
chore: add security check to see if the accounts belong to user

pull/2455/head
Dhoni77 2 years ago
parent
commit
a3de7b670b
  1. 17
      apps/api/src/app/account/account.controller.ts

17
apps/api/src/app/account/account.controller.ts

@ -170,12 +170,27 @@ export class AccountController {
); );
} }
const currentAccountIds = (
await this.accountService.getAccounts(this.request.user.id)
).map((account) => account.id);
if (
![accountIdFrom, accountIdTo].every((id) =>
currentAccountIds.includes(id)
)
) {
throw new HttpException(
getReasonPhrase(StatusCodes.NOT_FOUND),
StatusCodes.NOT_FOUND
);
}
const today = resetHours(new Date()); const today = resetHours(new Date());
const userCurrency = this.request.user.Settings.settings.baseCurrency; const userCurrency = this.request.user.Settings.settings.baseCurrency;
await this.accountService.updateAccountBalance({ await this.accountService.updateAccountBalance({
accountId: accountIdFrom, accountId: accountIdFrom,
amount: balance, amount: -balance,
currency: userCurrency, currency: userCurrency,
date: today, date: today,
userId: this.request.user.id userId: this.request.user.id
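Review bot: The new ownership check on `accountIdFrom`/`accountIdTo` is placed after an earlier block that closes just above it with `); }`, so whatever that block validates runs before the caller is known to own either account. That block is outside the hunk, but if it looks the accounts up by id, its error responses could differ for accounts that belong to other users; moving the `currentAccountIds` check to the top of the handler would keep every lookup behind authorization. The choice of `StatusCodes.NOT_FOUND` deserves a one-line comment above the `if`, e.g. `// 404 rather than 403 so foreign account ids are indistinguishable from missing ones`. The handler's body starts and ends outside the hunk.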
