From 9eb9e526edff8bf82ae032f7a04867c8d58572bc Mon Sep 17 00:00:00 2001
From: hughcrt
Date: Mon, 19 Feb 2024 09:39:01 -0300
Subject: [PATCH] feat: add project modification safeguard

---
 packages/backend/src/api/v1/projects/index.ts | 12 +++++++++---
 packages/backend/src/utils/authorization.ts | 2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/api/v1/projects/index.ts b/packages/backend/src/api/v1/projects/index.ts
index 76467d7e..89b16a7d 100644
--- a/packages/backend/src/api/v1/projects/index.ts
+++ b/packages/backend/src/api/v1/projects/index.ts
@@ -1,4 +1,4 @@
-import { verifyProjectAccess } from "@/src/utils/authorization"
+import { checkProjectAccess } from "@/src/utils/authorization"
 import sql from "@/src/utils/db"
 import Context from "@/src/utils/koa"
 import Router from "koa-router"
@@ -71,9 +71,8 @@ projects.post("/", async (ctx: Context) => {
 projects.delete("/:projectId", async (ctx: Context) => {
   const { projectId } = ctx.params
   const { orgId, userId } = ctx.state
-  console.log(ctx.state)
 
-  const hasProjectAccess = await verifyProjectAccess(projectId, userId)
+  const hasProjectAccess = await checkProjectAccess(projectId, userId)
   const [user] = await sql`select * from account where id = ${userId}`
 
   if (!hasProjectAccess) {
@@ -105,6 +104,13 @@ projects.delete("/:projectId", async (ctx: Context) => {
 projects.patch("/:projectId", async (ctx: Context) => {
   const { projectId } = ctx.params
+  const { userId } = ctx.params
+
+  const hasProjectAccess = await checkProjectAccess(projectId, userId)
+  if (!hasProjectAccess) {
+    ctx.throw(401, "Unauthorized")
+  }
+
 
   const bodySchema = z.object({
     name: z.string(),
   })
diff --git a/packages/backend/src/utils/authorization.ts b/packages/backend/src/utils/authorization.ts
index 3cf0c4b4..1ea667bf 100644
--- a/packages/backend/src/utils/authorization.ts
+++ b/packages/backend/src/utils/authorization.ts
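Review bot: The new safeguard in the patch handler reads the caller identity from the wrong source: `const { userId } = ctx.params` takes userId from the route parameters, but the route is `/:projectId`, so userId is undefined here and, if a userId param ever were present, it would be client-supplied — an access check keyed on an identifier the requester controls does not protect anything. The delete handler in the preceding hunk takes it from the authenticated request state, `const { orgId, userId } = ctx.state`, and the patch handler should do the same, `const { userId } = ctx.state`. As written, checkProjectAccess(projectId, undefined) runs on every request, so the endpoint is presumably either always rejected or, depending on how the SQL exists-query treats an undefined parameter, never — neither is the intended behavior. Throwing 401 for an authenticated caller without access is also arguably a 403; whichever status is used should match what the delete handler throws, which lies outside this hunk. The patch handler's body continues past the end of the hunk.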
@@ -1,6 +1,6 @@
 import sql from "./db"
-export async function verifyProjectAccess(projectId: string, userId: string) {
+export async function checkProjectAccess(projectId: string, userId: string) {
   const [{ exists: hasAccess }] = await sql`
     select exists (
       select 1