fix(signature): ensure signature to update belongs to current user only

routes/api/user(id)/relationships/signature/update.patch.ts

@@ -16,6 +16,7 @@ import {
 	UPDATE_ANYONE_ON_OWN_DEPARTMENT,
 	UPDATE_ANYONE_ON_ALL_DEPARTMENTS
 } from "$/permissions/user_combinations"
+import Merger from "!/middlewares/miscellaneous/merger"
 import IDParameterValidation from "!/validations/id_parameter"
 import PermissionBasedPolicy from "!/policies/permission-based"
 import { user as permissionGroup } from "$/permissions/permission_list"
@@ -30,11 +31,14 @@ export default class extends MultipartController {
 	get filePath(): string { return __filename }
 
 	get policy(): Policy {
-		return new PermissionBasedPolicy(permissionGroup, [
-			UPDATE_OWN_DATA,
-			UPDATE_ANYONE_ON_OWN_DEPARTMENT,
-			UPDATE_ANYONE_ON_ALL_DEPARTMENTS
-		])
+		return new Merger([
+			new PermissionBasedPolicy(permissionGroup, [
+				UPDATE_OWN_DATA,
+				UPDATE_ANYONE_ON_OWN_DEPARTMENT,
+				UPDATE_ANYONE_ON_ALL_DEPARTMENTS
+			]),
+			new BelongsToCurrentUserPolicy(UserManager)
+		]) as unknown as Policy
 	}
 
 	get validations(): Validation[] {
@@ -66,12 +70,6 @@ export default class extends MultipartController {
 		})
 	}
 
-	get postParseMiddlewares(): Policy[] {
-		return [
-			new BelongsToCurrentUserPolicy()
-		]
-	}
-
 	async handle(request: AuthenticatedIDRequest, unusedResponse: Response)
 	: Promise<OkResponseInfo> {
 		const manager = new SignatureManager(request.transaction, request.cache)

server/bases/controller-likes/controller.ts

@@ -19,9 +19,9 @@ export default abstract class extends ControllerLike {
 
 	async intermediate(request: Request, response: Response, next: NextFunction): Promise<void> {
 		return await this.handle(request, response)
-			.then(responseInfo => this.respond(response, responseInfo))
-			.then(() => next())
-			.catch(next)
+		.then(responseInfo => this.respond(response, responseInfo))
+		.then(() => next())
+		.catch(next)
 	}
 
 	private respond(response: Response, responseInfo: ResponseInfo|void): void {