authorMateja <mail@matejamaric.com>2021-07-29 03:16:51 +0200
committerMateja <mail@matejamaric.com>2021-07-29 03:16:51 +0200
commitaec70cba2579088d0f8a9cac2ba33030c5c17d22 (patch)
treea3741f85fe08992ddc312efe852970e8a16cfc23
parent015d67cf738e4ad6d397824dc09a44d85d643b75 (diff)
downloadmevn-ecommerce-aec70cba2579088d0f8a9cac2ba33030c5c17d22.tar.gz
mevn-ecommerce-aec70cba2579088d0f8a9cac2ba33030c5c17d22.zip
Save and check user ID for every order.
-rw-r--r--server/controllers/transaction.js4
-rw-r--r--server/models/Order.js2
2 files changed, 5 insertions, 1 deletions
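--- a/server/controllers/transaction.js
+++ b/server/controllers/transaction.js
@@ -10,6 +10,7 @@ module.exports = {
 let newOrderObj = {
 status: 'ordered',
 paypalOrderId: null,
+userId: req.user._id,
 items: []
 };
 let transactionSetupData = {
@@ -107,6 +108,9 @@ module.exports = {
 if (!dbOrder)
 return res.status(400).json({status: "Couldn't find given order in database!"});
+if (!dbOrder.userId.equals(req.user._id))
+return res.sendStatus(403);
+
 const request = new paypal.orders.OrdersCaptureRequest(req.body.orderId);
 request.requestBody({});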
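Review bot: The ownership check in the second hunk dereferences `dbOrder.userId` unconditionally, so an order stored before this commit (when the schema allowed `userId` to be absent) makes `.equals` throw a TypeError on the capture path instead of producing a 403; a fail-closed guard `if (!dbOrder.userId || !dbOrder.userId.equals(req.user._id))` keeps such legacy orders from being captured by anyone while still rejecting mismatches. An alternative that removes the post-hoc comparison entirely is to look the order up by both `_id` and `req.user._id`, so the query itself is scoped to the caller, but the lookup is outside this hunk. Both hunks also rely on `req.user` being populated by an authentication middleware that is not visible in this diff; if either route is reachable without it, `req.user._id` throws during order creation in the first hunk and in this check, so that assumption is worth confirming against the router. The enclosing handlers start and end outside the hunks.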
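--- a/server/models/Order.js
+++ b/server/models/Order.js
@@ -26,7 +26,7 @@ const OrderSchema = new mongoose.Schema({
 },
 userId: {
 type: mongoose.Schema.Types.ObjectId,
-required: false
+required: true
 },
 items: {
 type: [ItemSchema],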
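Review bot: Flipping `required` to `true` only affects validation on future saves; documents already stored without `userId` remain in the collection, still read back with `userId` undefined, and will fail validation the next time they are saved through this model. Either a backfill or clean-up of those documents should accompany this change, or the field should carry a comment recording the assumption, e.g. `// orders created before userId became required may lack this field until migrated`, so code that consumes `userId` knows to guard for it.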