routes fixed - user based fixed done

This commit is contained in:
2025-08-28 22:39:54 +05:30
parent 848e4362e5
commit 4c818d511b
4 changed files with 4 additions and 61 deletions


@@ -41,11 +41,6 @@ router.get(
return res.status(404).json({ message: "Appointment not found" }); return res.status(404).json({ message: "Appointment not found" });
} }
// Ensure the appointment belongs to the logged-in user
if (appointment.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
res.json(appointment); res.json(appointment);
} catch (error) { } catch (error) {
res.status(500).json({ message: "Failed to retrieve appointment" }); res.status(500).json({ message: "Failed to retrieve appointment" });
@@ -71,8 +66,6 @@ router.get(
const patient = await storage.getPatient(patientId); const patient = await storage.getPatient(patientId);
if (!patient) if (!patient)
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
if (patient.userId !== req.user!.id)
return res.status(403).json({ message: "Forbidden" });
const appointments = await storage.getAppointmentsByPatientId(patientId); const appointments = await storage.getAppointmentsByPatientId(patientId);
res.json(appointments); res.json(appointments);
@@ -132,7 +125,6 @@ router.post(
userId: req.user!.id, userId: req.user!.id,
}); });
const userId = req.user!.id;
const originalStartTime = appointmentData.startTime; const originalStartTime = appointmentData.startTime;
const MAX_END_TIME = "18:30"; const MAX_END_TIME = "18:30";
@@ -142,12 +134,6 @@ router.post(
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
} }
if (patient.userId !== userId) {
return res.status(403).json({
message: "Forbidden, You are not the user who created this patient.",
});
}
// 2. Attempt to find the next available slot // 2. Attempt to find the next available slot
let [hour, minute] = originalStartTime.split(":").map(Number); let [hour, minute] = originalStartTime.split(":").map(Number);
@@ -262,8 +248,6 @@ router.put(
userId: req.user!.id, userId: req.user!.id,
}); });
const userId = req.user!.id;
const appointmentIdParam = req.params.id; const appointmentIdParam = req.params.id;
if (!appointmentIdParam) { if (!appointmentIdParam) {
return res.status(400).json({ message: "Appointment ID is required" }); return res.status(400).json({ message: "Appointment ID is required" });
@@ -276,24 +260,12 @@ router.put(
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
} }
if (patient.userId !== userId) {
return res.status(403).json({
message: "Forbidden, You are not the user who created this patient.",
});
}
// 2. Check if appointment exists and belongs to user // 2. Check if appointment exists and belongs to user
const existingAppointment = await storage.getAppointment(appointmentId); const existingAppointment = await storage.getAppointment(appointmentId);
if (!existingAppointment) { if (!existingAppointment) {
console.log("Appointment not found:", appointmentId); console.log("Appointment not found:", appointmentId);
return res.status(404).json({ message: "Appointment not found" }); return res.status(404).json({ message: "Appointment not found" });
} }
if (existingAppointment.userId !== req.user!.id) {
return res.status(403).json({
message:
"Forbidden, You are not the user who created this appointment.",
});
}
// 4. Reject patientId change (not allowed) // 4. Reject patientId change (not allowed)
if ( if (
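Review bot: The PUT handler's comment `// 2. Check if appointment exists and belongs to user` still promises an ownership check, but the lines that performed it (`existingAppointment.userId !== req.user!.id`, and the `patient.userId !== userId` guard above it) are deleted, so as far as this hunk shows any authenticated caller who knows an appointment id can update it and can attach it to another user's patient. If cross-user access is now intended, the comment should shrink to `// 2. Check if appointment exists` and the new policy be stated in the route's doc; otherwise restore `if (existingAppointment.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` after the 404 branch. The GET /:id, GET-by-patient and POST hunks in this file drop the same guard, so whichever decision is taken should be applied to all four consistently. The handler continues past the end of the hunk (the patientId-change rejection is cut off).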


@@ -237,10 +237,6 @@ router.get("/:id", async (req: Request, res: Response): Promise<any> => {
return res.status(404).json({ message: "Claim not found" }); return res.status(404).json({ message: "Claim not found" });
} }
if (claim.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
res.json(claim); res.json(claim);
} catch (error) { } catch (error) {
res.status(500).json({ message: "Failed to retrieve claim" }); res.status(500).json({ message: "Failed to retrieve claim" });
@@ -334,10 +330,6 @@ router.put("/:id", async (req: Request, res: Response): Promise<any> => {
return res.status(404).json({ message: "Claim not found" }); return res.status(404).json({ message: "Claim not found" });
} }
if (existingClaim.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
const claimData = updateClaimSchema.parse(req.body); const claimData = updateClaimSchema.parse(req.body);
const updatedClaim = await storage.updateClaim(claimId, claimData); const updatedClaim = await storage.updateClaim(claimId, claimData);
res.json(updatedClaim); res.json(updatedClaim);
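Review bot: `storage.updateClaim(claimId, claimData)` in PUT /:id now runs for any claim the 404 lookup finds, because the `existingClaim.userId !== req.user!.id` guard was removed and nothing else in the hunk ties `claimId` to the caller; the GET /:id hunk in this file drops the same guard, so the claim id becomes the only access control. If a wider sharing model is the intent (the commit title hints at a user-model change, but it is not spelled out), the replacement predicate should appear here rather than the check simply vanishing; otherwise restore `if (existingClaim.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` before `updateClaimSchema.parse`. A harder-to-forget alternative is an owner-scoped lookup such as `storage.getClaimForUser(claimId, req.user!.id)`, though no such helper is visible here. Both handlers begin above their hunks.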


@@ -150,12 +150,6 @@ router.get(
if (!patient) { if (!patient) {
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
} }
// Ensure the patient belongs to the logged-in user
if (patient.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
res.json(patient); res.json(patient);
} catch (error) { } catch (error) {
res.status(500).json({ message: "Failed to retrieve patient" }); res.status(500).json({ message: "Failed to retrieve patient" });
@@ -220,10 +214,6 @@ router.put(
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
} }
if (existingPatient.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
// Validate request body // Validate request body
const patientData = updatePatientSchema.parse(req.body); const patientData = updatePatientSchema.parse(req.body);
@@ -282,9 +272,7 @@ router.delete(
} }
if (existingPatient.userId !== req.user!.id) { if (existingPatient.userId !== req.user!.id) {
return res return res.status(403).json({
.status(403)
.json({
message: message:
"Forbidden: Patient belongs to a different user, you can't delete this.", "Forbidden: Patient belongs to a different user, you can't delete this.",
}); });
@@ -320,10 +308,6 @@ router.get(
return res.status(404).json({ message: "Patient not found" }); return res.status(404).json({ message: "Patient not found" });
} }
if (patient.userId !== req.user!.id) {
return res.status(403).json({ message: "Forbidden" });
}
const appointments = await storage.getAppointmentsByPatientId(patientId); const appointments = await storage.getAppointmentsByPatientId(patientId);
res.json(appointments); res.json(appointments);
} catch (error) { } catch (error) {
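Review bot: Ownership enforcement in this file is now inconsistent: the DELETE hunk keeps `if (existingPatient.userId !== req.user!.id)` (only reformatted), while the GET /:id, PUT /:id and appointments-by-patient hunks delete the equivalent check, so a caller who is forbidden from deleting a patient can, as far as these hunks show, still read and modify that record. Either policy may be intended, but the two should not coexist; if reads and updates are meant to stay owner-scoped, restore `if (patient.userId !== req.user!.id) { return res.status(403).json({ message: "Forbidden" }); }` after each 404 branch, and if they are meant to be shared, say so in a comment above each route and revisit the DELETE guard as well. Removing `// Ensure the patient belongs to the logged-in user` together with its check is right, but nothing now documents the new policy. Each handler starts above its hunk.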


@@ -1,5 +0,0 @@
for staff model migration:
after npm run db migrate,
either by sql or manually add userid to each row of staff model.