apunkt/mike
1
0
Fork 0
mirror of https://github.com/willchen96/mike.git synced 2026-06-12 20:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: prevent users from sharing projects and reviews with themselves

Browse source
This commit is contained in:
willchen96 2026-05-16 00:05:16 +08:00
parent 9e7046d4aa
commit 87e55d6046
4 changed files with 60 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

27
backend/src/routes/projects.ts
View file

@ -83,6 +83,7 @@ projectsRouter.get("/", requireAuth, async (req, res) => {
// POST /projects
projectsRouter.post("/", requireAuth, async (req, res) => {
const userId = res.locals.userId as string;
const userEmail = res.locals.userEmail as string | undefined;
const { name, cm_number, shared_with } = req.body as {
name: string;
cm_number?: string;
@ -90,6 +91,23 @@ projectsRouter.post("/", requireAuth, async (req, res) => {
};
if (!name?.trim())
return void res.status(400).json({ detail: "name is required" });
const normalizedUserEmail = userEmail?.trim().toLowerCase();
const cleanedSharedWith: string[] = [];
const seenSharedEmails = new Set<string>();
if (Array.isArray(shared_with)) {
for (const raw of shared_with) {
if (typeof raw !== "string") continue;
const e = raw.trim().toLowerCase();
if (!e || seenSharedEmails.has(e)) continue;
if (normalizedUserEmail && e === normalizedUserEmail) {
return void res
.status(400)
.json({ detail: "You cannot share a project with yourself." });
}
seenSharedEmails.add(e);
cleanedSharedWith.push(e);
}
}
const db = createServerSupabase();
const { data, error } = await db
@ -98,7 +116,7 @@ projectsRouter.post("/", requireAuth, async (req, res) => {
user_id: userId,
name: name.trim(),
cm_number: cm_number ?? null,
shared_with: shared_with ?? [],
shared_with: cleanedSharedWith,
})
.select("*")
.single();
@ -238,18 +256,25 @@ projectsRouter.get("/:projectId/people", requireAuth, async (req, res) => {
// PATCH /projects/:projectId
projectsRouter.patch("/:projectId", requireAuth, async (req, res) => {
const userId = res.locals.userId as string;
const userEmail = res.locals.userEmail as string | undefined;
const { projectId } = req.params;
const updates: Record<string, unknown> = {};
if (req.body.name != null) updates.name = req.body.name;
if (req.body.cm_number != null) updates.cm_number = req.body.cm_number;
if (Array.isArray(req.body.shared_with)) {
// Normalise: lowercase + dedupe + drop empties.
const normalizedUserEmail = userEmail?.trim().toLowerCase();
const seen = new Set<string>();
const cleaned: string[] = [];
for (const raw of req.body.shared_with) {
if (typeof raw !== "string") continue;
const e = raw.trim().toLowerCase();
if (!e || seen.has(e)) continue;
if (normalizedUserEmail && e === normalizedUserEmail) {
return void res
.status(400)
.json({ detail: "You cannot share a project with yourself." });
}
seen.add(e);
cleaned.push(e);
}

6
backend/src/routes/tabular.ts
View file

@ -463,12 +463,18 @@ tabularRouter.patch("/:reviewId", requireAuth, async (req, res) => {
// making the call. Normalize lowercase + dedupe + drop empties.
let sharedWithUpdate: string[] | undefined;
if (Array.isArray(req.body.shared_with)) {
const normalizedUserEmail = userEmail?.trim().toLowerCase();
const seen = new Set<string>();
const cleaned: string[] = [];
for (const raw of req.body.shared_with) {
if (typeof raw !== "string") continue;
const e = raw.trim().toLowerCase();
if (!e || seen.has(e)) continue;
if (normalizedUserEmail && e === normalizedUserEmail) {
return void res.status(400).json({
detail: "You cannot share a tabular review with yourself.",
});
}
seen.add(e);
cleaned.push(e);
}