mirror of
https://github.com/codeninjasllc/codecombat.git
synced 2024-11-27 17:45:40 -05:00
Log classroom forbidden errors for debugging
This commit is contained in:
parent
8f7e4e2278
commit
dfcbbb7c9c
2 changed files with 24 additions and 7 deletions
|
@ -5,6 +5,7 @@ Classroom = require './../models/Classroom'
|
|||
User = require '../models/User'
|
||||
sendwithus = require '../sendwithus'
|
||||
utils = require '../lib/utils'
|
||||
log = require 'winston'
|
||||
UserHandler = require './user_handler'
|
||||
|
||||
ClassroomHandler = class ClassroomHandler extends Handler
|
||||
|
@ -74,7 +75,9 @@ ClassroomHandler = class ClassroomHandler extends Handler
|
|||
Classroom.findById classroomID, (err, classroom) =>
|
||||
return @sendDatabaseError(res, err) if err
|
||||
return @sendNotFoundError(res) unless classroom
|
||||
return @sendForbiddenError(res) unless classroom.get('ownerID').equals(req.user.get('_id'))
|
||||
unless classroom.get('ownerID').equals(req.user.get('_id'))
|
||||
log.debug "classroom_handler.inviteStudents: Can't invite to classroom (#{classroom.id}) you (#{req.user.get('_id')}) don't own"
|
||||
return @sendForbiddenError(res)
|
||||
|
||||
for email in req.body.emails
|
||||
joinCode = (classroom.get('codeCamel') or classroom.get('code'))
|
||||
|
@ -91,13 +94,17 @@ ClassroomHandler = class ClassroomHandler extends Handler
|
|||
|
||||
get: (req, res) ->
|
||||
if ownerID = req.query.ownerID
|
||||
return @sendForbiddenError(res) unless req.user and (req.user.isAdmin() or ownerID is req.user.id)
|
||||
unless req.user and (req.user.isAdmin() or ownerID is req.user.id)
|
||||
log.debug "classroom_handler.get: ownerID (#{ownerID}) must be yourself (#{req.user.id})"
|
||||
return @sendForbiddenError(res)
|
||||
return @sendBadInputError(res, 'Bad ownerID') unless utils.isID ownerID
|
||||
Classroom.find {ownerID: mongoose.Types.ObjectId(ownerID)}, (err, classrooms) =>
|
||||
return @sendDatabaseError(res, err) if err
|
||||
return @sendSuccess(res, (@formatEntity(req, classroom) for classroom in classrooms))
|
||||
else if memberID = req.query.memberID
|
||||
return @sendForbiddenError(res) unless req.user and (req.user.isAdmin() or memberID is req.user.id)
|
||||
unless req.user and (req.user.isAdmin() or memberID is req.user.id)
|
||||
log.debug "classroom_handler.get: memberID (#{memberID}) must be yourself (#{req.user.id})"
|
||||
return @sendForbiddenError(res)
|
||||
return @sendBadInputError(res, 'Bad memberID') unless utils.isID memberID
|
||||
Classroom.find {members: mongoose.Types.ObjectId(memberID)}, (err, classrooms) =>
|
||||
return @sendDatabaseError(res, err) if err
|
||||
|
|
|
@ -3,6 +3,7 @@ utils = require '../lib/utils'
|
|||
errors = require '../commons/errors'
|
||||
schemas = require '../../app/schemas/schemas'
|
||||
wrap = require 'co-express'
|
||||
log = require 'winston'
|
||||
Promise = require 'bluebird'
|
||||
database = require '../commons/database'
|
||||
mongoose = require 'mongoose'
|
||||
|
@ -21,6 +22,7 @@ module.exports =
|
|||
return next() unless code
|
||||
classroom = yield Classroom.findOne({ code: code.toLowerCase() }).select('name ownerID aceConfig')
|
||||
if not classroom
|
||||
log.debug("classrooms.fetchByCode: Couldn't find Classroom with code: #{code}")
|
||||
throw new errors.NotFound('Classroom not found.')
|
||||
classroom = classroom.toObject()
|
||||
# Tack on the teacher's name for display to the user
|
||||
|
@ -33,7 +35,9 @@ module.exports =
|
|||
return next() unless ownerID
|
||||
throw new errors.UnprocessableEntity('Bad ownerID') unless utils.isID ownerID
|
||||
throw new errors.Unauthorized() unless req.user
|
||||
throw new errors.Forbidden('"ownerID" must be yourself') unless req.user.isAdmin() or ownerID is req.user.id
|
||||
unless req.user.isAdmin() or ownerID is req.user.id
|
||||
log.debug("classrooms.getByOwner: Can't fetch classroom you don't own. User: #{req.user.id} Owner: #{ownerID}")
|
||||
throw new errors.Forbidden('"ownerID" must be yourself')
|
||||
sanitizedOptions = {}
|
||||
unless _.isUndefined(options.archived)
|
||||
# Handles when .archived is true, vs false-or-null
|
||||
|
@ -114,6 +118,7 @@ module.exports =
|
|||
isOwner = classroom.get('ownerID').equals(req.user._id)
|
||||
isMember = req.user.id in (m.toString() for m in classroom.get('members'))
|
||||
unless req.user.isAdmin() or isOwner or isMember
|
||||
log.debug "classrooms.fetchMembers: Can't fetch members for class (#{classroom.id}) you (#{req.user.id}) don't own and aren't a member of."
|
||||
throw new errors.Forbidden('You do not own this classroom.')
|
||||
memberIDs = classroom.get('members') or []
|
||||
memberIDs = memberIDs.slice(memberSkip, memberSkip + memberLimit)
|
||||
|
@ -126,7 +131,9 @@ module.exports =
|
|||
|
||||
post: wrap (req, res) ->
|
||||
throw new errors.Unauthorized() unless req.user and not req.user.isAnonymous()
|
||||
throw new errors.Forbidden() unless req.user?.isTeacher()
|
||||
unless req.user?.isTeacher()
|
||||
console.log "classrooms.post: Can't create classroom if you (#{req.user?.id}) aren't a teacher."
|
||||
throw new errors.Forbidden()
|
||||
classroom = database.initDoc(req, Classroom)
|
||||
classroom.set 'ownerID', req.user._id
|
||||
classroom.set 'members', []
|
||||
|
@ -159,11 +166,13 @@ module.exports =
|
|||
unless req.body?.code
|
||||
throw new errors.UnprocessableEntity('Need a code')
|
||||
if req.user.isTeacher()
|
||||
log.debug("classrooms.join: Cannot join a classroom as a teacher: #{req.user.id}")
|
||||
throw new errors.Forbidden('Cannot join a classroom as a teacher')
|
||||
code = req.body.code.toLowerCase()
|
||||
classroom = yield Classroom.findOne({code: code})
|
||||
if not classroom
|
||||
throw new errors.NotFound('Classroom not found.')
|
||||
log.debug("classrooms.join: Classroom not found with code #{code}")
|
||||
throw new errors.NotFound("Classroom not found with code #{code}")
|
||||
members = _.clone(classroom.get('members'))
|
||||
if _.any(members, (memberID) -> memberID.equals(req.user._id))
|
||||
return res.send(classroom.toObject({req: req}))
|
||||
|
@ -199,7 +208,8 @@ module.exports =
|
|||
return next() unless memberID in ownedStudentIDs
|
||||
student = yield User.findById(memberID)
|
||||
if student.get('emailVerified')
|
||||
return next new errors.Forbidden("Can't reset password for a student that has verified their email address.")
|
||||
log.debug "classrooms.setStudentPassword: Can't reset password for a student (#{memberID}) that has verified their email address."
|
||||
throw new errors.Forbidden("Can't reset password for a student that has verified their email address.")
|
||||
{ valid, error } = tv4.validateResult(newPassword, schemas.passwordString)
|
||||
unless valid
|
||||
throw new errors.UnprocessableEntity(error.message)
|
||||
|
|
Loading…
Reference in a new issue