From ec87a77dd2b9b59a622094528689c8afc14f7003 Mon Sep 17 00:00:00 2001
From: matt
Date: Fri, 4 Mar 2022 22:39:56 +0000
Subject: [PATCH] Added Class.hasAccess to validate user input and add security

---
 lib/Class.js | 8 ++++++++
 routes/class.js | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/lib/Class.js b/lib/Class.js
index 7f11d84..69f6124 100644
--- a/lib/Class.js
+++ b/lib/Class.js
@@ -196,6 +196,14 @@ class Class {
 return await Promise.all(testObjects);
 }
 
+ async hasAccess(u) {
+ const userClasses = await u.getClasses();
+
+ return userClasses.filter(c => {
+ return c.id === this.id;
+ }).length;
+ }
+
 addTeacher() {
 
 }
diff --git a/routes/class.js b/routes/class.js
index b4d3456..7a47450 100644
--- a/routes/class.js
+++ b/routes/class.js
@@ -31,6 +31,9 @@ router.get('/class/:id', async (req, res) => {
 });
 }
 
+ if (!await c.hasAccess(await new User(null, req.session.userId)))
+ return res.redirect('/admin/classes');
+
 const linkRoot = `/class/${c.id}`;
 
 return res.render('class', {
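Review bot: `hasAccess` in lib/Class.js returns the match count from `.filter(...).length` rather than a boolean, so callers receive `0` or `1` and any later strict comparison such as `=== true` would always deny. `return userClasses.some(c => c.id === this.id);` states the membership test directly and stops at the first match. The strict `===` also means a string id on one side and a numeric id on the other never matches; that fails closed, but it deserves a comment if the two ids can come from different sources. A one-line JSDoc such as `/** Resolves true when user u belongs to this class; u must expose getClasses(). */` would record the contract. The enclosing `Class` body starts and ends outside the hunk.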
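Review bot: The access check added in routes/class.js guards only this `GET /class/:id` handler, so any other route that loads a class by id (the pages built from `linkRoot`, if they are defined outside this hunk) would still need its own check. A shared middleware or a `router.param('id', ...)` hook that loads the class and calls `hasAccess` once would keep the rule from being skipped on a new route. `req.session.userId` is passed to `User` with no visible test that a session exists, so confirm that an earlier guard rejects unauthenticated requests before this line is reached. Putting the user on its own line, `const user = await new User(null, req.session.userId);`, and bracing the `if` would make the deny path easier to audit. The handler body starts and ends outside the hunk.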