Merge pull request #146 from WildCodeSchool/finalbis

front: fix edit user + back secure endpoint

backend/src/controllers/cvControllers.js

@@ -2,7 +2,7 @@ const models = require("../models/index");
 
 const getCv = async (req, res) => {
   const userId = parseInt(req.params.id, 10);
-  if (userId !== req.user.id) {
+  if (userId !== req.user.id && !req.user.isAdmin) {
     return res.status(403).send({ message: "Invalid user" }); // <=== Ton erreur vient d'ici
   }
   try {

backend/src/controllers/userControllers.js

@@ -18,17 +18,26 @@ const getUsers = async (_, res) => {
 const setSkills = async (req, res) => {
   const id = +req.params.id;
 
+  if (req.user.id !== id && !req.user.is_admin) {
+    return res.status(403).send({ error: "You do not have permission" });
+  }
+
   try {
     await models.userCompetence.setUserCompetencesList(id, req.body);
-    res.status(201).send({});
+    return res.status(201).send({});
   } catch (err) {
     console.error(err);
-    res.status(500).send({ error: err.message });
+    return res.status(400).send({ error: err.message });
   }
 };
 
 const getUserById = async (req, res) => {
   const id = +req.params.id;
+
+  if (req.user.id !== id && !req.user.is_admin) {
+    return res.status(403).send({ error: "You do not have permission" });
+  }
+
   try {
     const [result] = await models.user.findId(id);
     if (!result.length) {
@@ -65,6 +74,11 @@ const postUser = async (req, res) => {
 const updateUser = async (req, res) => {
   try {
     const id = +req.params.id;
+
+    if (req.user.id !== id && !req.user.is_admin) {
+      return res.status(403).send({ error: "You do not have permission" });
+    }
+
     let result = await models.user.update(id, req.body);
     if (result.affectedRows.length === 0) {
       return res.status(404);

backend/src/router.js

@@ -26,15 +26,24 @@ router.get(
   userControllers.getUsers
 );
 router.get("/users/:id([0-9]+)/cvs", authMiddleware, cvControllers.getCv);
-router.get("/users/:id([0-9]+)", userControllers.getUserById);
+router.get("/users/:id([0-9]+)", authMiddleware, userControllers.getUserById);
 router.get("/users/me", authMiddleware, userControllers.getProfile);
-router.post("/users", userControllers.postUser);
+router.post(
+  "/users",
+  authMiddleware,
+  authAdminMiddleware,
+  userControllers.postUser
+);
 router.post(
   "/users/:id([0-9]+)/add/skills",
   authMiddleware,
   userControllers.addSkills
 );
-router.post("/users/:id([0-9]+)/set/skills", userControllers.setSkills);
+router.post(
+  "/users/:id([0-9]+)/set/skills",
+  authMiddleware,
+  userControllers.setSkills
+);
 router.get(
   "/users/me/get-matching-offers",
   authMiddleware,
@@ -54,6 +63,7 @@ router.delete(
   userControllers.deleteUser
 );
 /* SKILLS. */
+// TODO: A revoir pb security
 router.post("/user/skills", userControllers.postSkills);
 router.get("/user/skills", userControllers.getSkills);
 router.get("/skills", competenceControllers.getSkills);

frontend/src/pages/ProfileUser/EditUser.jsx

@@ -36,7 +36,7 @@ function EditUser({ fromDashboard }) {
   const { id } = useParams();
 
   useEffect(() => {
-    if (currentUser.id !== +id) {
+    if (currentUser.id !== +id && !currentUser.is_admin) {
       navigate("/profile");
     }
     const getUser = async () => {