add authorization to file routes

Author: catarak

server/controllers/file.controller.js

@@ -9,8 +9,11 @@ import { deleteObjectsFromS3, getObjectKey } from './aws.controller';
 // be fixed in mongoose soon
 // https://github.com/Automattic/mongoose/issues/4049
 export function createFile(req, res) {
-  Project.findByIdAndUpdate(
-    req.params.project_id,
+  Project.findOneAndUpdate(
+    {
+      _id: req.params.project_id,
+      user: req.user._id
+    },
     {
       $push: {
         files: req.body
@@ -19,9 +22,9 @@ export function createFile(req, res) {
     {
       new: true
     }, (err, updatedProject) => {
-      if (err) {
+      if (err || !updatedProject) {
         console.log(err);
-        res.json({ success: false });
+        res.status(403).send({ success: false, message: 'Project does not exist, or user does not match owner.' });
         return;
       }
       const newFile = updatedProject.files[updatedProject.files.length - 1];
@@ -39,7 +42,9 @@ export function createFile(req, res) {
 }
 
 function getAllDescendantIds(files, nodeId) {
-  return files.find(file => file.id === nodeId).children
+  const parentFile = files.find(file => file.id === nodeId);
+  if (!parentFile) return [];
+  return parentFile.children
     .reduce((acc, childId) => (
       [...acc, childId, ...getAllDescendantIds(files, childId)]
     ), []);
@@ -75,12 +80,24 @@ function deleteChild(files, parentId, id) {
 
 export function deleteFile(req, res) {
   Project.findById(req.params.project_id, (err, project) => {
+    if (!project) {
+      res.status(404).send({ success: false, message: 'Project does not exist.' });
+    }
+    if (!project.user.equals(req.user._id)) {
+      res.status(403).send({ success: false, message: 'Session does not match owner of project.' });
+      return;
+    }
+
+    // make sure file exists for project
+    const fileToDelete = project.files.find(file => file.id === req.params.file_id);
+    if (!fileToDelete) {
+      res.status(404).send({ success: false, message: 'File does not exist in project.' });
+      return;
+    }
+
     const idsToDelete = getAllDescendantIds(project.files, req.params.file_id);
     deleteMany(project.files, [req.params.file_id, ...idsToDelete]);
     project.files = deleteChild(project.files, req.query.parentId, req.params.file_id);
-    // project.files.id(req.params.file_id).remove();
-    // const childrenArray = project.files.id(req.query.parentId).children;
-    // project.files.id(req.query.parentId).children = childrenArray.filter(id => id !== req.params.file_id);
     project.save((innerErr) => {
       res.json(project.files);
     });

server/models/project.js

@@ -11,7 +11,7 @@ const fileSchema = new Schema({
   children: { type: [String], default: [] },
   fileType: { type: String, default: 'file' },
   isSelectedFile: { type: Boolean }
-}, { timestamps: true, _id: true });
+}, { timestamps: true, _id: true, usePushEach: true });
 
 fileSchema.virtual('id').get(function getFileId() {
   return this._id.toHexString();
@@ -28,7 +28,7 @@ const projectSchema = new Schema({
   files: { type: [fileSchema] },
   _id: { type: String, default: shortid.generate },
   slug: { type: String }
-}, { timestamps: true });
+}, { timestamps: true, usePushEach: true });
 
 projectSchema.virtual('id').get(function getProjectId() {
   return this._id;

server/server.js

@@ -84,8 +84,8 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use('/api', requestsOfTypeJSON(), users);
 app.use('/api', requestsOfTypeJSON(), sessions);
-app.use('/api', requestsOfTypeJSON(), projects);
 app.use('/api', requestsOfTypeJSON(), files);
+app.use('/api', requestsOfTypeJSON(), projects);
 app.use('/api', requestsOfTypeJSON(), aws);
 app.use(assetRoutes);
 // this is supposed to be TEMPORARY -- until i figure out