[OGUI-1604] Add middleware to 'edit layout' requests #2734
Conversation
…ure/OGUI-1604/add-layout-edit-middleware
mariscalromeroalejandro
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hi @mariscalromeroalejandro ,
The PR is in the right direction, good job!
Given that we move these checks to middleware function, and cleaning the tests for controller on such criteria, it means we are left exposed on API being tested against these scenarios.
Please have a look at the API tests from Control https://github.com/AliceO2Group/WebUi/tree/dev/Control/test/api and add some API tests for the PUT and PATCH layout:id paths as well
…ure/OGUI-1604/add-layout-edit-middleware
|
|
||
| test('should return a 404 error if the layout id is not provided', async () => { | ||
| await request(`${URL_ADDRESS}/api/layout/`) | ||
| .put(`?id=${null}&token=${OWNER_TEST_TOKEN}`) |
There was a problem hiding this comment.
Where is the query parameter id used? As far as I can tell the id/name of the layout is taken from the req url param list
There was a problem hiding this comment.
Yes. The id and token are included in the URL as query parameters, not in the request body. They are still part of the query string in the URL
There was a problem hiding this comment.
But the API PUT route is not expecting a query parameter (the ones after ?)
It is expecting a URL parameters (the one after api/layout/
…ure/OGUI-1604/add-layout-edit-middleware
This PR adds checks when editing layouts using
PATCHandPUTrequests:PUTrequests, ensures that only the owner can update their layout.