Update authorization check on removing members from team or from orga…
…nization

Allow the acting user to decline team or organization invitations.
Allow the acting user to leave team or organization.
aaronxsu committed Dec 5, 2018
1 parent 1d118f0 commit 3820f0c
Showing 1 changed file with 20 additions and 2 deletions.
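--- a/app-backend/api/src/main/scala/platform/Routes.scala
+++ b/app-backend/api/src/main/scala/platform/Routes.scala
@@ -492,7 +492,16 @@ trait PlatformRoutes
 orgId: UUID,
 userId: String): Route = authenticate { user =>
 authorizeAsync {
-OrganizationDao.userIsAdmin(user, orgId).transact(xa).unsafeToFuture
+val authCheck = (
+OrganizationDao.userIsAdmin(user, orgId),
+(userId == user.id).pure[ConnectionIO]
+).tupled.map(
+{
+case (true, _) | (_, true) => true
+case _ => false
+}
+)
+authCheck.transact(xa).unsafeToFuture
 } {
 complete {
 OrganizationDao
@@ -647,7 +656,16 @@ trait PlatformRoutes
 teamId: UUID,
 userId: String): Route = authenticate { user =>
 authorizeAsync {
-TeamDao.userIsAdmin(user, teamId).transact(xa).unsafeToFuture
+val authCheck = (
+TeamDao.userIsAdmin(user, teamId),
+(userId == user.id).pure[ConnectionIO]
+).tupled.map(
+{
+case (true, _) | (_, true) => true
+case _ => false
+}
+)
+authCheck.transact(xa).unsafeToFuture
 } {
 complete {
 TeamDao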
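Review bot: The new authorization predicate in both hunks is a plain OR written as a tuple pattern match, which makes a security-relevant rule harder to audit than it needs to be; `OrganizationDao.userIsAdmin(user, orgId).map(_ || userId == user.id)` (and the `TeamDao` equivalent) states it directly and drops the `.pure[ConnectionIO]`/`.tupled` detour. Because the self branch now authorizes the request whatever the caller's role is, a one-line comment such as `// admins may remove anyone; any user may remove themselves (leave / decline invitation)` would record the intent next to the check. The hunks do not show what the DAO call inside `complete` does when the caller is the only remaining admin, so it is worth confirming that case is handled there rather than assumed by this check. Both route methods begin and end outside the visible hunks.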
