Merge pull request #127 from frankhereford/query-on-userId

Query-on-userId

Author: frankhereford

src/server/trpc/router/availablePenta.ts

@@ -52,6 +52,7 @@ export const availablePentaRouter = router({
 
     }),
 
+
   count: publicProcedure.query(async ({ ctx }) => {
     const pentas = await ctx.prisma.availablePenta.findMany();
     return pentas.length

src/server/trpc/router/block.ts

@@ -1,33 +1,25 @@
-import { router, publicProcedure, protectedProcedure } from "../trpc";
+import { router, protectedProcedure } from "../trpc";
 import { z } from "zod";
 
+import { isBlockOwner } from "../../../utils/database";
+
 export const blockRouter = router({
-  list: protectedProcedure.query(async ({ ctx, input }) => {
-    return await ctx.prisma.block.findMany({ // this should filter on user id - any many other places!
-      include: {
-        piece: {
-          include: {
-            color: true
-          }
-        }
-      }
-    });
-  }),
-
-  get: protectedProcedure
-    .input(z.object({ id: z.string() }))
-    .query(async ({ ctx, input }) => {
-      const block = await ctx.prisma.block.findUnique({
-        where: {
-          id: input.id
-        }
-      });
-      return block;
-    }),
 
   set_rotation: protectedProcedure
     .input(z.object({ id: z.string(), clockwise: z.number() }))
     .mutation(async ({ ctx, input }) => {
+
+      const blockOriginal = await ctx.prisma.block.findUnique({
+        where: {
+          id: input.id
+        },
+        include: {
+          penta: true
+        } 
+      })
+
+      if (!isBlockOwner(blockOriginal, ctx.session.user.id)) { return false }
+
       const block = await ctx.prisma.block.update({
         where: {
           id: input.id
@@ -44,6 +36,18 @@ export const blockRouter = router({
   set_reflection: protectedProcedure
     .input(z.object({ id: z.string(), reflection: z.boolean() }))
     .mutation(async ({ ctx, input }) => {
+      
+      const blockOriginal = await ctx.prisma.block.findUnique({
+        where: {
+          id: input.id
+        },
+        include: {
+          penta: true
+        }
+      })
+
+      if (!isBlockOwner(blockOriginal, ctx.session.user.id)) { return false }
+
       const block = await ctx.prisma.block.update({
         where: {
           id: input.id
@@ -58,6 +62,18 @@ export const blockRouter = router({
   set_translation: protectedProcedure
     .input(z.object({ id: z.string(), translation: z.any() }))
     .mutation(async ({ ctx, input }) => {
+      
+      const blockOriginal = await ctx.prisma.block.findUnique({
+        where: {
+          id: input.id
+        },
+        include: {
+          penta: true
+        }
+      })
+
+      if (!isBlockOwner(blockOriginal, ctx.session.user.id)) { return false }
+
       const block = await ctx.prisma.block.update({
         where: {
           id: input.id
@@ -72,6 +88,18 @@ export const blockRouter = router({
   set_visibility: protectedProcedure
     .input(z.object({ id: z.string(), visible: z.boolean() }))
     .mutation(async ({ ctx, input }) => {
+      
+      const blockOriginal = await ctx.prisma.block.findUnique({
+        where: {
+          id: input.id
+        },
+        include: {
+          penta: true
+        }
+      })
+
+      if (!isBlockOwner(blockOriginal, ctx.session.user.id)) { return false }
+
       const block = await ctx.prisma.block.update({
         where: {
           id: input.id

src/server/trpc/router/color.ts

@@ -1,17 +1,15 @@
-import { Color } from '@prisma/client'
+import { type Color } from '@prisma/client'
 import { router, publicProcedure } from "../trpc";
 
 export const colorRouter = router({
 
   randomColor: publicProcedure
-    //.input(z.object({ text: z.string().nullish() }).nullish())
     .query(async ({ ctx }) => {
       const randomColors = await ctx.prisma.$queryRaw<Color[]>`SELECT * FROM colors order by random() limit 1;`
       return randomColors[0]
     }),
 
   getColorLookup: publicProcedure
-    //.input(z.object({ text: z.string().nullish() }).nullish())
     .query(async ({ ctx }) => {
       const colors = await ctx.prisma.color.findMany()
 

src/server/trpc/router/penta.ts

@@ -1,15 +1,25 @@
 import { z } from "zod";
 import { router, protectedProcedure } from "../trpc";
+import { isPentaOwner } from "../../../utils/database";
 
 export const pentaRouter = router({
 
   setComplete: protectedProcedure
     .input(z.object({ id: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      const penta = await ctx.prisma.penta.update({
+      
+      const pentaOriginal = await ctx.prisma.penta.findUnique({
         where: {
           id: input.id
         },
+      })
+
+      if (!isPentaOwner(pentaOriginal, ctx.session.user.id)) { return false }
+
+      const penta = await ctx.prisma.penta.update({
+        where: {
+          id: input.id,
+        },
         data: {
           completed: true
         }
@@ -25,7 +35,8 @@ export const pentaRouter = router({
           availablePenta: true
         },
         where: {
-          completed: true
+          completed: true,
+          userId: ctx.session.user.id
         }
       });
       return pentas.map((penta) => penta.availablePenta.id) || []

src/server/trpc/router/piece.ts

@@ -4,7 +4,6 @@ import { router, publicProcedure } from "../trpc";
 export const pieceRouter = router({
 
   randomPiece: publicProcedure
-    //.input(z.object({ text: z.string().nullish() }).nullish())
     .query(async ({ ctx }) => {
       const pieces = await ctx.prisma.piece.findMany({ include: { color: true } })
       // select a random piece from pieces array

src/utils/database.ts

@@ -0,0 +1,8 @@
+
+export function isBlockOwner(block: any, userId: string) {
+  return block.penta.userId === userId;
+}
+
+export function isPentaOwner(penta: any, userId: string) {
+  return penta.userId === userId;
+}