check if user is in course before allowing request

vatger · May 20, 2024 · 7811bc1 · 7811bc1
1 parent 3cc3b9e
commit 7811bc1
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/backend/src/controllers/training-request/TrainingRequestController.ts b/backend/src/controllers/training-request/TrainingRequestController.ts
@@ -10,6 +10,7 @@ import Validator, { ValidationTypeEnum } from "../../utility/Validator";
 import { GenericException } from "../../exceptions/GenericException";
 import { ForbiddenException } from "../../exceptions/ForbiddenException";
 import { ConversionUtils } from "turbocommons-ts";
+import { Course } from "../../models/Course";
 
 /**
  * Creates a new training request
@@ -32,6 +33,11 @@ async function create(request: Request, response: Response, next: NextFunction)
             training_type_id: [ValidationTypeEnum.NON_NULL, ValidationTypeEnum.NUMBER],
         });
 
+        const courseUUID = await Course.getUUIDFromID(body.course_id);
+        if (!await user.isMemberOfCourse(courseUUID)) {
+            throw new ForbiddenException("You are not a member of this course");
+        }
+
         const trainingRequest = await TrainingRequest.create({
             uuid: generateUUID(),
             user_id: user.id,

diff --git a/backend/src/models/User.ts b/backend/src/models/User.ts
@@ -107,7 +107,7 @@ export class User extends Model<InferAttributes<User>, InferCreationAttributes<U
     isMentorInCourse = UserExtensions.isMentorInCourse.bind(this);
     isMentor = UserExtensions.isMentor.bind(this);
 
-    async isMemberOfCourse(uuid: string): Promise<boolean> {
+    async isMemberOfCourse(uuid?: string): Promise<boolean> {
         const course = await Course.findOne({
             where: {
                 uuid: uuid,