Sử dụng antigravity cli để sửa lỗi người dùng public không nhìn thấy tour chia sẻ
This commit is contained in:
@@ -137,14 +137,15 @@ router.get('/:id', optionalAuth, async (req, res) => {
|
||||
|
||||
if (!tour) return res.status(404).json({ message: 'Tour không tồn tại.' });
|
||||
|
||||
const isOwner = req.user && tour.createdBy._id.toString() === req.user._id.toString();
|
||||
const tourCreatedById = tour.createdBy?._id || tour.createdBy;
|
||||
const isOwner = req.user && req.user._id && tourCreatedById && tourCreatedById.toString() === req.user._id.toString();
|
||||
const isAdmin = req.user && req.user.role === 'admin';
|
||||
const isTokenValid = tour.shareToken && (!tour.shareTokenExpires || new Date() < tour.shareTokenExpires);
|
||||
const userEmail = req.user ? req.user.email : null;
|
||||
|
||||
let hasAccess = tour.privacy === 'public' || isOwner || isAdmin ||
|
||||
(tour.privacy === 'shared' && req.query.token === tour.shareToken && isTokenValid) ||
|
||||
(tour.privacy === 'member' && req.user && (
|
||||
(tour.privacy === 'member' && req.user && req.user._id && (
|
||||
tour.sharedWith.some(u => u.toString() === req.user._id.toString()) ||
|
||||
(userEmail && tour.sharedEmails.includes(userEmail))
|
||||
));
|
||||
|
||||
@@ -64,6 +64,7 @@ router.get('/assets/view/:assetId', verifyReferer, optionalAuth, async (req, res
|
||||
|
||||
let hasAccess = isAdmin ||
|
||||
scene.privacy === 'public' ||
|
||||
(tour && tour.privacy === 'public') ||
|
||||
(scene.privacy === 'member' && userIdStr && (scene.sharedWith.some(id => id.toString() === userIdStr) || (userEmail && scene.sharedEmails.includes(userEmail)))) ||
|
||||
isOwner ||
|
||||
(scene.privacy === 'shared' && req.query.token === scene.shareToken && isSceneTokenValid) ||
|
||||
|
||||
@@ -111,10 +111,14 @@ router.get('/', optionalAuth, async (req, res) => {
|
||||
try {
|
||||
const { token } = req.query;
|
||||
|
||||
// [FIX] Lấy danh sách ID của các Tour đang ở chế độ công khai
|
||||
const publicTours = await Tour.find({ privacy: 'public' }).select('_id');
|
||||
const publicTourIds = publicTours.map(t => t._id);
|
||||
|
||||
// Quyền cơ bản: Công khai hoặc là chủ sở hữu/thành viên được chia sẻ
|
||||
let baseQuery = req.user && req.user.role !== 'guest'
|
||||
? { $or: [{ privacy: 'public' }, { createdBy: req.user._id }, { sharedWith: req.user._id }, { sharedEmails: req.user.email }] }
|
||||
: { privacy: 'public' };
|
||||
? { $or: [{ privacy: 'public' }, { tourId: { $in: publicTourIds } }, { createdBy: req.user._id }, { sharedWith: req.user._id }, { sharedEmails: req.user.email }] }
|
||||
: { $or: [{ privacy: 'public' }, { tourId: { $in: publicTourIds } }] };
|
||||
|
||||
let finalQuery = baseQuery;
|
||||
|
||||
@@ -130,7 +134,11 @@ router.get('/', optionalAuth, async (req, res) => {
|
||||
};
|
||||
}
|
||||
|
||||
const scenes = await Scene.find(finalQuery).populate('createdBy', 'username').lean();
|
||||
console.log(`[SceneRoutes] GET /api/scenes - Final Query for user ${req.user?._id || 'Guest'}:`, JSON.stringify(finalQuery));
|
||||
const scenes = await Scene.find(finalQuery)
|
||||
.populate('createdBy', 'username')
|
||||
.populate('tourId') // Nạp thông tin Tour để Frontend nhận diện
|
||||
.lean();
|
||||
res.json(scenes);
|
||||
} catch (error) {
|
||||
res.status(500).json({ message: error.message });
|
||||
@@ -150,7 +158,7 @@ router.get('/:id', optionalAuth, async (req, res) => {
|
||||
const tour = scene.tourId; // tourId is populated
|
||||
if (!tour) return res.status(404).json({ message: 'Tour liên kết không tồn tại.' });
|
||||
|
||||
const isOwner = req.user && tour.createdBy?.toString() === req.user._id.toString();
|
||||
const isOwner = req.user && req.user._id && tour.createdBy?.toString() === req.user._id.toString();
|
||||
const isAdmin = req.user && req.user.role === 'admin';
|
||||
|
||||
const isSceneTokenValid = scene.shareToken && (!scene.shareTokenExpires || new Date() < scene.shareTokenExpires);
|
||||
@@ -160,7 +168,7 @@ router.get('/:id', optionalAuth, async (req, res) => {
|
||||
let hasAccess = tour.privacy === 'public' || isOwner || isAdmin ||
|
||||
(scene.privacy === 'shared' && req.query.token === scene.shareToken && isSceneTokenValid) || // Access via scene's token
|
||||
(tour.privacy === 'shared' && req.query.token === tour.shareToken && isTourTokenValid) || // Access via tour's token
|
||||
(tour.privacy === 'member' && req.user && ( // Access for members
|
||||
(tour.privacy === 'member' && req.user && req.user._id && ( // Access for members
|
||||
tour.sharedWith.some(u => u.toString() === req.user._id.toString()) ||
|
||||
(userEmail && tour.sharedEmails.includes(userEmail))
|
||||
));
|
||||
|
||||
@@ -35,6 +35,8 @@ describe('TourController - updateTourCenter', () => {
|
||||
// Trung bình: lat (10+20+30)/3 = 20, lng (20+40+60)/3 = 40
|
||||
expect(Tour.findByIdAndUpdate).toHaveBeenCalledWith(tourId, {
|
||||
location: { lat: 20.0, lng: 40.0 }
|
||||
}, {
|
||||
returnDocument: 'after'
|
||||
});
|
||||
});
|
||||
|
||||
@@ -56,6 +58,8 @@ describe('TourController - updateTourCenter', () => {
|
||||
// Chỉ tính 2 cảnh hợp lệ: lat (10+20)/2 = 15, lng (20+40)/2 = 30
|
||||
expect(Tour.findByIdAndUpdate).toHaveBeenCalledWith(tourId, {
|
||||
location: { lat: 15.0, lng: 30.0 }
|
||||
}, {
|
||||
returnDocument: 'after'
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user