ob/sprint
1
0
Fork 0
mirror of https://github.com/hex248/sprint.git synced 2026-02-08 18:33:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

use AuthedRequest for "organisation/by-user"

Browse Source
This commit is contained in:
Oliver Bryan
2025-12-23 16:17:59 +00:00
parent cb80e75c2a
commit 193b1dc93b
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
packages/backend/src/routes/organisation/by-user.ts
View File

@@ -1,8 +1,8 @@
import type { BunRequest } from "bun"; import type { AuthedRequest } from "../../auth/middleware";
import { getOrganisationsByUserId, getUserById } from "../../db/queries"; import { getOrganisationsByUserId, getUserById } from "../../db/queries";
// /organisation/by-user?userId=1 // /organisation/by-user?userId=1
export default async function organisationsByUser(req: BunRequest) { export default async function organisationsByUser(req: AuthedRequest) {
const url = new URL(req.url); const url = new URL(req.url);
const userId = url.searchParams.get("userId"); const userId = url.searchParams.get("userId");
@@ -15,6 +15,11 @@ export default async function organisationsByUser(req: BunRequest) {
return new Response("userId must be an integer", { status: 400 }); return new Response("userId must be an integer", { status: 400 });
} }
// Users can only view their own organisations
if (req.userId !== userIdNumber) {
return new Response("Access denied: you can only view your own organisations", { status: 403 });
}
const user = await getUserById(userIdNumber); const user = await getUserById(userIdNumber);
if (!user) { if (!user) {
return new Response(`user with id ${userId} not found`, { status: 404 }); return new Response(`user with id ${userId} not found`, { status: 404 });