k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 14:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

adding permission check for creation and delete of links

Browse Source
This commit is contained in:
Marek Maslowski
2026-04-24 18:50:22 +02:00
parent 3a3267d998
commit ff3a7ddbf0
5 changed files with 81 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/routes/trips.ts
+8 -1
View File
@@ -382,9 +382,13 @@ router.get('/:id/subscribe.ics', authenticate, (req: Request, res: Response) =>
router.post('/:id/subscribe.ics', authenticate, (req: Request, res: Response) => {
const authReq = req as AuthRequest;
if (!canAccessTrip(req.params.id, authReq.user.id)) {
const access = canAccessTrip(req.params.id, authReq.user.id);
if (!access) {
return res.status(404).json({ error: 'Trip not found' });
}
if (!checkPermission('share_manage', authReq.user.role, access.user_id, authReq.user.id, access.user_id !== authReq.user.id)) {
return res.status(403).json({ error: 'No permission' });
}
const result = createOrUpdateCalendarShareLink(req.params.id, authReq.user.id);
const host = req.get('host');
@@ -404,6 +408,9 @@ router.delete('/:id/subscribe.ics', authenticate, (req: Request, res: Response)
const authReq = req as AuthRequest;
const access = canAccessTrip(req.params.id, authReq.user.id);
if (!access) return res.status(404).json({ error: 'Trip not found' });
if (!checkPermission('share_manage', authReq.user.role, access.user_id, authReq.user.id, access.user_id !== authReq.user.id)) {
return res.status(403).json({ error: 'No permission' });
}
deleteCalendarShareLink(req.params.id);
res.json({ success: true });
server/tests/integration/trips.test.ts
+32
View File
@@ -921,6 +921,38 @@ describe('ICS export', () => {
expect(res.status).toBe(404);
});
it('TRIP-025 — member without share_manage cannot create subscribe link → 403', async () => {
const { user: owner } = createUser(testDb);
const { user: member } = createUser(testDb);
const trip = createTrip(testDb, owner.id, { title: 'Shared Trip' });
addTripMember(testDb, trip.id, member.id);
const res = await request(app)
.post(`/api/trips/${trip.id}/subscribe.ics`)
.set('Host', 'trek.example.com')
.set('Cookie', authCookie(member.id));
expect(res.status).toBe(403);
});
it('TRIP-025 — member without share_manage cannot delete subscribe link → 403', async () => {
const { user: owner } = createUser(testDb);
const { user: member } = createUser(testDb);
const trip = createTrip(testDb, owner.id, { title: 'Shared Trip' });
addTripMember(testDb, trip.id, member.id);
await request(app)
.post(`/api/trips/${trip.id}/subscribe.ics`)
.set('Host', 'trek.example.com')
.set('Cookie', authCookie(owner.id));
const res = await request(app)
.delete(`/api/trips/${trip.id}/subscribe.ics`)
.set('Cookie', authCookie(member.id));
expect(res.status).toBe(403);
});
});
// ─────────────────────────────────────────────────────────────────────────────