Lỗi có thể di chuyển tù sharedlink sang public nhưng không có hotspot quay lại
This commit is contained in:
@@ -142,13 +142,29 @@ router.get('/:id', optionalAuth, async (req, res) => {
|
||||
const isAdmin = req.user && req.user.role === 'admin';
|
||||
const isTokenValid = tour.shareToken && (!tour.shareTokenExpires || new Date() < tour.shareTokenExpires);
|
||||
const userEmail = req.user ? req.user.email : null;
|
||||
const token = req.query.token;
|
||||
|
||||
let hasAccess = tour.privacy === 'public' || isOwner || isAdmin ||
|
||||
(tour.privacy === 'shared' && req.query.token === tour.shareToken && isTokenValid) ||
|
||||
(tour.privacy === 'member' && req.user && req.user._id && (
|
||||
tour.sharedWith.some(u => u.toString() === req.user._id.toString()) ||
|
||||
(userEmail && tour.sharedEmails.includes(userEmail))
|
||||
));
|
||||
// [Security] Check permissions based on tour privacy
|
||||
let hasAccess = tour.privacy === 'public' || isOwner || isAdmin;
|
||||
|
||||
// Shared link access - check token validity
|
||||
if (!hasAccess && tour.privacy === 'shared' && token && isTokenValid) {
|
||||
hasAccess = token === tour.shareToken;
|
||||
}
|
||||
|
||||
// Member access - check if user is in sharedWith or sharedEmails
|
||||
if (!hasAccess && tour.privacy === 'member' && req.user && req.user._id && req.user.role !== 'guest') {
|
||||
hasAccess = true;
|
||||
}
|
||||
|
||||
// Fallback for specific shared members
|
||||
if (!hasAccess && tour.privacy === 'member' && req.user && req.user._id) {
|
||||
hasAccess = tour.sharedWith.some(u => u.toString() === req.user._id.toString()) ||
|
||||
(userEmail && tour.sharedEmails.some(email => email.toLowerCase() === userEmail.toLowerCase()));
|
||||
}
|
||||
|
||||
// Private tours - only owner and admin
|
||||
// (hasAccess already set above if owner/admin)
|
||||
|
||||
if (!hasAccess) return res.status(403).json({ message: 'Bạn không có quyền truy cập Tour này.' });
|
||||
|
||||
@@ -159,16 +175,18 @@ router.get('/:id', optionalAuth, async (req, res) => {
|
||||
});
|
||||
|
||||
// @route GET /api/tours
|
||||
// @desc Lấy danh sách Tour công khai hoặc của chính mình
|
||||
// @desc Lấy danh sách Tour công khai, member, shared (với token), hoặc của chính mình
|
||||
// @access Public/Private
|
||||
router.get('/', optionalAuth, async (req, res) => {
|
||||
try {
|
||||
const { token } = req.query;
|
||||
let query = { privacy: 'public' };
|
||||
|
||||
if (req.user && req.user.role !== 'guest') {
|
||||
query = {
|
||||
$or: [
|
||||
{ privacy: 'public' },
|
||||
{ privacy: 'member' },
|
||||
{ createdBy: req.user._id },
|
||||
{ privacy: 'member', sharedWith: req.user._id },
|
||||
{ privacy: 'member', sharedEmails: req.user.email }
|
||||
@@ -176,6 +194,24 @@ router.get('/', optionalAuth, async (req, res) => {
|
||||
};
|
||||
}
|
||||
|
||||
// [Task 4.1] Support shared tours via token for guests
|
||||
if (token) {
|
||||
const tourWithToken = await Tour.findOne({
|
||||
shareToken: token,
|
||||
privacy: 'shared',
|
||||
$or: [{ shareTokenExpires: null }, { shareTokenExpires: { $gt: new Date() } }]
|
||||
}).select('_id');
|
||||
|
||||
if (tourWithToken) {
|
||||
query = {
|
||||
$or: [
|
||||
query,
|
||||
{ _id: tourWithToken._id }
|
||||
]
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
const tours = await Tour.find(query)
|
||||
.populate('createdBy', 'username')
|
||||
.populate({
|
||||
|
||||
Reference in New Issue
Block a user