Fix bug where unauthorized user could get detailed planet data
This commit is contained in:
parent
46ad28bc1b
commit
25b7a01bd6
@ -42,9 +42,14 @@ export const createPlanet = async (options: { name: string, owner?: User, ownerI
|
|||
|
||||
export const getPlanetById = async (id: ObjectId) => {
|
||||
const planets = await Planets();
|
||||
return planets.findOne({
|
||||
const planet = await planets.findOne({
|
||||
_id: id
|
||||
}) as Promise<Planet | null>;
|
||||
});
|
||||
|
||||
if(!planet) return null;
|
||||
|
||||
planet.owner = await getUserById(planet.owner);
|
||||
return planet as Planet;
|
||||
}
|
||||
|
||||
export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => {
|
||||
|
|
|
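Review bot: The new `planet.owner = await getUserById(planet.owner);` followed by `return planet as Planet;` attaches the owner's full user document to every planet this helper returns, so each caller now receives the stored credential fields and must strip them itself — the API route hunk below does exactly that with a `//@ts-ignore` `delete planet.owner.password`. It is safer to drop such fields once, here or inside `getUserById` (a projection or an explicit pick of public fields), so a caller that forgets the delete cannot leak them. The cast also hides the case where the owner lookup yields null (a deleted or dangling owner): `planet.owner` becomes null while the return type still promises a `Planet`, and the route's `planet.owner._id` dereference would throw; consider `const owner = await getUserById(planet.owner);` / `if (!owner) return null;` / `planet.owner = owner;`, or model the populated shape as its own type instead of casting. `getUserById` is not imported within this hunk, so I assume it is already in scope earlier in the file.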
@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
|
|||
import { ObjectId } from "mongodb";
|
||||
import Planet from "../../../../types/Planet";
|
||||
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
|
||||
import validateAccessToken from "../../../../lib/utils/validateAccessToken";
|
||||
import { getUserByAccessToken } from "../../../../lib/db/users";
|
||||
|
||||
export const GET: APIRoute = async ({ params, request }) => {
|
||||
const response = await validateAccessToken(request);
|
||||
if(response instanceof Response) return response;
|
||||
|
||||
const user = await getUserByAccessToken(response);
|
||||
if(user === null) {
|
||||
return new Response(
|
||||
JSON.stringify({
|
||||
code: 401,
|
||||
message: "Unauthorized"
|
||||
}), { status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
const planetId = params['planetId'];
|
||||
if(!planetId) return new Response(
|
||||
JSON.stringify({
|
||||
|
@ -32,8 +47,18 @@ export const GET: APIRoute = async ({ params, request }) => {
|
|||
);
|
||||
}
|
||||
|
||||
if(planet.owner._id.toString() !== user._id.toString()) return new Response(
|
||||
JSON.stringify({
|
||||
code: 403,
|
||||
message: "Forbidden"
|
||||
}), { status: 403 }
|
||||
);
|
||||
|
||||
await calculateCurrentAvailableResources(planet._id);
|
||||
|
||||
//@ts-ignore
|
||||
delete planet.owner.password;
|
||||
|
||||
return new Response(
|
||||
JSON.stringify({
|
||||
code: 200,
|
||||
|
|
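Review bot: The new ownership check `if(planet.owner._id.toString() !== user._id.toString())` assumes `getPlanetById` populated `planet.owner` with a user document; if that lookup produced null the expression throws before the 403 is reached and the client gets a 500 instead of a deny. A guard ahead of it, such as `if (!planet.owner?._id) return new Response(JSON.stringify({ code: 404, message: "Not Found" }), { status: 404 });`, keeps the failure closed without relying on the helper's cast. The `//@ts-ignore` plus `delete planet.owner.password` is a denylist: any other non-public field on the user document is still serialized into the 200 body, and the suppression hides that the populated owner no longer matches the `Planet` type; building the response from an explicit allowlist of owner fields (`_id` plus whatever display fields the client needs) is safer and needs no `@ts-ignore`. `GET` begins in the earlier hunk and its body continues past this one.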