From aec70cba2579088d0f8a9cac2ba33030c5c17d22 Mon Sep 17 00:00:00 2001
From: Mateja
Date: Thu, 29 Jul 2021 03:16:51 +0200
Subject: Save and check user ID for every order.
---
 server/controllers/transaction.js | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'server/controllers')
diff --git a/server/controllers/transaction.js b/server/controllers/transaction.js
index 5143c2d..356672b 100644
--- a/server/controllers/transaction.js
+++ b/server/controllers/transaction.js
@@ -10,6 +10,7 @@ module.exports = {
 let newOrderObj = {
 status: 'ordered',
 paypalOrderId: null,
+ userId: req.user._id,
 items: []
 };
 let transactionSetupData = {
@@ -107,6 +108,9 @@ module.exports = {
 if (!dbOrder) return res.status(400).json({status: "Couldn't find given order in database!"});
+ if (!dbOrder.userId.equals(req.user._id))
+ return res.sendStatus(403);
+
 const request = new paypal.orders.OrdersCaptureRequest(req.body.orderId);
 request.requestBody({});
-- 
cgit v1.2.3
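Review bot: `userId: req.user._id` in the first hunk is only persisted if the order model accepts that field, and this commit changes `server/controllers/transaction.js` alone. If orders are saved through a schema-enforcing ODM (the `_id`/`.equals` usage suggests one, but the model is not visible here), an undeclared `userId` may be dropped on save, leaving the ownership check in the second hunk nothing to compare against. Confirm that the order schema declares `userId` as a required ObjectId and that this handler always runs behind the authentication middleware, since `req.user._id` is read without a guard. The enclosing handler starts and ends outside the hunk.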
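Review bot: The ownership check in the second hunk dereferences `dbOrder.userId` without testing that it exists, so any order stored before this commit (no `userId`) makes `.equals` throw instead of producing a 403. Failing closed is safer: `if (!dbOrder.userId || !dbOrder.userId.equals(req.user._id)) return res.sendStatus(403);`. The distinct 400 "couldn't find" and 403 responses also tell a caller whether a given order ID exists; returning the same status for both, or looking the order up by order ID and user ID together, removes that signal. The handler's body continues outside the hunk, so it cannot be seen here whether a surrounding try/catch would turn the throw into an error response.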