Fix bug where unauthorized user could get detailed planet data
This commit is contained in:
parent
46ad28bc1b
commit
ac9ce7dcf2
|
@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
|
|||
import { ObjectId } from "mongodb";
|
||||
import Planet from "../../../../types/Planet";
|
||||
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
|
||||
import validateAccessToken from "../../../../lib/utils/validateAccessToken";
|
||||
import { getUserByAccessToken } from "../../../../lib/db/users";
|
||||
|
||||
export const GET: APIRoute = async ({ params, request }) => {
|
||||
const response = await validateAccessToken(request);
|
||||
if(response instanceof Response) return response;
|
||||
|
||||
const user = await getUserByAccessToken(response);
|
||||
if(user === null) {
|
||||
return new Response(
|
||||
JSON.stringify({
|
||||
code: 401,
|
||||
message: "Unauthorized"
|
||||
}), { status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
const planetId = params['planetId'];
|
||||
if(!planetId) return new Response(
|
||||
JSON.stringify({
|
||||
|
@ -32,6 +47,13 @@ export const GET: APIRoute = async ({ params, request }) => {
|
|||
);
|
||||
}
|
||||
|
||||
if(planet.owner._id !== user._id) return new Response(
|
||||
JSON.stringify({
|
||||
code: 403,
|
||||
message: "Forbidden"
|
||||
}), { status: 403 }
|
||||
);
|
||||
|
||||
await calculateCurrentAvailableResources(planet._id);
|
||||
|
||||
return new Response(
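Review bot: The ownership check at `if(planet.owner._id !== user._id)` uses strict inequality, which for MongoDB `ObjectId` instances (the file imports `ObjectId` from "mongodb") compares object identity rather than value, so two ids loaded by separate queries would never be equal and the legitimate owner would also receive 403; if `planet.owner._id` and `user._id` are both `ObjectId`s — confirm against the `Planet` and user types — compare by value instead, e.g. `if (!user._id.equals(planet.owner._id)) return new Response(`, or `if (String(planet.owner._id) !== String(user._id)) return new Response(` if either side may already be a string. The check fails closed, so it does not reintroduce the exposure this commit fixes, but it would break the endpoint for every owner. The not-found response that appears to precede this check (the `);` `}` at the top of the hunk) would let an authenticated user distinguish a nonexistent planet from one owned by someone else; returning the same 404 in both cases avoids that oracle. The enclosing GET handler starts in the earlier hunk and continues past `return new Response(` outside this hunk.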
|
||||
|
|