prevent buying market gear if class doesn't match (#10818)

* prevent buying market gear if class doesn't match * add test
HabitRPG · Nov 12, 2018 · eca7382 · eca7382
1 parent be95cd9
commit eca7382
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/test/api/v3/integration/user/buy/POST-user_buy_gear.test.js b/test/api/v3/integration/user/buy/POST-user_buy_gear.test.js
@@ -53,4 +53,15 @@ describe('POST /user/buy-gear/:key', () => {
         message: 'You need to purchase a lower level gear before this one.',
       });
   });
+
+  it('returns an error if tries to buy gear from a different class', async () => {
+    let key = 'armor_rogue_1';
+
+    return expect(user.post(`/user/buy-gear/${key}`))
+      .to.eventually.be.rejected.and.eql({
+        code: 401,
+        error: 'NotAuthorized',
+        message: 'You can\'t buy this item.',
+      });
+  });
 });
diff --git a/website/common/script/ops/buy/buyMarketGear.js b/website/common/script/ops/buy/buyMarketGear.js
@@ -24,6 +24,15 @@ export class BuyMarketGearOperation extends AbstractGoldItemOperation {
     return false;
   }
 
+  canUserPurchase (user, item)  {
+    super.canUserPurchase(user, item);
+
+    // check for different class gear
+    if (item.klass !== 'special' && item.klass !== user.stats.class) {
+      throw new NotAuthorized(this.i18n('cannotBuyItem'));
+    }
+  }
+
   extractAndValidateParams (user, req) {
     let key = this.key = get(req, 'params.key');
     if (!key) throw new BadRequest(errorMessage('missingKeyParam'));