From 2ad8212dcff5029f89d7a1704eb4e59ffa080e15 Mon Sep 17 00:00:00 2001
From: Rafael Pernil
Date: Fri, 24 Sep 2021 21:58:52 +0200
Subject: [PATCH] fix: Add admin guard to edit resource

---
 .../src/graphql/resolvers/ResourceResolvers.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/https-graphql-backend/src/graphql/resolvers/ResourceResolvers.ts b/https-graphql-backend/src/graphql/resolvers/ResourceResolvers.ts
index ee38336..d701fab 100644
--- a/https-graphql-backend/src/graphql/resolvers/ResourceResolvers.ts
+++ b/https-graphql-backend/src/graphql/resolvers/ResourceResolvers.ts
@@ -215,6 +215,12 @@ export const ResourceResolvers: Resolvers = {
 const client = await (await context.mongoDBConnection).connection;
+ const hasAdminAccess = await hasAdminAccessInResource(new ObjectId(context?.user?._id ?? "").toHexString() ?? "", id ?? "", db)
+ if (!hasAdminAccess) {
+ return { status: OperationResult.Error }
+ }
+
+
 let result: UpdateResult = { status: OperationResult.Ok };
 // First let's clear out all awaiting confirmation
@@ -358,7 +364,7 @@ export const ResourceResolvers: Resolvers = {
 const hasAdminAccess = await hasAdminAccessInResource(new ObjectId(context?.user?._id ?? "").toHexString() ?? "", resourceId, db)
 if (!hasAdminAccess) {
- console.log("Does not have admin access", hasAdminAccess, new ObjectId(context?.user?._id ?? ""), resourceId);
+ // console.log("Does not have admin access", hasAdminAccess, new ObjectId(context?.user?._id ?? ""), resourceId);
 return { status: OperationResult.Error }
 }
@@ -370,7 +376,7 @@ export const ResourceResolvers: Resolvers = {
 })
 if (!deleteResult.deletedCount || !deleteNotificationResult.deletedCount) {
- console.log("Has not deleted the resource or notifications");
+ // console.log("Has not deleted the resource or notifications");
 return { status: OperationResult.Error }
 }
 return { status: OperationResult.Ok };
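Review bot: The new guard in the first hunk builds `new ObjectId(context?.user?._id ?? "")` before confirming a user is present, so an unauthenticated call reaches the ObjectId constructor with an empty string, which the bson driver (as far as I recall) rejects by throwing rather than falling through to the `OperationResult.Error` return the branch intends; the request still fails closed, but as an unhandled resolver exception whose message is surfaced to the caller instead of the uniform error status. The `?? ""` after `.toHexString()` is unreachable since that method always returns a string, and `id ?? ""` hands an empty id to `hasAdminAccessInResource` whose handling of it is not visible here. I would check the identity first: `const userId = context?.user?._id; if (!userId) { return { status: OperationResult.Error } }` and then pass `new ObjectId(userId).toHexString()` and `id` to `hasAdminAccessInResource`. The same construction sits on the context line of the second hunk, and the enclosing resolver starts and ends outside this hunk.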
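Review bot: Commenting out the `console.log` on the denied-admin-access branch in the second hunk leaves dead code in the file and removes the only trace of a rejected authorization attempt, which is the event an operator most wants to see; the commented-out log in the third hunk has the same problem. Either delete the lines outright or route the message through whatever leveled logger the service uses, at warn level with the resource id, so the denial stays observable without the console noise that presumably motivated the change. The enclosing functions of both hunks start outside the visible lines.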