「🔨」 fix(user-management): fix the fact the no fucking route was protected

2025-12-31 21:56:41 +01:00 · 2025-10-23 15:49:35 +02:00
parent c4221d9463
commit 0c9f595047
19 changed files with 76 additions and 48 deletions
--- a/src/api/user/dMember.js
+++ b/src/api/user/dMember.js
@ -1,22 +1,19 @@
 export async function dMember(request, reply, fastify, getUserInfo, changeDisplayName) {
 	try {
-		if (!request.user) {
-			return reply.code(400).send({ error: "Please specify a user" });
-		}
 		const userId = request.params.userId;
+		if (request.user !== userId && request.user !== 'admin') {
+			return reply.code(401).send({ error: 'Unauthorized' });
+		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		const user = request.user;
 		const member = request.params.member;
-		if (user === 'admin' || user === request.params.userId) {
-			if (member === 'displayName') {
-				changeDisplayName.run("", request.params.userId);
-				return reply.code(200).send({ msg: "Display name deleted successfully" });
-			}
-			return reply.code(400).send({ msg: "Member does not exist" })
+		if (member === 'displayName') {
+			changeDisplayName.run("", request.params.userId);
+			return reply.code(200).send({ msg: "Display name deleted successfully" });
 		} else {
-			return reply.code(401).send({ error: 'You dont have the right to delete this' });
+			return reply.code(400).send({ msg: "Member does not exist" })
 		}
 	} catch (err) {
 		fastify.log.error(err);