Fix unauthorized viewing of non-friends' dashboards

eding888 · eding888 · commit ac249929aa31 · 2023-09-03T21:40:45.000-04:00
diff --git a/back/src/routers/taskRouter.ts b/back/src/routers/taskRouter.ts
@@ -53,7 +53,7 @@ taskRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon
   if (!user) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (!request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
+  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
     return response.status(401).json({ error: 'You do not have this user added.' });
   }
   const tasks: TaskInterface[] = [];
diff --git a/back/src/routers/userRouter.ts b/back/src/routers/userRouter.ts
@@ -26,7 +26,7 @@ userRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon
   if (!user) {
     return response.status(400).json({ error: 'User does not exist.' });
   }
-  if (!request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
+  if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {
     return response.status(401).json({ error: 'You do not have this user added.' });
   }
   await user.populate({
diff --git a/front/taskwizard-front/src/pages/VisitorDashboard.tsx b/front/taskwizard-front/src/pages/VisitorDashboard.tsx
@@ -95,6 +95,9 @@ function VisitorDashboard () {
       console.log('Connected to server');
       if (username) {
         const user = await getFriendUser(username);
+        if (!user.id) {
+          navigate('/dashboard');
+        }
         socket.emit('subscribeToUser', user.id);
       }
     });

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ taskRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon`
`53`	`53`	`if (!user) {`
`54`	`54`	`return response.status(400).json({ error: 'User does not exist.' });`
`55`	`55`	`}`
`56`		`- if (!request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
	`56`	`+ if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
`57`	`57`	`return response.status(401).json({ error: 'You do not have this user added.' });`
`58`	`58`	`}`
`59`	`59`	`const tasks: TaskInterface[] = [];`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ userRouter.get('/friend/:username', async (request: AuthenticatedRequest, respon`
`26`	`26`	`if (!user) {`
`27`	`27`	`return response.status(400).json({ error: 'User does not exist.' });`
`28`	`28`	`}`
`29`		`- if (!request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
	`29`	`+ if (request.user.friendsData.friends.map(friend => friend.toUpperCase() === username.toUpperCase())) {`
`30`	`30`	`return response.status(401).json({ error: 'You do not have this user added.' });`
`31`	`31`	`}`
`32`	`32`	`await user.populate({`