diff --git a/modules/offers/server/controllers/offers.server.controller.js b/modules/offers/server/controllers/offers.server.controller.js
index 196a27cced..cecbbed9da 100644
--- a/modules/offers/server/controllers/offers.server.controller.js
+++ b/modules/offers/server/controllers/offers.server.controller.js
@@ -170,10 +170,9 @@ function isValidUntil(validUntil) {
 }
 
 /**
- * Create (or update if exists) a Offer
+ * Create offer
  */
 exports.create = function (req, res) {
-
   if (!req.user) {
     return res.status(403).send({
       message: errorService.getErrorMessageByKey('forbidden')
@@ -218,10 +217,6 @@ exports.create = function (req, res) {
   // Update timestamp
   offer.updated = new Date();
 
-  // Do the upsert, which works like this: If no Offer document exists with
-  // _id = offer.id, then create a new doc using upsertData.
-  // Otherwise, update the existing doc with upsertData
-  // @link http://stackoverflow.com/a/7855281
   offer.save(function (err) {
     if (err) {
       return res.status(400).send({
@@ -233,20 +228,19 @@ exports.create = function (req, res) {
       message: 'Offer saved.'
     });
   });
-
 };
 
 /**
  * Update an Offer
  */
 exports.update = function (req, res) {
-
   async.waterfall([
 
     // Validate
     function (done) {
 
-      if (!req.user) {
+      // User can modify only their own offers
+      if (!req.user || !req.offer.user._id.equals(req.user._id)) {
         return res.status(403).send({
           message: errorService.getErrorMessageByKey('forbidden')
         });
diff --git a/modules/offers/tests/server/offer.server.routes.tests.js b/modules/offers/tests/server/offer.server.routes.tests.js
index e18e09d548..f620c7e4ae 100644
--- a/modules/offers/tests/server/offer.server.routes.tests.js
+++ b/modules/offers/tests/server/offer.server.routes.tests.js
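Review bot: The new ownership check in `exports.update` dereferences `req.offer.user._id` unconditionally, so an offer whose `user` field is missing (or held as a bare ObjectId rather than a populated document) turns a forbidden request into a thrown TypeError rather than the intended 403; an authorization guard should fail closed instead. A null-safe form is `var ownerId = req.offer.user && req.offer.user._id;` followed by `if (!req.user || !ownerId || !ownerId.equals(req.user._id)) {`. Whether `req.offer` is always loaded and its `user` populated before this handler runs depends on a param middleware outside this diff, so that precondition is worth stating in the `// User can modify only their own offers` comment. The waterfall body and the rest of `exports.update` continue outside the hunk.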
@@ -837,6 +837,36 @@ describe('Offer CRUD tests', function () {
       });
     });
 
+  it('should not be able to update offer of other user', function (done) {
+    agent.post('/api/auth/signin')
+      .send(credentials)
+      .expect(200)
+      .end(function (signinErr) {
+        // Handle signin error
+        if (signinErr) return done(signinErr);
+
+        offer2.description = '

Not allowed

';
+
+        // Update offer
+        agent.put('/api/offers/' + offer2Id)
+          .send(offer2)
+          .expect(403)
+          .end(function (offerSaveErr) {
+            // Handle offer save error
+            if (offerSaveErr) return done(offerSaveErr);
+
+            Offer.findOne({
+              _id: offer2Id
+            }, function (err, offer) {
+              should.not.exist(err);
+              offer.description.should.not.equal(offer2.description);
+              return done();
+            });
+          });
+
+      });
+  });
+
   it('should not able to change offer type when updating offer', function (done) {
     agent.post('/api/auth/signin')
       .send(credentials)
diff --git a/package.json b/package.json
index 9ba0498e79..244b8ee896 100644
--- a/package.json
+++ b/package.json
@@ -52,10 +52,10 @@
     "start:worker:prod": "gulp worker:prod",
     "start:worker": "gulp worker:dev",
     "start": "concurrently --raw --kill-others --kill-others-on-fail 'npm:lint:watch' 'npm:start:develop' 'npm:start:worker' 'npm:dashboard:mail'",
-    "test:client:watch": "npm run pretest && concurrently --raw 'npm:lint:watch' 'gulp test:client:watch'",
+    "test:client:watch": "npm run pretest && gulp test:client:watch",
     "test:client": "npm run pretest && gulp test:client",
     "test:selenium": "python ./scripts/selenium/test.py",
-    "test:server:watch": "npm run pretest && concurrently --raw 'npm:lint:watch' 'gulp test:server:watch'",
+    "test:server:watch": "npm run pretest && gulp test:server:watch",
     "test:server": "npm run pretest && gulp test:server",
     "test": "npm run lint && gulp test",
     "travis-ci": "concurrently --kill-others-on-fail 'npm:lint' 'npm:build:prod'"
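Review bot: The closing assertion `offer.description.should.not.equal(offer2.description)` only proves the rejected value was not persisted; capturing the seeded value before the mutation (`var originalDescription = offer2.description;` ahead of the `offer2.description = ...` line) and asserting `offer.description.should.equal(originalDescription);` would also catch the document being altered in any other way by the forbidden request. The test mutates the shared `offer2` fixture in place, which leaks into later tests unless `offer2` is rebuilt in a `beforeEach` outside this hunk; if it is not, restoring the field in the `findOne` callback keeps the tests independent. The enclosing `describe` block starts and ends outside the hunk.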