authorPitu <[email protected]>2019-10-12 21:14:19 +0900
committerPitu <[email protected]>2019-10-12 21:14:19 +0900
commitbca8fbcd839d2239e3f6f141f662fbbc74726835 (patch)
tree174fb569e7ae5fb3daf4cbfbfb0d957db976074b /src/api
parentAdded new links to the navbar (diff)
downloadhost.fuwn.me-bca8fbcd839d2239e3f6f141f662fbbc74726835.tar.xz
host.fuwn.me-bca8fbcd839d2239e3f6f141f662fbbc74726835.zip
refactor: removed useless code, cleaned up, fixed permissions
Diffstat (limited to 'src/api')
-rw-r--r--src/api/database/seeds/initial.js2
-rw-r--r--src/api/routes/albums/albumDELETE.js2
-rw-r--r--src/api/routes/albums/albumPurgeDELETE.js2
-rw-r--r--src/api/routes/albums/albumsGET.js2
-rw-r--r--src/api/routes/albums/link/linkDELETE.js4
-rw-r--r--src/api/routes/albums/link/linkPOST.js3
-rw-r--r--src/api/routes/baseGET.js13
-rw-r--r--src/api/routes/files/albumAddPOST.js8
-rw-r--r--src/api/routes/files/albumDelPOST.js8
-rw-r--r--src/api/routes/files/tagAddPOST.js6
-rw-r--r--src/api/routes/files/tagDelPOST.js27
-rw-r--r--src/api/routes/files/uploadPOST.js6
-rw-r--r--src/api/routes/verifyGET.js12
13 files changed, 37 insertions, 58 deletions
diff --git a/src/api/database/seeds/initial.js b/src/api/database/seeds/initial.js
index bb4ce8c..280fd74 100644
--- a/src/api/database/seeds/initial.js
+++ b/src/api/database/seeds/initial.js
@@ -3,7 +3,7 @@ const moment = require('moment');
exports.seed = async db => {
const now = moment.utc().toDate();
- const user = await db.table('users').where({ username: 'root' }).first();
+ const user = await db.table('users').where({ username: process.env.ADMIN_ACCOUNT }).first();
if (user) return;
try {
const hash = await bcrypt.hash(process.env.ADMIN_PASSWORD, 10);
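Review bot: The added lookup reads `process.env.ADMIN_ACCOUNT` without checking that it is set, and the context line below does the same with `process.env.ADMIN_PASSWORD`. If either variable is missing, the seed will either fail inside the query builder with an unhelpful error or, depending on how an undefined value is handled, proceed with incomplete admin configuration. A guard at the top of `seed` makes the requirement explicit: `if (!process.env.ADMIN_ACCOUNT || !process.env.ADMIN_PASSWORD) throw new Error('ADMIN_ACCOUNT and ADMIN_PASSWORD must be set');`. The rest of the function, including the insert, is outside this hunk.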
diff --git a/src/api/routes/albums/albumDELETE.js b/src/api/routes/albums/albumDELETE.js
index 2aa9942..96698b4 100644
--- a/src/api/routes/albums/albumDELETE.js
+++ b/src/api/routes/albums/albumDELETE.js
@@ -14,7 +14,7 @@ class albumDELETE extends Route {
Check if the album exists
*/
const album = await db.table('albums').where({ id, userId: user.id }).first();
- if (!album) return res.status(400).json({ message: 'The file doesn\'t exist or doesn\'t belong to the user' });
+ if (!album) return res.status(400).json({ message: 'The album doesn\'t exist or doesn\'t belong to the user' });
try {
/*
diff --git a/src/api/routes/albums/albumPurgeDELETE.js b/src/api/routes/albums/albumPurgeDELETE.js
index 5a67c8e..a63eafc 100644
--- a/src/api/routes/albums/albumPurgeDELETE.js
+++ b/src/api/routes/albums/albumPurgeDELETE.js
@@ -14,7 +14,7 @@ class albumDELETE extends Route {
Check if the album exists
*/
const album = await db.table('albums').where({ id, userId: user.id }).first();
- if (!album) return res.status(400).json({ message: 'The file doesn\'t exist or doesn\'t belong to the user' });
+ if (!album) return res.status(400).json({ message: 'The album doesn\'t exist or doesn\'t belong to the user' });
try {
await Util.deleteAllFilesFromAlbum(id);
diff --git a/src/api/routes/albums/albumsGET.js b/src/api/routes/albums/albumsGET.js
index 3be1213..c61ad03 100644
--- a/src/api/routes/albums/albumsGET.js
+++ b/src/api/routes/albums/albumsGET.js
@@ -18,6 +18,8 @@ class albumsGET extends Route {
.select('id', 'name', 'createdAt', 'editedAt');
for (const album of albums) {
+ // TODO: Optimize the shit out of this.
+
/*
Fetch every public link the album has
*/
diff --git a/src/api/routes/albums/link/linkDELETE.js b/src/api/routes/albums/link/linkDELETE.js
index 7adcaac..904687f 100644
--- a/src/api/routes/albums/link/linkDELETE.js
+++ b/src/api/routes/albums/link/linkDELETE.js
@@ -6,13 +6,13 @@ class linkDELETE extends Route {
super('/album/link/delete/:identifier', 'delete');
}
- async run(req, res, db) {
+ async run(req, res, db, user) {
const { identifier } = req.params;
if (!identifier) return res.status(400).json({ message: 'Invalid identifier supplied' });
try {
const link = await db.table('links')
- .where({ identifier })
+ .where({ identifier, userId: user.id })
.first();
dump(link);
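Review bot: `dump(link);` right after the newly scoped lookup looks like a leftover debug call, and presumably writes the link row to output on every delete request; it is worth dropping in a commit that is otherwise cleanup. With the added `userId: user.id` filter, `link` is now also empty when the identifier belongs to another user. The code after this point is outside the hunk, so confirm that it returns the same "not found" response for both cases and that the delete is scoped to the fetched row rather than to `identifier` alone. I would also add a comment above the query: `// Scope by owner so users can only delete their own links`.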
diff --git a/src/api/routes/albums/link/linkPOST.js b/src/api/routes/albums/link/linkPOST.js
index 297348c..6009922 100644
--- a/src/api/routes/albums/link/linkPOST.js
+++ b/src/api/routes/albums/link/linkPOST.js
@@ -1,6 +1,5 @@
const Route = require('../../../structures/Route');
const Util = require('../../../utils/Util');
-const log = require('../../../utils/Log');
class linkPOST extends Route {
constructor() {
@@ -15,7 +14,7 @@ class linkPOST extends Route {
/*
Make sure the album exists
*/
- const exists = await db.table('albums').where('id', albumId).first();
+ const exists = await db.table('albums').where({ id: albumId, userId: user.id }).first();
if (!exists) return res.status(400).json({ message: 'Album doesn\t exist' });
/*
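Review bot: The context line after the new ownership query has a broken escape: `'Album doesn\t exist'` contains `\t`, so the client receives a tab character instead of an apostrophe; it should read `'Album doesn\'t exist'`. The added query uses `user.id`, but the signature of `run` is outside this hunk, so confirm it already accepts `user` (linkDELETE.js needed that parameter added in this same commit). The first hunk of this file removes the `log` import; check that no `log.` call remains further down the file.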
diff --git a/src/api/routes/baseGET.js b/src/api/routes/baseGET.js
deleted file mode 100644
index a6c01ea..0000000
--- a/src/api/routes/baseGET.js
+++ /dev/null
@@ -1,13 +0,0 @@
-const Route = require('../structures/Route');
-
-class verifyGET extends Route {
- constructor() {
- super('/', 'get', { bypassAuth: true });
- }
-
- run(req, res) {
- return res.json({ message: 'Hai hai api desu.' });
- }
-}
-
-module.exports = verifyGET;
diff --git a/src/api/routes/files/albumAddPOST.js b/src/api/routes/files/albumAddPOST.js
index fc4ee71..af39caa 100644
--- a/src/api/routes/files/albumAddPOST.js
+++ b/src/api/routes/files/albumAddPOST.js
@@ -5,11 +5,17 @@ class albumAddPOST extends Route {
super('/file/album/add', 'post');
}
- async run(req, res, db) {
+ async run(req, res, db, user) {
if (!req.body) return res.status(400).json({ message: 'No body provided' });
const { fileId, albumId } = req.body;
if (!fileId || !albumId) return res.status(400).json({ message: 'No id provided' });
+ // Make sure both file and album belong to the user
+ const file = await db.table('files').where({ id: fileId, userId: user.id }).first();
+ if (!file) return res.status(400).json({ message: 'File doesn\'t exist.' });
+ const album = await db.table('albums').where({ id: albumId, userId: user.id }).first();
+ if (!album) return res.status(400).json({ message: 'Album doesn\'t exist.' });
+
try {
await db.table('albumsFiles')
.insert({ fileId, albumId });
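Review bot: The new ownership checks pass `fileId` and `albumId` from `req.body` straight into `where({ ... })` after only a truthiness test, so an object or array sent in the JSON body reaches the query builder. Depending on the database driver, a non-scalar value there can change how the condition is built, which would undermine the check this commit adds. Rejecting anything that is not a string or number first keeps the filter meaningful, e.g. `if (![fileId, albumId].every(v => ['string', 'number'].includes(typeof v))) return res.status(400).json({ message: 'Invalid id provided' });`. The same applies to the identical block in albumDelPOST.js and to `fileId` in tagAddPOST.js.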
diff --git a/src/api/routes/files/albumDelPOST.js b/src/api/routes/files/albumDelPOST.js
index fd6bbd0..9a4b87b 100644
--- a/src/api/routes/files/albumDelPOST.js
+++ b/src/api/routes/files/albumDelPOST.js
@@ -5,11 +5,17 @@ class albumDelPOST extends Route {
super('/file/album/del', 'post');
}
- async run(req, res, db) {
+ async run(req, res, db, user) {
if (!req.body) return res.status(400).json({ message: 'No body provided' });
const { fileId, albumId } = req.body;
if (!fileId || !albumId) return res.status(400).json({ message: 'No id provided' });
+ // Make sure both file and album belong to the user
+ const file = await db.table('files').where({ id: fileId, userId: user.id }).first();
+ if (!file) return res.status(400).json({ message: 'File doesn\'t exist.' });
+ const album = await db.table('albums').where({ id: albumId, userId: user.id }).first();
+ if (!album) return res.status(400).json({ message: 'Album doesn\'t exist.' });
+
try {
await db.table('albumsFiles')
.where({ fileId, albumId })
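Review bot: This ownership block is a verbatim copy of the one added to albumAddPOST.js, and tagAddPOST.js repeats the file half of it. Authorization checks that are copy-pasted per route tend to drift apart, so I would move them into one helper (for example on `Util` or the `Route` base class) that returns the owned row or nothing, and call it from each route. The delete below filters only on `{ fileId, albumId }`, which is safe only while both checks stay in front of it; a comment such as `// Both ids were verified to belong to the user above` would make that dependency visible. The end of `run` is outside this hunk.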
diff --git a/src/api/routes/files/tagAddPOST.js b/src/api/routes/files/tagAddPOST.js
index 9d334d8..25467ab 100644
--- a/src/api/routes/files/tagAddPOST.js
+++ b/src/api/routes/files/tagAddPOST.js
@@ -5,11 +5,15 @@ class tagAddPOST extends Route {
super('/file/tag/add', 'post');
}
- run(req, res, db) {
+ async run(req, res, db, user) {
if (!req.body) return res.status(400).json({ message: 'No body provided' });
const { fileId, tagNames } = req.body;
if (!fileId || !tagNames.length) return res.status(400).json({ message: 'No tags provided' });
+ // Make sure the file belongs to the user
+ const file = await db.table('files').where({ id: fileId, userId: user.id }).first();
+ if (!file) return res.status(400).json({ message: 'File doesn\'t exist.' });
+
tagNames.forEach(async tag => {
try {
await db.table('fileTags').insert({ fileId, tag });
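Review bot: `run` is now `async`, but the inserts still go through `tagNames.forEach(async tag => { ... })`, which does not wait for any of them, so the response can be sent before the rows are written and a failure in one insert is not tied to the request. `for (const tag of tagNames) { await db.table('fileTags').insert({ fileId, tag }); }` inside a single `try` would make the route actually wait. The guard above also calls `tagNames.length` without checking that `tagNames` is present, which throws when the field is absent from the body; `!Array.isArray(tagNames) || !tagNames.length` covers that. The catch branch and the final response are outside this hunk.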
diff --git a/src/api/routes/files/tagDelPOST.js b/src/api/routes/files/tagDelPOST.js
deleted file mode 100644
index fd6bbd0..0000000
--- a/src/api/routes/files/tagDelPOST.js
+++ /dev/null
@@ -1,27 +0,0 @@
-const Route = require('../../structures/Route');
-
-class albumDelPOST extends Route {
- constructor() {
- super('/file/album/del', 'post');
- }
-
- async run(req, res, db) {
- if (!req.body) return res.status(400).json({ message: 'No body provided' });
- const { fileId, albumId } = req.body;
- if (!fileId || !albumId) return res.status(400).json({ message: 'No id provided' });
-
- try {
- await db.table('albumsFiles')
- .where({ fileId, albumId })
- .delete();
- } catch (error) {
- return super.error(res, error);
- }
-
- return res.json({
- message: 'Successfully removed file from album'
- });
- }
-}
-
-module.exports = albumDelPOST;
diff --git a/src/api/routes/files/uploadPOST.js b/src/api/routes/files/uploadPOST.js
index 5c6bcb0..6996a6e 100644
--- a/src/api/routes/files/uploadPOST.js
+++ b/src/api/routes/files/uploadPOST.js
@@ -19,10 +19,14 @@ class uploadPOST extends Route {
super('/upload.....', 'post', { bypassAuth: true });
}
- async run(req, res, db) {
+ run(req, res) {
+ return res.status(201).send();
+
+ /*
const user = await Util.isAuthorized(req);
if (!user && process.env.PUBLIC_MODE == 'false') return res.status(401).json({ message: 'Not authorized to use this resource' });
return this.uploadFile(req, res, db, user);
+ */
}
async processFile(req, res, db, user, file) {
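Review bot: `run` now answers every request with `201` and an empty body while the route keeps `bypassAuth: true`, so any unauthenticated client is told a resource was created although nothing was stored. If uploads are meant to be off for now, a status that says so is safer for clients and monitoring: `return res.status(503).json({ message: 'Uploads are temporarily disabled' });`. The commented-out block is dead code that the commit message does not mention; I would remove it and rely on history. When it is restored, note that `process.env.PUBLIC_MODE == 'false'` fails open: with the variable unset, anonymous uploads are allowed, so the check should require `PUBLIC_MODE === 'true'` to skip authorization.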
diff --git a/src/api/routes/verifyGET.js b/src/api/routes/verifyGET.js
index 5875dbb..2f370e8 100644
--- a/src/api/routes/verifyGET.js
+++ b/src/api/routes/verifyGET.js
@@ -6,15 +6,13 @@ class verifyGET extends Route {
}
run(req, res, db, user) {
- const returnUser = {
- id: user.id,
- username: user.username,
- isAdmin: user.isAdmin
- };
-
return res.json({
message: 'Successfully verified token',
- user: returnUser
+ user: {
+ id: user.id,
+ username: user.username,
+ isAdmin: user.isAdmin
+ }
});
}
}