Lỗi có thể di chuyển tù sharedlink sang public nhưng không có hotspot quay lại

2026-06-11 16:27:37 +07:00
parent be149f26ca
commit 0434837026
7 changed files with 1055 additions and 47 deletions
@@ -142,13 +142,29 @@ router.get('/:id', optionalAuth, async (req, res) => {
        const isAdmin = req.user && req.user.role === 'admin';
        const isTokenValid = tour.shareToken && (!tour.shareTokenExpires || new Date() < tour.shareTokenExpires);
        const userEmail = req.user ? req.user.email : null;
+        const token = req.query.token;
        
-        let hasAccess = tour.privacy === 'public' || isOwner || isAdmin ||
-            (tour.privacy === 'shared' && req.query.token === tour.shareToken && isTokenValid) ||
-            (tour.privacy === 'member' && req.user && req.user._id && (
-                tour.sharedWith.some(u => u.toString() === req.user._id.toString()) || 
-                (userEmail && tour.sharedEmails.includes(userEmail))
-            ));
+        // [Security] Check permissions based on tour privacy
+        let hasAccess = tour.privacy === 'public' || isOwner || isAdmin;
+        
+        // Shared link access - check token validity
+        if (!hasAccess && tour.privacy === 'shared' && token && isTokenValid) {
+            hasAccess = token === tour.shareToken;
+        }
+        
+        // Member access - check if user is in sharedWith or sharedEmails
+        if (!hasAccess && tour.privacy === 'member' && req.user && req.user._id && req.user.role !== 'guest') {
+            hasAccess = true;
+        }
+        
+        // Fallback for specific shared members
+        if (!hasAccess && tour.privacy === 'member' && req.user && req.user._id) {
+            hasAccess = tour.sharedWith.some(u => u.toString() === req.user._id.toString()) || 
+                        (userEmail && tour.sharedEmails.some(email => email.toLowerCase() === userEmail.toLowerCase()));
+        }
+        
+        // Private tours - only owner and admin
+        // (hasAccess already set above if owner/admin)

        if (!hasAccess) return res.status(403).json({ message: 'Bạn không có quyền truy cập Tour này.' });

@@ -159,16 +175,18 @@ router.get('/:id', optionalAuth, async (req, res) => {
 });

 // @route   GET /api/tours
-// @desc    Lấy danh sách Tour công khai hoặc của chính mình
+// @desc    Lấy danh sách Tour công khai, member, shared (với token), hoặc của chính mình
 // @access  Public/Private
 router.get('/', optionalAuth, async (req, res) => {
    try {
+        const { token } = req.query;
        let query = { privacy: 'public' };

        if (req.user && req.user.role !== 'guest') {
            query = {
                $or: [
                    { privacy: 'public' },
+                    { privacy: 'member' },
                    { createdBy: req.user._id },
                    { privacy: 'member', sharedWith: req.user._id },
                    { privacy: 'member', sharedEmails: req.user.email }
@@ -176,6 +194,24 @@ router.get('/', optionalAuth, async (req, res) => {
            };
        }

+        // [Task 4.1] Support shared tours via token for guests
+        if (token) {
+            const tourWithToken = await Tour.findOne({
+                shareToken: token,
+                privacy: 'shared',
+                $or: [{ shareTokenExpires: null }, { shareTokenExpires: { $gt: new Date() } }]
+            }).select('_id');
+            
+            if (tourWithToken) {
+                query = {
+                    $or: [
+                        query,
+                        { _id: tourWithToken._id }
+                    ]
+                };
+            }
+        }
+
        const tours = await Tour.find(query)
            .populate('createdBy', 'username')
            .populate({