From 4c818d511b88a860b1c68e25609fc15ba9876f24 Mon Sep 17 00:00:00 2001 From: Potenz Date: Thu, 28 Aug 2025 22:39:54 +0530 Subject: [PATCH] routes fixed - user based fixed done --- apps/Backend/src/routes/appointments.ts | 28 ------------------------- apps/Backend/src/routes/claims.ts | 8 ------- apps/Backend/src/routes/patients.ts | 24 ++++----------------- readmeForMigration.txt | 5 ----- 4 files changed, 4 insertions(+), 61 deletions(-) delete mode 100644 readmeForMigration.txt diff --git a/apps/Backend/src/routes/appointments.ts b/apps/Backend/src/routes/appointments.ts index b3d4ead..f910f44 100644 --- a/apps/Backend/src/routes/appointments.ts +++ b/apps/Backend/src/routes/appointments.ts @@ -41,11 +41,6 @@ router.get( return res.status(404).json({ message: "Appointment not found" }); } - // Ensure the appointment belongs to the logged-in user - if (appointment.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - res.json(appointment); } catch (error) { res.status(500).json({ message: "Failed to retrieve appointment" }); @@ -71,8 +66,6 @@ router.get( const patient = await storage.getPatient(patientId); if (!patient) return res.status(404).json({ message: "Patient not found" }); - if (patient.userId !== req.user!.id) - return res.status(403).json({ message: "Forbidden" }); const appointments = await storage.getAppointmentsByPatientId(patientId); res.json(appointments); @@ -132,7 +125,6 @@ router.post( userId: req.user!.id, }); - const userId = req.user!.id; const originalStartTime = appointmentData.startTime; const MAX_END_TIME = "18:30"; @@ -142,12 +134,6 @@ router.post( return res.status(404).json({ message: "Patient not found" }); } - if (patient.userId !== userId) { - return res.status(403).json({ - message: "Forbidden, You are not the user who created this patient.", - }); - } - // 2. Attempt to find the next available slot let [hour, minute] = originalStartTime.split(":").map(Number); 
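Review bot: With the `appointment.userId !== req.user!.id` guard deleted in the `@@ -41,11 +41,6 @@` hunk, GET /:id returns any appointment to any authenticated caller, and nothing on the new side replaces it — no role check, no owner-scoped lookup. That is a broken object-level authorization (IDOR) on what appear to be patient records, and the surviving 404 still tells the caller which ids exist. If authorization is meant to move elsewhere, that replacement has to land in the same change; until it does, keep `if (appointment.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` or make `storage.getAppointment` take the caller's id so foreign ids simply 404. The enclosing handler starts and ends outside the hunk.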
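Review bot: In the `@@ -71,8 +66,6 @@` hunk, dropping the `patient.userId` comparison lets any logged-in user list every appointment for an arbitrary patientId, because `storage.getAppointmentsByPatientId(patientId)` is not filtered by caller. Restore `if (patient.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` after the patient lookup, or pass `req.user!.id` into the storage query and let it return nothing for patients the caller does not own. The handler's signature and closing lie outside the hunk.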
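Review bot: In the `@@ -142,12 +134,6 @@` hunk the POST handler can now attach an appointment to a patient owned by a different user: the patient-ownership check is removed while the earlier hunk still stamps `appointmentData` with `userId: req.user!.id`, so the stored row's owner and the patient's owner can disagree. Unless a role or tenant check exists in middleware (not visible in this diff), keep `if (patient.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` before the slot search begins. The handler continues past the end of the hunk.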
@@ -262,8 +248,6 @@ router.put( userId: req.user!.id, }); - const userId = req.user!.id; - const appointmentIdParam = req.params.id; if (!appointmentIdParam) { return res.status(400).json({ message: "Appointment ID is required" }); @@ -276,24 +260,12 @@ router.put( return res.status(404).json({ message: "Patient not found" }); } - if (patient.userId !== userId) { - return res.status(403).json({ - message: "Forbidden, You are not the user who created this patient.", - }); - } - // 2. Check if appointment exists and belongs to user const existingAppointment = await storage.getAppointment(appointmentId); if (!existingAppointment) { console.log("Appointment not found:", appointmentId); return res.status(404).json({ message: "Appointment not found" }); } - if (existingAppointment.userId !== req.user!.id) { - return res.status(403).json({ - message: - "Forbidden, You are not the user who created this appointment.", - }); - } // 4. Reject patientId change (not allowed) if ( diff --git a/apps/Backend/src/routes/claims.ts b/apps/Backend/src/routes/claims.ts index 5090259..cb2e69e 100644 --- a/apps/Backend/src/routes/claims.ts +++ b/apps/Backend/src/routes/claims.ts @@ -237,10 +237,6 @@ router.get("/:id", async (req: Request, res: Response): Promise => { return res.status(404).json({ message: "Claim not found" }); } - if (claim.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - res.json(claim); } catch (error) { res.status(500).json({ message: "Failed to retrieve claim" }); @@ -334,10 +330,6 @@ router.put("/:id", async (req: Request, res: Response): Promise => { return res.status(404).json({ message: "Claim not found" }); } - if (existingClaim.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - const claimData = updateClaimSchema.parse(req.body); const updatedClaim = await storage.updateClaim(claimId, claimData); res.json(updatedClaim); 
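Review bot: The comment `// 2. Check if appointment exists and belongs to user` in the `@@ -276,24 +260,12 @@` hunk is now stale — the hunk deletes the belongs-to-user half and the patient-ownership check just above it, so any authenticated user can PUT to any appointment id. The later "Reject patientId change" step does not compensate, since a caller who keeps the original patientId passes it. Either restore `if (existingAppointment.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` (and the patient check) or, if authorization has moved to middleware, change the comment to `// 2. Check if appointment exists (ownership enforced by <middleware>)` so the next reader is not misled. The PUT handler starts and ends outside the hunk.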
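Review bot: In the claims `@@ -237,10 +237,6 @@` hunk, removing the `claim.userId !== req.user!.id` guard exposes every claim to every authenticated user via GET /:id, and the remaining 404 lets existing ids be enumerated. Claims are presumably insurance or billing records, so this reads as a data-exposure regression rather than a cleanup; restore the 403 branch or make `storage.getClaim` scope the lookup to the caller. The handler's return type annotation `Promise` without a type argument in the hunk header also looks truncated — confirm it is `Promise<void>` in the file. Handler boundaries lie outside the hunk.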
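Review bot: In the claims `@@ -334,10 +330,6 @@` hunk the PUT handler now lets any authenticated user overwrite another user's claim: ownership is removed and `updateClaimSchema.parse(req.body)` validates the payload's shape, not who may write it. Restore `if (existingClaim.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` between the existence check and the parse, or have `storage.updateClaim` take the owner id and refuse mismatches. The handler starts and ends outside the hunk.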
diff --git a/apps/Backend/src/routes/patients.ts b/apps/Backend/src/routes/patients.ts index bfc5be9..528d382 100644 --- a/apps/Backend/src/routes/patients.ts +++ b/apps/Backend/src/routes/patients.ts @@ -150,12 +150,6 @@ router.get( if (!patient) { return res.status(404).json({ message: "Patient not found" }); } - - // Ensure the patient belongs to the logged-in user - if (patient.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - res.json(patient); } catch (error) { res.status(500).json({ message: "Failed to retrieve patient" }); @@ -220,10 +214,6 @@ router.put( return res.status(404).json({ message: "Patient not found" }); } - if (existingPatient.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - // Validate request body const patientData = updatePatientSchema.parse(req.body); @@ -282,12 +272,10 @@ router.delete( } if (existingPatient.userId !== req.user!.id) { - return res - .status(403) - .json({ - message: - "Forbidden: Patient belongs to a different user, you can't delete this.", - }); + return res.status(403).json({ + message: + "Forbidden: Patient belongs to a different user, you can't delete this.", + }); } // Delete patient @@ -320,10 +308,6 @@ router.get( return res.status(404).json({ message: "Patient not found" }); } - if (patient.userId !== req.user!.id) { - return res.status(403).json({ message: "Forbidden" }); - } - const appointments = await storage.getAppointmentsByPatientId(patientId); res.json(appointments); } catch (error) { diff --git a/readmeForMigration.txt b/readmeForMigration.txt deleted file mode 100644 index d3466e2..0000000 --- a/readmeForMigration.txt +++ /dev/null @@ -1,5 +0,0 @@ -for staff model migration: - -after npm run db migrate, - -either by sql or manually add userid to each row of staff model. \ No newline at end of file
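Review bot: In the `@@ -150,12 +150,6 @@` hunk GET /:id now returns any patient record to any authenticated caller; the removed `patient.userId !== req.user!.id` guard was the only object-level authorization visible in this handler and nothing in the diff replaces it. Patient records are sensitive by default, so restore the 403 branch or filter by owner inside `storage.getPatient`, and consider returning 404 for foreign ids to avoid confirming their existence. The handler's signature and closing are outside the hunk.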
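Review bot: The `@@ -220,10 +214,6 @@` hunk drops the ownership check from PUT /:id while the DELETE handler in the next hunk keeps `if (existingPatient.userId !== req.user!.id) { return res.status(403)… }`, leaving the file internally inconsistent — a user may now modify a patient they are still forbidden to delete. Either both routes rely on a replacement authorization model (none is visible here) or both keep the guard; restore `if (existingPatient.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` before `updatePatientSchema.parse(req.body)`. The PUT handler starts and ends outside the hunk.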
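Review bot: In the `@@ -320,10 +308,6 @@` hunk the patient-appointments route loses its owner guard as well, so `storage.getAppointmentsByPatientId(patientId)` is reachable for any patient id by any authenticated user. The deleted readmeForMigration.txt mentions a staff model and adding a userid to each staff row, which hints that authorization is meant to move to a staff/role basis — if so, that replacement should land before these checks are removed, not after, since this commit ships with no authorization at all on these routes. Until then keep `if (patient.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` after the patient lookup. Handler boundaries lie outside the hunk.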