Trustroots · simison · Dec 24, 2018 · Dec 24, 2018 · Dec 24, 2018
diff --git a/modules/offers/server/controllers/offers.server.controller.js b/modules/offers/server/controllers/offers.server.controller.js
@@ -170,10 +170,9 @@ function isValidUntil(validUntil) {
 }
 
 /**
- * Create (or update if exists) a Offer
+ * Create offer
  */
 exports.create = function (req, res) {
-
   if (!req.user) {
     return res.status(403).send({
       message: errorService.getErrorMessageByKey('forbidden')
@@ -218,10 +217,6 @@ exports.create = function (req, res) {
   // Update timestamp
   offer.updated = new Date();
 
-  // Do the upsert, which works like this: If no Offer document exists with
-  // _id = offer.id, then create a new doc using upsertData.
-  // Otherwise, update the existing doc with upsertData
-  // @link http://stackoverflow.com/a/7855281
   offer.save(function (err) {
     if (err) {
       return res.status(400).send({
@@ -233,20 +228,19 @@ exports.create = function (req, res) {
       message: 'Offer saved.'
     });
   });
-
 };
 
 /**
  * Update an Offer
  */
 exports.update = function (req, res) {
-
   async.waterfall([
 
     // Validate
     function (done) {
 
-      if (!req.user) {
+      // User can modify only their own offers
+      if (!req.user || !req.offer.user._id.equals(req.user._id)) {
         return res.status(403).send({
           message: errorService.getErrorMessageByKey('forbidden')
         });

diff --git a/modules/offers/tests/server/offer.server.routes.tests.js b/modules/offers/tests/server/offer.server.routes.tests.js
@@ -837,6 +837,36 @@ describe('Offer CRUD tests', function () {
         });
     });
 
+    it('should not be able to update offer of other user', function (done) {
+      agent.post('/api/auth/signin')
+        .send(credentials)
+        .expect(200)
+        .end(function (signinErr) {
+          // Handle signin error
+          if (signinErr) return done(signinErr);
+
+          offer2.description = '<p>Not allowed</p>';
+
+          // Update offer
+          agent.put('/api/offers/' + offer2Id)
+            .send(offer2)
+            .expect(403)
+            .end(function (offerSaveErr) {
+              // Handle offer save error
+              if (offerSaveErr) return done(offerSaveErr);
+
+              Offer.findOne({
+                _id: offer2Id
+              }, function (err, offer) {
+                should.not.exist(err);
+                offer.description.should.not.equal(offer2.description);
+                return done();
+              });
+            });
+
+        });
+    });
+
     it('should not able to change offer type when updating offer', function (done) {
       agent.post('/api/auth/signin')
         .send(credentials)

diff --git a/package.json b/package.json
@@ -52,10 +52,10 @@
     "start:worker:prod": "gulp worker:prod",
     "start:worker": "gulp worker:dev",
     "start": "concurrently --raw --kill-others --kill-others-on-fail 'npm:lint:watch' 'npm:start:develop' 'npm:start:worker' 'npm:dashboard:mail'",
-    "test:client:watch": "npm run pretest && concurrently --raw 'npm:lint:watch' 'gulp test:client:watch'",
+    "test:client:watch": "npm run pretest && gulp test:client:watch",
     "test:client": "npm run pretest && gulp test:client",
     "test:selenium": "python ./scripts/selenium/test.py",
-    "test:server:watch": "npm run pretest && concurrently --raw 'npm:lint:watch' 'gulp test:server:watch'",
+    "test:server:watch": "npm run pretest && gulp test:server:watch",
     "test:server": "npm run pretest && gulp test:server",
     "test": "npm run lint && gulp test",
     "travis-ci": "concurrently --kill-others-on-fail 'npm:lint' 'npm:build:prod'"