Skip to content

fix: user profile not deleted without "Manage User Access" permission gf-449 #478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 24, 2024
Merged

fix: user profile not deleted without "Manage User Access" permission gf-449 #478

merged 8 commits into from
Sep 24, 2024

Conversation

@Vitaliistf
Copy link
Collaborator

@Vitaliistf Vitaliistf commented Sep 23, 2024
edited
Loading

Added logic to handle user self-accessing activity to the check user permissions hook.

@Vitaliistf Vitaliistf added this to the git-fit-release-6 milestone Sep 23, 2024
@Vitaliistf Vitaliistf self-assigned this Sep 23, 2024
perekotypole
perekotypole reviewed Sep 23, 2024
View reviewed changes
liza-veis
liza-veis requested changes Sep 23, 2024
View reviewed changes
apps/backend/src/libs/hooks/check-user-permissions.hook.ts Outdated
Comment on lines 19 to 27
const resourceId = (params as { id?: string }).id;
const isUsersRoute = url.includes(APIPath.USERS);
const isCurrentUserRoute = isUsersRoute && Number(resourceId) === user.id;

if (isCurrentUserRoute) {
done();

return;
}
Copy link
Collaborator

@liza-veis liza-veis Sep 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic shouldn't be in checkUserPermissions hook. This hook is for common permission case and should now nothing about specific routes and their logic. Instead let's use DELETE /authenticated-user and PATCH /authenticated-user in auth controller for current user, and move the logic related to this routes to auth module

Copy link
Collaborator

@liza-veis liza-veis Sep 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually let's do it simpler and user DELETE /users, PATCH /users to update or delete current user

Copy link
Collaborator Author

@Vitaliistf Vitaliistf Sep 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, you mean, user that wants to delete/update his own account now should send a request without id, and the admin that wants to delete other user should use id (permissions will be checked of course), right?

Copy link
Collaborator

@liza-veis liza-veis Sep 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

@what1s1ove what1s1ove merged commit 5e017f5 into main Sep 24, 2024
This was referenced Sep 24, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@what1s1ove what1s1ove what1s1ove approved these changes

@liza-veis liza-veis liza-veis approved these changes

@yevhenii-hladkov yevhenii-hladkov Awaiting requested review from yevhenii-hladkov yevhenii-hladkov is a code owner

+1 more reviewer

@perekotypole perekotypole perekotypole left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@Vitaliistf Vitaliistf

Labels

backend frontend

Projects

bsa-2024-gitfit
Status: Backlog

Milestone

git-fit-release-6

Development

Successfully merging this pull request may close these issues.

5 participants

@Vitaliistf @what1s1ove @perekotypole @liza-veis