Merge pull request #102 from Cavdy/ft-protect-view-account-route-from…

…-other-user-165652538 #165652538 Protect view account route from other user
Cavdy · Apr 27, 2019 · 1deeeeb · 1deeeeb
2 parents 7dae26e + 04982bf
commit 1deeeeb
Show file tree

Hide file tree

Showing 10 changed files with 308 additions and 104 deletions.
diff --git a/server/v1/controllers/accounts.js b/server/v1/controllers/accounts.js
@@ -52,7 +52,7 @@ const CreateAccountController = {
   async specificAccounts(req, res) {
     const { accountNumber } = req.params;
     const specificAccounts = await AccountsService
-      .specificAccounts(accountNumber);
+      .specificAccounts(accountNumber, req.authorizedData);
 
     const data = await statusHelper
       .statusHelper(req,
@@ -72,7 +72,7 @@ const CreateAccountController = {
   async allAccountTransaction(req, res) {
     const { accountNumber } = req.params;
     const transactionHistory = await AccountsService
-      .allAccountTransaction(accountNumber);
+      .allAccountTransaction(accountNumber, req.authorizedData);
 
     const data = await statusHelper
       .statusHelper(req,

diff --git a/server/v1/controllers/auth.js b/server/v1/controllers/auth.js
@@ -40,26 +40,6 @@ const AuthController = {
         createdUser.returnSuccess);
     return data;
   },
-
-  /**
-   * Signup staff
-   * @constructor
-   * @param {*} req - get request.
-   * @param {*} res -get response
-   */
-  async createStaffs(req, res) {
-    const userData = req.body;
-    const createdStaff = await AuthService
-      .createStaffs(userData, req.signintoken, req.authorizedData);
-
-    const data = await statusHelper
-      .statusHelper(req,
-        res,
-        createdStaff.returnStatus,
-        createdStaff.returnError,
-        createdStaff.returnSuccess);
-    return data;
-  },
 };
 
 export default AuthController;
diff --git a/server/v1/controllers/users.js b/server/v1/controllers/users.js
@@ -59,6 +59,26 @@ const UsersController = {
         deleteUser.returnSuccess);
     return data;
   },
+
+  /**
+   * Signup staff
+   * @constructor
+   * @param {*} req - get request.
+   * @param {*} res -get response
+   */
+  async createStaffs(req, res) {
+    const userData = req.body;
+    const createdStaff = await UserService
+      .createStaffs(userData, req.signintoken, req.authorizedData);
+
+    const data = await statusHelper
+      .statusHelper(req,
+        res,
+        createdStaff.returnStatus,
+        createdStaff.returnError,
+        createdStaff.returnSuccess);
+    return data;
+  },
 };
 
 export default UsersController;
diff --git a/server/v1/routes/auth.js b/server/v1/routes/auth.js
@@ -7,10 +7,5 @@ const router = express.Router();
 // creating our routes
 router.post('/signin', jwtMiddleware.signinJwt, AuthController.loginUser);
 router.post('/signup', jwtMiddleware.signinJwt, AuthController.registerUser);
-router.post('/signup/addstaff',
-  jwtMiddleware.checkToken,
-  jwtMiddleware.signinJwt,
-  jwtMiddleware.verifyJwt,
-  AuthController.createStaffs);
 
 export default router;
diff --git a/server/v1/routes/users.js b/server/v1/routes/users.js
@@ -10,5 +10,10 @@ router.get('/:email/accounts',
   jwtMiddleware.verifyJwt,
   UsersController.getUsersAccounts);
 router.delete('/:id', jwtMiddleware.verifyJwt, UsersController.deleteUser);
+router.post('/addstaff',
+  jwtMiddleware.checkToken,
+  jwtMiddleware.signinJwt,
+  jwtMiddleware.verifyJwt,
+  UsersController.createStaffs);
 
 export default router;
diff --git a/server/v1/services/accounts.js b/server/v1/services/accounts.js
@@ -113,20 +113,38 @@ const CreateAccountService = {
    * Get specific account
    * @constructor
    * @param {*} accountNumber - recieve account number.
+   * @param {*} loggedIn - logged in details.
    */
-  async specificAccounts(accountNumber) {
+  async specificAccounts(accountNumber, loggedIn) {
     let returnStatus; let returnSuccess = ''; let returnError = '';
+
+    const users = await dbConnection
+      .dbConnect('SELECT * from users WHERE email=$1',
+        [loggedIn.email]);
+    const { type, isadmin } = users.rows[0];
+
     const userAccount = await dbConnection
       .dbConnect('SELECT * from accounts WHERE accountnumber=$1',
         [accountNumber]);
+
     if (userAccount.rows.length > 0) {
-      returnStatus = 200;
-      // eslint-disable-next-line prefer-destructuring
-      returnSuccess = userAccount.rows[0];
+      if (userAccount.rows[0].email === loggedIn.email) {
+        returnStatus = 200;
+        // eslint-disable-next-line prefer-destructuring
+        returnSuccess = userAccount.rows[0];
+      } else if (type === 'staff' || isadmin === true) {
+        returnStatus = 200;
+        // eslint-disable-next-line prefer-destructuring
+        returnSuccess = userAccount.rows[0];
+      } else {
+        returnStatus = 401;
+        returnError = 'sorry you can\'t view another user\'s account';
+      }
     } else {
       returnStatus = 404;
       returnError = 'no account found';
     }
+
     return {
       returnStatus,
       returnSuccess,
@@ -138,19 +156,42 @@ const CreateAccountService = {
    * Get all accounts trasactions that belongs to account number
    * @constructor
    * @param {*} accountNumber - recieve account number.
+   * @param {*} loggedIn - logged in details.
    */
-  async allAccountTransaction(accountNumber) {
+  async allAccountTransaction(accountNumber, loggedIn) {
     let returnStatus; let returnSuccess = ''; let returnError = '';
+
+    const users = await dbConnection
+      .dbConnect('SELECT * from users WHERE email=$1',
+        [loggedIn.email]);
+    const { type, isadmin } = users.rows[0];
+
     const userTransaction = await dbConnection
       .dbConnect('SELECT * from transactions WHERE accountnumber=$1',
         [accountNumber]);
+
+    const userAccount = await dbConnection
+      .dbConnect('SELECT email from accounts WHERE accountnumber=$1',
+        [accountNumber]);
+
     if (userTransaction.rows.length > 0) {
-      returnStatus = 200;
-      returnSuccess = userTransaction.rows;
+      if (userAccount.rows[0].email === loggedIn.email) {
+        returnStatus = 200;
+        // eslint-disable-next-line prefer-destructuring
+        returnSuccess = userTransaction.rows;
+      } else if (type === 'staff' || isadmin === true) {
+        returnStatus = 200;
+        // eslint-disable-next-line prefer-destructuring
+        returnSuccess = userTransaction.rows;
+      } else {
+        returnStatus = 401;
+        returnError = 'sorry you can\'t view another user\'s transactions';
+      }
     } else {
       returnStatus = 404;
       returnError = 'no transaction found';
     }
+
     return {
       returnStatus,
       returnSuccess,

diff --git a/server/v1/services/auth.js b/server/v1/services/auth.js
@@ -147,70 +147,6 @@ const AuthService = {
       returnError,
     };
   },
-
-  /**
-   * Create staffs
-   * @constructor
-   * @param {*} userData - user form data.
-   * @param {*} token - user's token
-   * @param {*} admin - admin's token
-   */
-  async createStaffs(userData, token, admin) {
-    const returnData = await registrationHelper.registrationHelper(userData);
-    let returnStatus; let returnSuccess = ''; let returnError = '';
-
-    const userDetails = await dbConnection
-      .dbConnect('SELECT isadmin FROM users WHERE email=$1', [admin.email]);
-    const { isadmin } = userDetails.rows[0];
-
-    if (isadmin === true) {
-      if (returnData[0] === true
-        && returnData[1] === true
-        && returnData[2] === true
-        && returnData[3] === true) {
-        const salt = bcrypt.genSaltSync(10);
-        const hash = bcrypt.hashSync(userData.password, salt);
-        // checks if email exist
-        const emailresponse = await dbConnection
-          .dbConnect('SELECT email FROM users WHERE email=$1',
-            [userData.email]);
-        if (emailresponse.rows.length >= 1) {
-          returnStatus = 409;
-          returnError = 'email already exist';
-        } else {
-          // email does not exist... you can insert data
-          const response = await dbConnection
-            .dbConnect('INSERT into users(email, firstName, lastName, password, type, isAdmin) values($1, $2, $3, $4, $5, $6)',
-              [userData.email, userData.firstName, userData.lastName, hash, userData.type, userData.isAdmin]);
-          if (response.command === 'INSERT') {
-            const userDbData = await dbConnection
-              .dbConnect('SELECT * FROM users WHERE email=$1',
-                [userData.email]);
-            const user = new UserModel();
-            user.id = userDbData.rows[0].id;
-            user.firstName = userDbData.rows[0].firstname;
-            user.lastName = userDbData.rows[0].lastname;
-            user.email = userDbData.rows[0].email;
-            user.token = token;
-            returnStatus = 201;
-            returnSuccess = user;
-          }
-        }
-      } else {
-        returnStatus = 422;
-        // eslint-disable-next-line prefer-destructuring
-        returnError = returnData[4];
-      }
-    } else {
-      returnStatus = 401;
-      returnError = 'you must be an admin to create staffs';
-    }
-    return {
-      returnStatus,
-      returnSuccess,
-      returnError,
-    };
-  },
 };
 
 export default AuthService;
diff --git a/server/v1/services/users.js b/server/v1/services/users.js
@@ -1,4 +1,7 @@
+import bcrypt from 'bcryptjs';
 import dbConnection from '../config/database';
+import UserModel from '../model/users';
+import registrationHelper from '../helper/registrationHelper';
 
 const UsersServices = {
   /**
@@ -125,6 +128,67 @@ const UsersServices = {
       returnError,
     };
   },
+
+  /**
+   * Create staffs
+   * @constructor
+   * @param {*} userData - user form data.
+   * @param {*} token - user's token
+   * @param {*} admin - admin's token
+   */
+  async createStaffs(userData, token, admin) {
+    const returnData = await registrationHelper.registrationHelper(userData);
+    let returnStatus; let returnSuccess = ''; let returnError = '';
+
+    const userDetails = await dbConnection
+      .dbConnect('SELECT isadmin FROM users WHERE email=$1', [admin.email]);
+    const { isadmin } = userDetails.rows[0];
+
+    if (isadmin === true) {
+      if (returnData[0] === true
+        && returnData[1] === true
+        && returnData[2] === true
+        && returnData[3] === true) {
+        const salt = bcrypt.genSaltSync(10);
+        const hash = bcrypt.hashSync(userData.password, salt);
+        // checks if email exist
+        const emailresponse = await dbConnection
+          .dbConnect('SELECT email FROM users WHERE email=$1',
+            [userData.email]);
+        if (emailresponse.rows.length >= 1) {
+          returnStatus = 409;
+          returnError = 'email already exist';
+        } else {
+          // email does not exist... you can insert data
+          const response = await dbConnection
+            .dbConnect('INSERT into users(email, firstName, lastName, password, type, isAdmin) values($1, $2, $3, $4, $5, $6) RETURNING id, firstname, lastname, email',
+              [userData.email, userData.firstName, userData.lastName, hash, userData.type, userData.isAdmin]);
+          if (response.command === 'INSERT') {
+            const user = new UserModel();
+            user.id = response.rows[0].id;
+            user.firstName = response.rows[0].firstname;
+            user.lastName = response.rows[0].lastname;
+            user.email = response.rows[0].email;
+            user.token = token;
+            returnStatus = 201;
+            returnSuccess = user;
+          }
+        }
+      } else {
+        returnStatus = 422;
+        // eslint-disable-next-line prefer-destructuring
+        returnError = returnData[4];
+      }
+    } else {
+      returnStatus = 401;
+      returnError = 'you must be an admin to create staffs';
+    }
+    return {
+      returnStatus,
+      returnSuccess,
+      returnError,
+    };
+  },
 };
 
 export default UsersServices;