Fix unauthorized viewing of non-friends' dashboards for real

eding888 · eding888 · commit 0238ffbb1e56 · 2023-09-03T22:42:20.000-04:00
diff --git a/back/src/routers/taskRouter.ts b/back/src/routers/taskRouter.ts
@@ -53,7 +53,7 @@ taskRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon
   if (!user) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
+  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {
     return response.status(401).json({ error: 'You do not have this user added.' });
   }
   const tasks: TaskInterface[] = [];
diff --git a/back/src/routers/userRouter.ts b/back/src/routers/userRouter.ts
@@ -26,7 +26,7 @@ userRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon
   if (!user) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
+  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {
     return response.status(401).json({ error: 'You do not have this user added.' });
   }
   await user.populate({
@@ -66,7 +66,7 @@ userRouter.post('/acceptFriendRequest/:username', async (request: AuthenticatedR
   if (!requestUser) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (!user.friendsData.friendRequests.map(request => request.toUpperCase() === username.toUpperCase())) {
+  if (user.friendsData.friendRequests.map(request => request.toUpperCase() === username.toUpperCase()).length === 0) {
     return response.status(400).json({ error: 'User never recieved friend request form this user.' });
   }
   user.friendsData.friendRequests = user.friendsData.friendRequests.filter(request => request.toUpperCase() !== username.toUpperCase());
@@ -85,7 +85,7 @@ userRouter.post('/rejectFriendRequest/:username', async (request: AuthenticatedR
   if (!user) {
     return response.status(401).json({ error: 'User/token not found' });
   }
-  if (!user.friendsData.friendRequests.map(friend => friend.toUpperCase() === username)) {
+  if (user.friendsData.friendRequests.map(friend => friend.toUpperCase() === username).length === 0) {
     return response.status(400).json({ error: 'User never recieved friend request from this user.' });
   }
   user.friendsData.friendRequests = user.friendsData.friendRequests.filter(request => request.toUpperCase() !== username);
@@ -104,7 +104,7 @@ userRouter.post('/removeFriend/:username', async (request: AuthenticatedRequest,
   if (!requestUser) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (!user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
+  if (user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {
     return response.status(400).json({ error: 'This user was never added.' });
   }
   user.friendsData.friends = user.friendsData.friends.filter(request => request.toUpperCase() !== username.toUpperCase());
diff --git a/front/taskwizard-front/src/pages/VisitorDashboard.tsx b/front/taskwizard-front/src/pages/VisitorDashboard.tsx
@@ -94,6 +94,7 @@ function VisitorDashboard () {
       console.log('Connected to server');
       if (username) {
         const user = await getFriendUser(username);
+        console.log(user);
         if (!user.id) {
           navigate('/dashboard');
         }

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ taskRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon`
`53`	`53`	`if (!user) {`
`54`	`54`	`return response.status(400).json({ error: 'User does not exist.' });`
`55`	`55`	`}`
`56`		`- if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
	`56`	`+ if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {`
`57`	`57`	`return response.status(401).json({ error: 'You do not have this user added.' });`
`58`	`58`	`}`
`59`	`59`	`const tasks: TaskInterface[] = [];`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ userRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon`
`26`	`26`	`if (!user) {`
`27`	`27`	`return response.status(400).json({ error: 'User does not exist.' });`
`28`	`28`	`}`
`29`		`- if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
	`29`	`+ if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {`
`30`	`30`	`return response.status(401).json({ error: 'You do not have this user added.' });`
`31`	`31`	`}`
`32`	`32`	`await user.populate({`
`@@ -66,7 +66,7 @@ userRouter.post('/acceptFriendRequest/:username', async (request: AuthenticatedR`
`66`	`66`	`if (!requestUser) {`
`67`	`67`	`return response.status(400).json({ error: 'User does not exist.' });`
`68`	`68`	`}`
`69`		`- if (!user.friendsData.friendRequests.map(request => request.toUpperCase() === username.toUpperCase())) {`
	`69`	`+ if (user.friendsData.friendRequests.map(request => request.toUpperCase() === username.toUpperCase()).length === 0) {`
`70`	`70`	`return response.status(400).json({ error: 'User never recieved friend request form this user.' });`
`71`	`71`	`}`
`72`	`72`	`user.friendsData.friendRequests = user.friendsData.friendRequests.filter(request => request.toUpperCase() !== username.toUpperCase());`
`@@ -85,7 +85,7 @@ userRouter.post('/rejectFriendRequest/:username', async (request: AuthenticatedR`
`85`	`85`	`if (!user) {`
`86`	`86`	`return response.status(401).json({ error: 'User/token not found' });`
`87`	`87`	`}`
`88`		`- if (!user.friendsData.friendRequests.map(friend => friend.toUpperCase() === username)) {`
	`88`	`+ if (user.friendsData.friendRequests.map(friend => friend.toUpperCase() === username).length === 0) {`
`89`	`89`	`return response.status(400).json({ error: 'User never recieved friend request from this user.' });`
`90`	`90`	`}`
`91`	`91`	`user.friendsData.friendRequests = user.friendsData.friendRequests.filter(request => request.toUpperCase() !== username);`
`@@ -104,7 +104,7 @@ userRouter.post('/removeFriend/:username', async (request: AuthenticatedRequest,`
`104`	`104`	`if (!requestUser) {`
`105`	`105`	`return response.status(400).json({ error: 'User does not exist.' });`
`106`	`106`	`}`
`107`		`- if (!user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
	`107`	`+ if (user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase()).length === 0) {`
`108`	`108`	`return response.status(400).json({ error: 'This user was never added.' });`
`109`	`109`	`}`
`110`	`110`	`user.friendsData.friends = user.friendsData.friends.filter(request => request.toUpperCase() !== username.toUpperCase());`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,7 @@ function VisitorDashboard () {`
`94`	`94`	`console.log('Connected to server');`
`95`	`95`	`if (username) {`
`96`	`96`	`const user = await getFriendUser(username);`
	`97`	`+ console.log(user);`
`97`	`98`	`if (!user.id) {`
`98`	`99`	`navigate('/dashboard');`
`99`	`100`	`}`