return (hook) => {
if (!getByDot(hook, 'params.before')) {
throw new Error('The "restrictReviewAndEnableChange" hook should be used after the "stashBefore()" hook');
}
const role = getByDot(hook, 'params.user.role');
const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
const isReviewed = getByDot(hook, 'params.before.reviewedBy');
const userId = getByDot(hook, 'params.user._id');
const ownerId = getByDot(hook, 'params.before.userId');
const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
// only allow mods and admins to change the review status
if (!isModOrAdmin) {
deleteByDot(hook.data, 'isReviewed');
}
// set reviewedBy to current user if the user has mod rights
// and wants to confirm the review status
deleteByDot(hook.data, 'reviewedBy');
if (hook.data.isReviewed) {
hook.data.reviewedBy = userId;
fields.forEach((field) => {
// get item by dot notation
const value = getByDot(items, field);
// set cleaned item by dot notation
setByDot(items, field, clean(value));
});
}
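/**
 * Feathers "before" hook factory: only let the request through when the
 * organization it targets is owned by the authenticated user.
 *
 * The organization id is read from `params.<field>` first and only then from
 * `data.<field>`, so a value set server-side (e.g. from the route) wins over
 * anything the client sends in the request body.
 *
 * @param {{field?: string}} [options] - name of the organization id field;
 *   defaults to 'organizationId' (also when options is given without a field).
 * @returns {(hook: object) => Promise<object>} async hook that resolves with
 *   the unchanged hook context.
 * @throws {errors.Forbidden} when there is no authenticated user, when the
 *   organization has no owner, or when its owner is not the current user.
 *
 * NOTE(review): requests that carry no organization id at all are passed
 * through unchecked. Presumably intentional for records that are not
 * organization-scoped, but on patch/update/remove the stored record's
 * organization is not consulted, so this hook alone does not enforce
 * ownership of an existing record — verify against the service's other hooks.
 */
module.exports = (options = {field: 'organizationId'}) => async hook => {
  // Fall back to the default field name when options was passed without one
  // (the parameter default only covers `undefined`, not `{}`).
  const field = (options && options.field) || 'organizationId';
  const currentUserId = getByDot(hook, 'params.user._id');
  if (!currentUserId) {
    // Unauthenticated caller: deny before touching the organizations service.
    throw new errors.Forbidden('you can\'t create or edit for that organization');
  }
  // params takes precedence over client-supplied data (see doc comment).
  const organizationId = getByDot(hook, `params.${field}`) || getByDot(hook, `data.${field}`);
  if (!organizationId) {
    // ignore items without organization id
    return hook;
  }
  // Internal service call (no params forwarded), so the organizations
  // service's own provider-level hooks do not apply here. A missing
  // organization is expected to surface as an error thrown by `get`.
  const organization = await hook.app.service('organizations').get(organizationId);
  // Fail closed: an organization without an owner is assignable to nobody, so
  // a missing `userId` is treated as "not the current user" instead of being
  // dereferenced (the original `organization.userId.toString()` would throw a
  // TypeError here and surface as a 500 rather than a 403).
  const ownerId = organization && organization.userId;
  if (!ownerId || ownerId.toString() !== currentUserId.toString()) {
    throw new errors.Forbidden('you can\'t create or edit for that organization');
  }
  return hook;
};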
return (hook) => {
if (!getByDot(hook, 'params.before')) {
throw new Error('The "restrictReviewAndEnableChange" hook should be used after the "stashBefore()" hook');
}
const role = getByDot(hook, 'params.user.role');
const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
const isReviewed = getByDot(hook, 'params.before.reviewedBy');
const userId = getByDot(hook, 'params.user._id');
const ownerId = getByDot(hook, 'params.before.userId');
const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
// only allow mods and admins to change the review status
if (!isModOrAdmin) {
deleteByDot(hook.data, 'isReviewed');
}
// set reviewedBy to current user if the user has mod rights
// and wants to confirm the review status
deleteByDot(hook.data, 'reviewedBy');
if (hook.data.isReviewed) {
hook.data.reviewedBy = userId;
}
// only allow changes to mods, admin and owners (if its already reviewed)
if (!isModOrAdmin && (!isOwner || (isOwner && !isReviewed))) {
if (hook.type !== 'before') {
throw new Error('The "restrictToOwnerOrModerator" hook should only be used as a "before" hook.');
}
const isFindOrGet = ['find', 'get'].includes(hook.method);
if (!isFindOrGet && !getByDot(hook, 'params.before')) {
throw new Error('The "restrictToOwnerOrModerator" hook should be used after the "stashBefore()" hook');
}
if (!hook.params || !hook.params.user) {
return false;
}
const role = getByDot(hook, 'params.user.role');
const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
const userId = getByDot(hook, 'params.user._id');
const ownerId = getByDot(hook, 'params.before.userId');
const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
// allow for mods or admins
if (isModOrAdmin) {
return hook;
}
// change the query if the method is find or get
if (isFindOrGet) {
// restrict to owner or given query
const restrictedQuery = {
$or: [
{ userId },
{ ...query }
]
return function (hook) {
if (hook.type !== 'before') {
throw new Error('The "restrictToOwnerOrModerator" hook should only be used as a "before" hook.');
}
const isFindOrGet = ['find', 'get'].includes(hook.method);
if (!isFindOrGet && !getByDot(hook, 'params.before')) {
throw new Error('The "restrictToOwnerOrModerator" hook should be used after the "stashBefore()" hook');
}
if (!hook.params || !hook.params.user) {
return false;
}
const role = getByDot(hook, 'params.user.role');
const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
const userId = getByDot(hook, 'params.user._id');
const ownerId = getByDot(hook, 'params.before.userId');
const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
// allow for mods or admins
if (isModOrAdmin) {
return (parent: any, args: ArgMap, content: ResolverContext, ast: GraphQLResolveInfo) => {
let batchLoader = getByDot(content, contentByDot);
if (!batchLoader) {
batchLoader = getBatchLoader(batchLoaderName, parent, args, content, ast);
setByDot(content, contentByDot, batchLoader);
}
const returns1 = batchLoader.load(parent[fieldName]);
return !isArray ? returns1 : returns1.then((result: any) => result || []);
};
}
return (parent, args, content, ast) => {
let batchLoader = getByDot(content, contentByDot);
if (!batchLoader) {
batchLoader = getBatchLoader(batchLoaderName, parent, args, content, ast);
setByDot(content, contentByDot, batchLoader);
}
const returns1 = batchLoader.load(parent[fieldName]);
return !isArray ? returns1 : returns1.then(result => result || []);
};
}
return (parent: any, args: ArgMap, content: ResolverContext, ast: GraphQLResolveInfo) => {
let batchLoader = getByDot(content, contentByDot);
if (!batchLoader) {
batchLoader = getBatchLoader(batchLoaderName, parent, args, content, ast);
setByDot(content, contentByDot, batchLoader);
}
const returns1 = batchLoader.load(parent[fieldName]);
return !isArray ? returns1 : returns1.then((result: any) => result || []);
};
}