Maxim Dolgolyov
840bb823b9
- courses: requireOwnership(created_by) на PUT/DELETE/duplicate/publish-all и все мутации секций — учитель больше не может править/удалять чужой курс. - lessonController.create: проверка владения курсом перед вставкой урока. - assign/unassign курса классу: проверка владения классом (_ownsClass). - materials.share по userId: получатель должен быть учеником учителя (класс или teacher_students), иначе 403. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
39 lines
2.2 KiB
JavaScript
39 lines
2.2 KiB
JavaScript
const express = require('express');
|
|
const router = express.Router();
|
|
const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
|
|
const { requireOwnership } = require('../middleware/ownership');
|
|
const c = require('../controllers/courseController');
|
|
|
|
// Владение курсом по :id (created_by). Закрывает IDOR на правки/удаление/секции.
|
|
const ownCourse = requireOwnership({ table: 'courses', ownerField: 'created_by' });
|
|
|
|
router.use(authMiddleware);
|
|
|
|
// Course listing & special
|
|
router.get('/', c.list);
|
|
router.get('/search', c.search);
|
|
router.get('/continue', c.continueLesson);
|
|
router.get('/:id', c.get);
|
|
router.get('/:id/stats', requireRole('teacher','admin'), c.stats);
|
|
router.get('/:id/analytics', requireRole('teacher','admin'), c.analytics);
|
|
|
|
// Course mutations
|
|
router.post('/', requireRole('teacher','admin'), requirePermission('courses.manage'), c.create);
|
|
router.post('/:id/duplicate', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.duplicate);
|
|
router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.publishAll);
|
|
router.put('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.update);
|
|
router.delete('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.remove);
|
|
|
|
// Sections (владение родительским курсом по :id)
|
|
router.get('/:id/sections', requireRole('teacher','admin'), c.listSections);
|
|
router.post('/:id/sections', requireRole('teacher','admin'), ownCourse, c.createSection);
|
|
router.put('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.updateSection);
|
|
router.delete('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.deleteSection);
|
|
|
|
// Class courses
|
|
router.get('/class/:classId', c.listClassCourses);
|
|
router.post('/class/:classId/assign', requireRole('teacher','admin'), c.assignCourseToClass);
|
|
router.delete('/class/:classId/:courseId', requireRole('teacher','admin'), c.unassignCourseFromClass);
|
|
|
|
module.exports = router;
|