diff --git a/src/api/middleware/company.js b/src/api/middleware/company.js
index 3161353e..da57bd51 100644
--- a/src/api/middleware/company.js
+++ b/src/api/middleware/company.js
@@ -85,45 +85,41 @@ export const profileComplete = async (req, res, next) => { return next(); }; -export const restrictedAccess = (owner) => async (req, res, next) => { - const company = await (new CompanyService()).findById(owner, true); - let error = {}; - - if (req.params?.companyId === req.user.company) { - let reason = ValidationReasons.UNKNOWN; +export const canAccessProfile = (companyId) => async (req, res, next) => { + const company = await new CompanyService().findById(companyId, true); - if (company.isBlocked) - reason = ValidationReasons.COMPANY_BLOCKED; - else if (company.isDisabled) - reason = ValidationReasons.COMPANY_DISABLED; - - error = new APIError( - HTTPStatus.OK, + const notFound = () => + new APIError( + HTTPStatus.UNPROCESSABLE_ENTITY, ErrorTypes.VALIDATION_ERROR, - reason, - { company: company } + [ + { + value: companyId, + msg: ValidationReasons.COMPANY_NOT_FOUND(companyId), + param: "companyId", + location: "params", + }, + ] ); - } else { - error = new APIError( - HTTPStatus.FORBIDDEN, - ErrorTypes.FORBIDDEN, - ValidationReasons.NOT_FOUND + + const errorOrNotFound = (reason) => + companyId === req.user?.company?.toString() || req.hasAdminPrivileges + ? new APIError(HTTPStatus.FORBIDDEN, ErrorTypes.FORBIDDEN, reason) + : notFound(); + + if (!company.hasFinishedRegistration) + return next( + errorOrNotFound(ValidationReasons.REGISTRATION_NOT_FINISHED) ); - } - return next(error); -}; + if (req.hasAdminPrivileges) + return next(); -export const registrationStatus = (owner) => async (req, res, next) => { - const company = await (new CompanyService()).findById(owner, true); + if (company.isBlocked) + return next(errorOrNotFound(ValidationReasons.COMPANY_BLOCKED)); - if (!company.hasFinishedRegistration) { - return next(new APIError( - HTTPStatus.FORBIDDEN, - ErrorTypes.FORBIDDEN, - (req.params?.companyId !== req.user.company) ? 
ValidationReasons.NOT_FOUND : ValidationReasons.REGISTRATION_NOT_FINISHED - )); - } + if (company.isDisabled && companyId !== req.user?.company?.toString()) + return next(notFound()); return next(); }; diff --git a/src/api/routes/company.js b/src/api/routes/company.js index 8af239cf..3f1b85fc 100644 --- a/src/api/routes/company.js +++ b/src/api/routes/company.js @@ -75,14 +75,23 @@ export default (app) => { router.get("/:companyId", validators.profile, - (req, res, next) => companyMiddleware.restrictedAccess(req.params.companyId)(req, res, next), - (req, res, next) => companyMiddleware.registrationStatus(req.params.companyId)(req, res, next), + (req, res, next) => companyMiddleware.canAccessProfile(req.params.companyId)(req, res, next), async (req, res) => { - const company = await new CompanyService().findById(req.params.companyId, req.hasAdminPrivileges, req.hasAdminPrivileges); - const offers = (await new OfferService() - .getOffersByCompanyId(req.params.companyId, req.targetOwner, req.hasAdminPrivileges, { - sort: { publishDate: "desc" }, limit: CompanyConstants.offers.max_profile_visible - }) + const company = await new CompanyService().findById( + req.params.companyId, + // Can be safely set to true, as the middleware takes + // care of validation for us + true, + req.hasAdminPrivileges + ); + const offers = await new OfferService().getOffersByCompanyId( + req.params.companyId, + req.targetOwner, + req.hasAdminPrivileges, + { + sort: { publishDate: "desc" }, + limit: CompanyConstants.offers.max_profile_visible, + } ); return res.json({ company, offers }); }
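Review bot: An id that matches no company is still unhandled in canAccessProfile — if `CompanyService.findById` resolves to null/undefined for an unknown id, `company.hasFinishedRegistration` throws a TypeError inside an async middleware with no try/catch, so the request never reaches the 422 that the `notFound` helper was written for. Adding `if (!company) return next(notFound());` directly after the `findById` call closes that gap, and because it reuses `notFound()` the response is identical to what a third party gets for a blocked or unfinished company, so existence is not leaked through a different status. Whether findById returns null or throws for a missing id is not visible in this hunk; if it throws, that rejection also needs to be routed to `next` (a try/catch around the await or an async wrapper), since nothing in the new function catches it.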