author | Mateja <mail@matejamaric.com> | 2021-07-29 03:16:51 +0200 |
committer | Mateja <mail@matejamaric.com> | 2021-07-29 03:16:51 +0200 |
commit | aec70cba2579088d0f8a9cac2ba33030c5c17d22 (patch) | |
tree | a3741f85fe08992ddc312efe852970e8a16cfc23 /server | |
parent | 015d67cf738e4ad6d397824dc09a44d85d643b75 (diff) | |
Save and check user ID for every order.
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/transaction.js | 4 | ||||
-rw-r--r-- | server/models/Order.js | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/server/controllers/transaction.js b/server/controllers/transaction.js
index 5143c2d..356672b 100644
--- a/server/controllers/transaction.js
+++ b/server/controllers/transaction.js
@@ -10,6 +10,7 @@ module.exports = {
 let newOrderObj = {
 status: 'ordered',
 paypalOrderId: null,
+ userId: req.user._id,
 items: []
 };
 let transactionSetupData = {
@@ -107,6 +108,9 @@ module.exports = {
 if (!dbOrder)
 return res.status(400).json({status: "Couldn't find given order in database!"});
+ if (!dbOrder.userId.equals(req.user._id))
+ return res.sendStatus(403);
+
 const request = new paypal.orders.OrdersCaptureRequest(req.body.orderId);
 request.requestBody({});
diff --git a/server/models/Order.js b/server/models/Order.js
index a4b2508..8520abf 100644
--- a/server/models/Order.js
+++ b/server/models/Order.js
@@ -26,7 +26,7 @@ const OrderSchema = new mongoose.Schema({
 },
 userId: {
 type: mongoose.Schema.Types.ObjectId,
- required: false
+ required: true
 },
 items: {
 type: [ItemSchema],
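Review bot: The new ownership guard in the second transaction.js hunk dereferences `dbOrder.userId` unconditionally, so any order stored before this commit (when the schema still had `required: false`) has no `userId` and `.equals` throws a TypeError instead of yielding 403; guard the missing value as well, `if (!dbOrder.userId || !dbOrder.userId.equals(req.user._id))`. Answering 403 here also confirms to a caller that a guessed `req.body.orderId` exists, while the 400 branch just above says it does not; returning the same not-found response in both cases avoids turning the capture endpoint into an order-ID oracle for other users' orders. Both new lines, like `userId: req.user._id` in the first hunk, presume that authentication middleware has populated `req.user` before this handler runs, which the hunk does not show — worth a one-line comment such as `// req.user is set by the auth middleware on this route` so the dependency is explicit. The enclosing handler starts and ends outside the hunk.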
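Review bot: Flipping `userId` to `required: true` in Order.js makes every pre-existing order document that lacks a `userId` fail mongoose validation the next time it is saved, so a backfill (or an explicit decision to reject such orders) should accompany this schema change; the commit does not mention either. Since the field is now the ownership key the controller enforces, declaring the relation, `ref: 'User'`, next to the ObjectId type documents that intent and enables `populate` later. A short comment on the field, e.g. `// owner of the order; checked before PayPal capture`, would tell the next maintainer why it is mandatory. The schema definition starts and ends outside the hunk.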