Kaikanes lessonlist routing/controller

[lacnoskillz]

Description

Created routing/controllers for lesson list page so users can edit a lesson or delete a lesson in the back end. Can also fetch all lessons and a single lesson.

Related PRS (if any):

Used the same model from
#635
Will eventually be used in the front end which is still in the works
OneCommunityGlobal/HighestGoodNetworkApp#1618

Main changes explained:

• created a temp seed function in the startup/db.js file so we can test
• created Lesson get/put/delete routes
• created LessonController that handles the logic for those routes

How to test:

1. check into current branch
2. do npm install and 'npm run dev'
3. log into the app on the front end and grab your token in local storage
4. add 'Authorization' to the header with your token as the value
5. make sure 'content-type' header with 'application/json' value is in the header as well!
6. test get /put/ delete routes for Lessons
7. get all route is localhost:4500/api/bm/lessons (grab the _id here to use for other routes)
8. get single/edit/delete is localhost:4500/api/bm/lesson/:id

Screenshots or videos of changes:

2023-12-20.22-31-13.mp4

GRAB TOKEN IN APP FRONT END LOCAL STORAGE

HEADER (I use insomnia)

Note:

I just hard coded a random user and project for the seed data and will not be merging the seedDatabase function in startup/db. Its just for testing.

[ChengyanOo]

Great job on implementing the API endpoints. One aspect worth considering is the authorization control for the deletion endpoint. Currently, anyone with access to the endpoint and the lesson ID can delete lesson data.

API testing tool used: Postman

PR review walk through:
https://github.com/OneCommunityGlobal/HGNRest/assets/69735000/d4413fc2-9089-49ad-a2f5-69c551d5bc58

Test scripts:
ModifySingleLessonTest.txt
DeleteSingleLessonTest.txt
GetAllLessonsTest.txt
GetSingleLessonTest.txt

[lacnoskillz]

@ChengyanOo
Thank you for your detailed review!
Your right and I totally forgot about auth. I will talk to jae and see who should have the permission (admin/owner etc.) and work on implementing our permissions utility's.

• cheers

[lacnoskillz]

@ChengyanOo
I talked to another Team Manager and was told we don't need to worry about auth/permissions for now. But I did add some code anyway for delete and put routes that check if user is either the lesson creator/admin or checks if user is lesson team manager/admin.
Feel free to test the code I pushed. If you use a token as an admin it should let you use the routes but if your a volunteer it should not.
It is commented out since it isn't required.
It should be lines 49-52 for put
and 77-80 for delete

[ChengyanOo]

@lacnoskillz

Will do! I just joined the team so my main task will just be reviewing prs for now, will take a look at your updated code again tomorrow!

Best wishes,
Chengyan

[ChengyanOo]

Just a quick explanation of reasons I approved this PR:

1. Successful Unit Testing: In my previous review, I ran unit tests for four different RESTful endpoints. The results of these tests were satisfactory and were detailed in my last comment.
2. Stability of Codebase: Since the last review, no major changes have been made to the code. This stability ensures that re-running the unit tests is not necessary for this set of changes.
3. Authorization Feature for Deletion Endpoint: @Kaikanes has confirmed that the deletion endpoint does not require an authorization check at this stage. Therefore, no additional authorization features need to be implemented currently.

[lacnoskillz]

@ChengyanOo

Thank you again for your thorough review. You went the extra mile and even conducted tests, which is awesome!