From 4728e6ff05efaea11d922590de32949b9bf28c61 Mon Sep 17 00:00:00 2001
From: Tim Howitz
Date: Fri, 6 Jun 2025 18:08:52 +0100
Subject: [PATCH] Added correct auth to log and log-bulk api routes
---
 src/app/api/warehouse/log-bulk/route.ts | 19 +++++++++++++++++++
 src/app/api/warehouse/log/route.ts | 24 +++++++++++++++++++++---
 src/components/AuthModal.tsx | 1 -
 src/components/EarthquakeSearchModal.tsx | 2 --
 4 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/src/app/api/warehouse/log-bulk/route.ts b/src/app/api/warehouse/log-bulk/route.ts
index 97aaf8c..cc0e27e 100644
--- a/src/app/api/warehouse/log-bulk/route.ts
+++ b/src/app/api/warehouse/log-bulk/route.ts
@@ -12,6 +12,25 @@ export async function POST(request: NextRequest) {
 const { user } = authResult;
+ if (user.role !== "ADMIN" && user.role !== "SCIENTIST") {
+ return NextResponse.json({ error: "Not authorized" }, { status: 401 });
+ }
+
+ if (user.role === "SCIENTIST") {
+ const scientist = await prisma.scientist.findUnique({
+ where: {
+ userId: user.id,
+ },
+ include: {
+ subordinates: true,
+ },
+ });
+
+ if (!scientist || scientist.level !== "SENIOR") {
+ return NextResponse.json({ message: "Not authorised" }, { status: 401 });
+ }
+ }
+
 if (!palletNote || !warehouseLocation) {
 return NextResponse.json({ error: "Missing fields" }, { status: 400 });
 }
diff --git a/src/app/api/warehouse/log/route.ts b/src/app/api/warehouse/log/route.ts
index dabedb5..af3415c 100644
--- a/src/app/api/warehouse/log/route.ts
+++ b/src/app/api/warehouse/log/route.ts
@@ -10,7 +10,6 @@ export async function POST(request: NextRequest) {
 const name = formData.get("name") as string;
 const type = formData.get("type") as string;
 const description = formData.get("description") as string;
- const location = formData.get("location") as string;
 const earthquakeCode = formData.get("earthquakeCode") as string;
 const warehouseLocation = formData.get("warehouseLocation") as string;
 const image = formData.get("image") as File | null;
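Review bot: The new role gate answers 401 for a caller who is already authenticated but simply lacks the role; that is an authorization failure, so `{ status: 403 }` is the right code on both `return NextResponse.json(...)` lines. The two rejections also disagree on body shape and spelling (`{ error: "Not authorized" }` versus `{ message: "Not authorised" }`), which makes client-side handling unreliable, so settle on one key and one spelling. `include: { subordinates: true }` loads a relation the check never reads; `select: { level: true }` would fetch only what the `scientist.level !== "SENIOR"` test needs. The same block is duplicated verbatim in the `@@ -20,10 +19,29 @@` hunk of src/app/api/warehouse/log/route.ts, where it additionally runs after the field validation instead of before it as here, so a shared helper that takes `user` and returns either the rejection response or null would keep the two routes from drifting. POST and the `authResult` it destructures start outside the hunk.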
@@ -20,10 +19,29 @@ export async function POST(request: NextRequest) {
 const { user } = authResult;
- if (!name || !type || !description || !location || !earthquakeCode || !warehouseLocation) {
+ if (!name || !type || !description || !earthquakeCode || !warehouseLocation) {
 return NextResponse.json({ error: "Missing fields" }, { status: 400 });
 }
+ if (user.role !== "ADMIN" && user.role !== "SCIENTIST") {
+ return NextResponse.json({ error: "Not authorized" }, { status: 401 });
+ }
+
+ if (user.role === "SCIENTIST") {
+ const scientist = await prisma.scientist.findUnique({
+ where: {
+ userId: user.id,
+ },
+ include: {
+ subordinates: true,
+ },
+ });
+
+ if (!scientist || scientist.level !== "SENIOR") {
+ return NextResponse.json({ message: "Not authorised" }, { status: 401 });
+ }
+ }
+
 const linkedEarthquake = await prisma.earthquake.findUnique({ where: { code: earthquakeCode } });
 if (!linkedEarthquake) {
@@ -35,7 +53,7 @@ export async function POST(request: NextRequest) {
 const buffer = Buffer.from(await image.arrayBuffer());
 const extension = image.type === "image/jpeg" ? "jpg" : "png";
 imageName = `${name}-${new Date().toLocaleDateString("en-GB")}.${extension}`;
- const imagePath = join(process.cwd(), "public", "uploads", imageName);
+ const imagePath = join(process.cwd(), "public", imageName);
 await writeFile(imagePath, buffer);
 }
diff --git a/src/components/AuthModal.tsx b/src/components/AuthModal.tsx
index fff3657..7f61e9c 100644
--- a/src/components/AuthModal.tsx
+++ b/src/components/AuthModal.tsx
@@ -10,7 +10,6 @@ interface AuthModalProps {
 }
 export default function AuthModal({ isOpen, onClose }: AuthModalProps) {
- // todo add login successful message
 const [isLogin, setIsLogin] = useState(true);
 const modalRef = useRef(null);
 const [isFailed, setIsFailed] = useState(false);
diff --git a/src/components/EarthquakeSearchModal.tsx b/src/components/EarthquakeSearchModal.tsx
index 4c0b2e0..e5b427b 100644
--- a/src/components/EarthquakeSearchModal.tsx
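Review bot: On the new `const imagePath = join(process.cwd(), "public", imageName)` line in the `@@ -35,7 +53,7 @@` hunk the file name is still assembled from the raw `name` form field and from `toLocaleDateString("en-GB")`, so the write location is only as trustworthy as the request body: a `name` carrying path separators or `..` leaves the intended directory, and now that the target is the static root itself a collision silently replaces whatever asset already lives there. The date part is a bug in its own right: with Node's default ICU data, `en-GB` renders as `dd/mm/yyyy`, so `imageName` contains slashes and `writeFile` will fail with ENOENT unless those nested directories happen to exist, which is worth confirming on the deployed runtime. `extension` is likewise derived from the client-supplied `image.type` rather than from the bytes, so anything not claiming to be JPEG is stored as `.png`. I would reduce `name` to a sanitised basename, use an ISO date, and open with `flag: "wx"` so an existing file is never clobbered. `imageName` is declared outside the hunk, as is the rest of the POST body.
```typescript
const extension = image.type === "image/jpeg" ? "jpg" : "png";
// keep a conservative character set; `basename` needs importing from "node:path"
const safeName = basename(name).replace(/[^A-Za-z0-9._-]/g, "_");
const stamp = new Date().toISOString().slice(0, 10); // yyyy-mm-dd, no "/"
imageName = `${safeName}-${stamp}.${extension}`;
const imagePath = join(process.cwd(), "public", imageName);
await writeFile(imagePath, buffer, { flag: "wx" }); // refuse to overwrite an existing file
```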
+++ b/src/components/EarthquakeSearchModal.tsx
@@ -23,8 +23,6 @@ const COLUMNS = [
 { label: "Date", key: "date" },
 ];
-// todo modify slightly
-
 export default function EarthquakeSearchModal({
 open,
 onClose,