fix(meetings): Add aurhorization checking

Edugaze-Inc · Jul 15, 2021 · 08e9e9c · 08e9e9c
1 parent ae4a68e
commit 08e9e9c
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/meetings/src/routes/end.ts b/meetings/src/routes/end.ts
@@ -32,6 +32,11 @@ router.post(`${baseUrl}/end/:id`, async (req: Request, res: Response) => {
   }
 
   const user = resV.data._id;
+  const role = resV.data.role;
+
+  if (role != "instructor") {
+    return res.status(400).send("Only instructors can end meetings!");
+  }
 
   if (!id.match(/^[0-9a-fA-F]{24}$/)) {
     return res.status(400).send("Meeting is not found");

diff --git a/meetings/src/routes/new.ts b/meetings/src/routes/new.ts
@@ -42,6 +42,12 @@ router.post(
       return res.status(400).send("User is not authorized");
     }
 
+    const role = resV.data.role;
+
+    if (role != "instructor") {
+      return res.status(400).send("Only instructors can create meetings!");
+    }
+
     const { title, course, startTime, endTime } = req.body;
     const status = "incoming";
     const host = resV.data._id;

diff --git a/meetings/src/routes/start.ts b/meetings/src/routes/start.ts
@@ -32,6 +32,11 @@ router.post(`${baseUrl}/start/:id`, async (req: Request, res: Response) => {
     return res.status(400).send("User is not authorized");
   }
   const user = resV.data._id;
+  const role = resV.data.role;
+
+  if (role != "instructor") {
+    return res.status(400).send("Only instructors can start meetings!");
+  }
 
   if (!id.match(/^[0-9a-fA-F]{24}$/)) {
     return res.status(400).send("Meeting is not found");