aboutsummaryrefslogtreecommitdiff
path: root/server
diff options
context:
space:
mode:
authorMateja <mail@matejamaric.com>2021-07-29 03:16:51 +0200
committerMateja <mail@matejamaric.com>2021-07-29 03:16:51 +0200
commitaec70cba2579088d0f8a9cac2ba33030c5c17d22 (patch)
treea3741f85fe08992ddc312efe852970e8a16cfc23 /server
parent015d67cf738e4ad6d397824dc09a44d85d643b75 (diff)
downloadmevn-ecommerce-aec70cba2579088d0f8a9cac2ba33030c5c17d22.tar.gz
mevn-ecommerce-aec70cba2579088d0f8a9cac2ba33030c5c17d22.zip
Save and check user ID for every order.
Diffstat (limited to 'server')
-rw-r--r--server/controllers/transaction.js4
-rw-r--r--server/models/Order.js2
2 files changed, 5 insertions, 1 deletions
diff --git a/server/controllers/transaction.js b/server/controllers/transaction.js
index 5143c2d..356672b 100644
--- a/server/controllers/transaction.js
+++ b/server/controllers/transaction.js
@@ -10,6 +10,7 @@ module.exports = {
let newOrderObj = {
status: 'ordered',
paypalOrderId: null,
+ userId: req.user._id,
items: []
};
let transactionSetupData = {
@@ -107,6 +108,9 @@ module.exports = {
if (!dbOrder)
return res.status(400).json({status: "Couldn't find given order in database!"});
+ if (!dbOrder.userId.equals(req.user._id))
+ return res.sendStatus(403);
+
const request = new paypal.orders.OrdersCaptureRequest(req.body.orderId);
request.requestBody({});
diff --git a/server/models/Order.js b/server/models/Order.js
index a4b2508..8520abf 100644
--- a/server/models/Order.js
+++ b/server/models/Order.js
@@ -26,7 +26,7 @@ const OrderSchema = new mongoose.Schema({
},
userId: {
type: mongoose.Schema.Types.ObjectId,
- required: false
+ required: true
},
items: {
type: [ItemSchema],