Commit 5e4cc171 authored by A. Koch's avatar A. Koch

fix broken ownership check

parent e19efa3e
......@@ -92,7 +92,7 @@ class Service extends TinyEmitter {
let result = await this.client.get(req.params.id)
if (result) {
// TODO: transactions anyone?!
if (req.user.uuid !== result.uuid) return this._errorResponse(res, 403)
if (req.user.uuid !== result.author.id) return this._errorResponse(res, 403)
data.uuid = req.params.id
let instance = new this.ModelConstructor(data, req.params.id)
await this.client.update(req.params.id, instance, req.params)
......@@ -105,7 +105,7 @@ class Service extends TinyEmitter {
const data = req.body
let existing = await this.client.get(req.params.id)
if (existing) {
if (req.user.uuid !== existing.uuid) return this._errorResponse(res, 403)
if (req.user.uuid !== existing.author.id) return this._errorResponse(res, 403)
let instance = new this.ModelConstructor(existing, req.params.id)
instance.populate(ObjectUtil.merge(instance.toObject(), data))
await this.client.update(req.params.id, instance, req.params)
......@@ -117,7 +117,7 @@ class Service extends TinyEmitter {
async deleteHandler (req, res) {
let existing = await this.client.get(req.params.id)
if (existing) {
if (req.user.uuid !== existing.uuid) return this._errorResponse(res, 403)
if (req.user.uuid !== existing.author.id) return this._errorResponse(res, 403)
const result = await this.client.remove(req.params.id, req.params)
if (result) {
return this._response(req, res, existing)
......
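Review bot: The new comparison `req.user.uuid !== existing.author.id` (written as `result.author.id` in the first hunk) dereferences `author` without checking that it exists, so a stored record with no author would throw inside the async handler instead of returning 403; the same line appears in all three handlers shown. A guard such as `if (!existing.author || req.user.uuid !== existing.author.id) return this._errorResponse(res, 403)` keeps the denial explicit, whereas optional chaining alone would let `undefined !== undefined` pass if `req.user.uuid` were ever unset. Ownership now rests on `author.id`, and both update paths appear to build the new instance from `req.body`, so it is worth confirming that a request cannot overwrite `author`; it is not pinned here the way `data.uuid` is. The three identical checks could move into one private helper so that a future fix lands in one place. The handler bodies start and end outside the hunks, so anything done before or after these lines is not visible here.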