You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In src/trpc/rotuer/todo.ts these procedures only checks if the user is authenticated but does not check if the task it wants to mutate belongs to him.
This allows any logged in user to see every other users tasks by modifying trpc requests and trying different task id's.
I just started learning trpc and prisma and this really confused me. The getTasks and createTask function does use ctx.session.user.id but these do not
getSingleTask: authedProcedure.input(getSingleTaskSchema).query(({ ctx, input })=>{// Used findFirst because findUnique doesn't allow userID?? I don't know whyreturnctx.prisma.task.findFirst({where: {id: input.taskId,// Check for userIDuserId: ctx.session.user.id,},});}),updateTask: authedProcedure.input(updateTaskSchema).mutation(async({ ctx, input })=>{// Check if THIS user actually has the taskif(!(awaitctx.prisma.task.findFirst({where: {id: input.taskId,userId: ctx.session.user.id,},})))thrownewError("Task not found");consttask=awaitctx.prisma.task.update({where: {id: input.taskId,},data: {title: input.title,body: input.body,},});returntask;}),deleteTask: authedProcedure.input(deleteTaskSchema).mutation(async({ ctx, input })=>{// Same as aboveif(!(awaitctx.prisma.task.findFirst({where: {id: input.taskId,userId: ctx.session.user.id,},})))thrownewError("Task not found");awaitctx.prisma.task.delete({where: {id: input.taskId,},});}),
Diff
diff --git a/src/server/trpc/router/todo.ts b/src/server/trpc/router/todo.ts
index e8a4aaa..8b7f60c 100644
--- a/src/server/trpc/router/todo.ts+++ b/src/server/trpc/router/todo.ts@@ -35,15 +35,28 @@ export const todoRouter = t.router({
getSingleTask: authedProcedure
.input(getSingleTaskSchema)
.query(({ ctx, input }) => {
- return ctx.prisma.task.findUnique({+ // Used findFirst because findUnique doesn't allow userID?? I don't know why+ return ctx.prisma.task.findFirst({
where: {
id: input.taskId,
+ // Check for userID+ userId: ctx.session.user.id,
},
});
}),
updateTask: authedProcedure
.input(updateTaskSchema)
.mutation(async ({ ctx, input }) => {
+ // Check if THIS user actually has the task+ if (+ !(await ctx.prisma.task.findFirst({+ where: {+ id: input.taskId,+ userId: ctx.session.user.id,+ },+ }))+ )+ throw new Error("Task not found");
const task = await ctx.prisma.task.update({
where: {
id: input.taskId,
@@ -58,6 +71,16 @@ export const todoRouter = t.router({
deleteTask: authedProcedure
.input(deleteTaskSchema)
.mutation(async ({ ctx, input }) => {
+ // Same as above+ if (+ !(await ctx.prisma.task.findFirst({+ where: {+ id: input.taskId,+ userId: ctx.session.user.id,+ },+ }))+ )+ throw new Error("Task not found");
await ctx.prisma.task.delete({
where: {
id: input.taskId,
The text was updated successfully, but these errors were encountered:
In
src/trpc/rotuer/todo.tsthese procedures only checks if the user is authenticated but does not check if the task it wants to mutate belongs to him.This allows any logged in user to see every other users tasks by modifying trpc requests and trying different task id's.
I just started learning trpc and prisma and this really confused me. The getTasks and createTask function does use
ctx.session.user.idbut these do notThe fixed code
Diff
The text was updated successfully, but these errors were encountered: