updateKeys.forEach((key) => {
if (!AllowedUserUpdateKeys.includes(key)) {
return false
}
user[key] = payload.update[key] user[key] = payload.update[key]
}) })
@ -97,8 +92,13 @@ export default class UserController extends ComplexController {
...user.toObject(), ...user.toObject(),
}) })
const followers = await UserFollow.find({
to: payload.to,
})
return { return {
following: true, following: true,
followers: followers,
} }
}, },
unfollow: async (payload) => { unfollow: async (payload) => {
@ -133,13 +133,39 @@ export default class UserController extends ComplexController {
...user.toObject(), ...user.toObject(),
}) })
const followers = await UserFollow.find({
to: payload.to,
})
return { return {
following: false, following: false,
followers: followers,
} }
}, },
} }
get = { get = {
"/followers": Schematized({
required: ["user_id"],
select: ["user_id"],
}, async (req, res) => {
let followers = []
const follows = await UserFollow.find({
to: req.selection.user_id,
})
for await (const follow of follows) {
const user = await User.findById(follow.user_id)
if (!user) {
continue
}
followers.push(user.toObject())
}
return res.json(followers)
}),
"/is_followed": { "/is_followed": {
middlewares: ["withAuthentication"], middlewares: ["withAuthentication"],
fn: Schematized({ fn: Schematized({
@ -291,9 +317,7 @@ export default class UserController extends ComplexController {
}) })
} }
return res.json({ return res.json(result)
following: result.following
})
}) })
} }
} }
@ -349,9 +373,17 @@ export default class UserController extends ComplexController {
return res.status(403).json({ error: "You are not allowed to update this user" }) return res.status(403).json({ error: "You are not allowed to update this user" })
} }
let update = {}
AllowedPublicUpdateFields.forEach((key) => {
if (typeof req.selection.update[key] !== "undefined") {
update[key] = req.selection.update[key]
}
})
this.methods.update({ this.methods.update({
user_id: req.selection.user_id, user_id: req.selection.user_id,
update: req.selection.update, update: update,
}).then((user) => { }).then((user) => {
return res.json({ return res.json({
...user ...user