Hide delete build button if not logged in as corresponding user

Pansysk75 · Dec 31, 2023 · d69711d · d69711d
1 parent 9ab5c07
commit d69711d
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/web-app/app.js b/web-app/app.js
@@ -51,7 +51,6 @@ router.get('/user/:username', async (req, res) => {
 
     const backendUrl = "http://64.226.122.251:81/"
 
-    // Get id from url
     let username = req.params.username;
 
     // Fetch user from backend
@@ -65,7 +64,7 @@ router.get('/user/:username', async (req, res) => {
             console.log(error);
         });
 
-    if (userData.error) {
+    if(userData == undefined || userData.error != undefined) {
         res.send("User not found");
         return;
     }

diff --git a/web-app/src/user.js b/web-app/src/user.js
@@ -3,6 +3,7 @@ import {config} from './config.js';
 
 function deleteBuild(buildId) {
     // Send a DELETE request to the backend API
+    // This is completely unsafe bc this is client-side code and anyone can send a DELETE request to the API
     const url = `${config.backendUrl}/build/${buildId}`;
     return fetch(url, {method: 'DELETE'})
         .then(response => {

diff --git a/web-app/views/user.ejs b/web-app/views/user.ejs
@@ -19,7 +19,9 @@
                 <% for (let i = 0; i < user.builds_created.length; i++) { %>
                 <li class="build-created">
                   <a href="/build/<%=  user.builds_created[i].Build_id %>"><%=  user.builds_created[i].name %></a>
-                  <button class="delete-build" value="<%= user.builds_created[i].Build_id %>">X</button>      
+                  <% if (session.Username == user.Username || session.Username == "admin" ) { %>
+                    <button class="delete-build" value="<%= user.builds_created[i].Build_id %>">X</button>
+                  <% } %>
                 </li>
                 <% } %>
             </ul>