fix: Enhance dataset controllers with user authentication checks and improve mail configuration

2025-11-13 11:02:00 +01:00 · 2025-11-13 11:02:00 +01:00 · d44d08abcd
commit d44d08abcd
parent 38c05f6714
7 changed files with 204 additions and 48 deletions
--- a/app/Controllers/Http/Submitter/DatasetController.ts
+++ b/app/Controllers/Http/Submitter/DatasetController.ts
@ -824,13 +824,20 @@ export default class DatasetController {
    };

    // public async release({ params, view }) {
-    public async release({ request, inertia, response }: HttpContext) {
+    public async release({ request, inertia, response, auth }: HttpContext) {
        const id = request.param('id');
+        const user = auth.user;
+
+        // Check if user is authenticated
+        if (!user) {
+            return response.flash('You must be logged in to edit a dataset.', 'error').redirect().toRoute('app.login.show');
+        }

        const dataset = await Dataset.query()
            .preload('user', (builder) => {
                builder.select('id', 'login');
            })
+            .where('account_id', user.id) // Only fetch if user owns it
            .where('id', id)
            .firstOrFail();

@ -851,9 +858,20 @@ export default class DatasetController {
        });
    }

-    public async releaseUpdate({ request, response }: HttpContext) {
+    public async releaseUpdate({ request, response, auth }: HttpContext) {
        const id = request.param('id');
-        const dataset = await Dataset.query().preload('files').where('id', id).firstOrFail();
+        const user = auth.user;
+
+        // Check if user is authenticated
+        if (!user) {
+            return response.flash('You must be logged in to edit a dataset.', 'error').redirect().toRoute('app.login.show');
+        }
+
+        const dataset = await Dataset.query()
+            .preload('files')
+            .where('id', id)
+            .where('account_id', user.id) // Only fetch if user owns it
+            .firstOrFail();

        const validStates = ['inprogress', 'rejected_editor'];
        if (!validStates.includes(dataset.server_state)) {
@ -933,7 +951,15 @@ export default class DatasetController {

    public async edit({ request, inertia, response, auth }: HttpContext) {
        const id = request.param('id');
-        const datasetQuery = Dataset.query().where('id', id);
+        const user = auth.user;
+
+        // Check if user is authenticated
+        if (!user) {
+            return response.flash('You must be logged in to edit a dataset.', 'error').redirect().toRoute('app.login.show');
+        }
+
+        // Prefilter by both id AND account_id
+        const datasetQuery = Dataset.query().where('id', id).where('account_id', user.id); // Only fetch if user owns it
        datasetQuery
            .preload('titles', (query) => query.orderBy('id', 'asc'))
            .preload('descriptions', (query) => query.orderBy('id', 'asc'))
@ -949,8 +975,9 @@ export default class DatasetController {
            .preload('files', (query) => {
                query.orderBy('sort_order', 'asc'); // Sort by sort_order column
            });
-
+        // This will throw 404 if dataset doesn't exist OR user doesn't own it
        const dataset = await datasetQuery.firstOrFail();
+
        const validStates = ['inprogress', 'rejected_editor'];
        if (!validStates.includes(dataset.server_state)) {
            // session.flash('errors', 'Invalid server state!');
@ -1014,11 +1041,30 @@ export default class DatasetController {
        });
    }

-    public async update({ request, response, session }: HttpContext) {
+    public async update({ request, response, session, auth }: HttpContext) {
        // Get the dataset id from the route parameter
        const datasetId = request.param('id');
-        // Retrieve the dataset and load its existing files
-        const dataset = await Dataset.findOrFail(datasetId);
+        const user = auth.user;
+
+        // Check if user is authenticated
+        if (!user) {
+            return response.flash('You must be logged in to update a dataset.', 'error').redirect().toRoute('app.login.show');
+        }
+
+        // Prefilter by both id AND account_id
+        const dataset = await Dataset.query()
+            .where('id', datasetId)
+            .where('account_id', user.id) // Only fetch if user owns it
+            .firstOrFail();
+
+        // // Check if the authenticated user is the owner of the dataset
+        // if (dataset.account_id !== user.id) {
+        //     return response
+        //         .flash(`Unauthorized access. You are not the owner of dataset with id ${id}.`, 'error')
+        //         .redirect()
+        //         .toRoute('dataset.list');
+        // }
+
        await dataset.load('files');
        // Accumulate the size of the already related files
        // const preExistingFileSize = dataset.files.reduce((acc, file) => acc + file.fileSize, 0);
@ -1442,16 +1488,26 @@ export default class DatasetController {
        }
    }

-    public async delete({ request, inertia, response, session }: HttpContext) {
+    public async delete({ request, inertia, response, session, auth }: HttpContext) {
        const id = request.param('id');
+        const user = auth.user;
+
+        // Check if user is authenticated
+        if (!user) {
+            return response.flash('You must be logged in to edit a dataset.', 'error').redirect().toRoute('app.login.show');
+        }
+
        try {
+            // This will throw 404 if dataset doesn't exist OR user doesn't own it
            const dataset = await Dataset.query()
                .preload('user', (builder) => {
                    builder.select('id', 'login');
                })
                .where('id', id)
+                .where('account_id', user.id) // Only fetch if user owns it
                .preload('files')
                .firstOrFail();
+
            const validStates = ['inprogress', 'rejected_editor'];
            if (!validStates.includes(dataset.server_state)) {
                // session.flash('errors', 'Invalid server state!');
@ -1476,9 +1532,27 @@ export default class DatasetController {
        }
    }

-    public async deleteUpdate({ params, session, response }: HttpContext) {
+    public async deleteUpdate({ params, session, response, auth }: HttpContext) {
        try {
-            const dataset = await Dataset.query().where('id', params.id).preload('files').firstOrFail();
+            const user = auth.user;
+            if (!user) {
+                return response.flash('You must be logged in to edit a dataset.', 'error').redirect().toRoute('app.login.show');
+            }
+
+            // This will throw 404 if dataset doesn't exist OR user doesn't own it
+            const dataset = await Dataset.query()
+                .where('id', params.id)
+                .where('account_id', user.id) // Only fetch if user owns it
+                .preload('files')
+                .firstOrFail();
+
+            // // Check if the authenticated user is the owner of the dataset
+            // if (dataset.account_id !== user.id) {
+            //     return response
+            //         .flash(`Unauthorized access. You are not the owner of dataset with id ${params.id}.`, 'error')
+            //         .redirect()
+            //         .toRoute('dataset.list');
+            // }

            const validStates = ['inprogress', 'rejected_editor'];
            if (validStates.includes(dataset.server_state)) {