From aec70cba2579088d0f8a9cac2ba33030c5c17d22 Mon Sep 17 00:00:00 2001 From: Mateja Date: Thu, 29 Jul 2021 03:16:51 +0200 Subject: Save and check user ID for every order. --- server/controllers/transaction.js | 4 ++++ server/models/Order.js | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'server') diff --git a/server/controllers/transaction.js b/server/controllers/transaction.js index 5143c2d..356672b 100644 --- a/server/controllers/transaction.js +++ b/server/controllers/transaction.js @@ -10,6 +10,7 @@ module.exports = { let newOrderObj = { status: 'ordered', paypalOrderId: null, + userId: req.user._id, items: [] }; let transactionSetupData = { @@ -107,6 +108,9 @@ module.exports = { if (!dbOrder) return res.status(400).json({status: "Couldn't find given order in database!"}); + if (!dbOrder.userId.equals(req.user._id)) + return res.sendStatus(403); + const request = new paypal.orders.OrdersCaptureRequest(req.body.orderId); request.requestBody({}); diff --git a/server/models/Order.js b/server/models/Order.js index a4b2508..8520abf 100644 --- a/server/models/Order.js +++ b/server/models/Order.js @@ -26,7 +26,7 @@ const OrderSchema = new mongoose.Schema({ }, userId: { type: mongoose.Schema.Types.ObjectId, - required: false + required: true }, items: { type: [ItemSchema], -- cgit v1.2.3