fix: /me only works on current user's collection

Elliot DeNolf
2020-10-26 20:20:36 -04:00
parent edcc6b56c8
commit ffa56e6c81


@@ -1,11 +1,20 @@
const jwt = require('jsonwebtoken');
const httpStatus = require('http-status');
const getExtractJWT = require('../getExtractJWT');
const { APIError } = require('../../errors');
async function me({ req }) {
const extractJWT = getExtractJWT(this.config);
if (req.user) {
const requestedSlug = req.route.path.split('/').filter((r) => r !== '')[0];
const user = { ...req.user };
if (user.collection !== requestedSlug) {
throw new APIError('Incorrect collection', httpStatus.FORBIDDEN);
}
delete user.collection;
const response = {