routes fixed - user based fixed done
@@ -41,11 +41,6 @@ router.get(
|
||||
return res.status(404).json({ message: "Appointment not found" });
|
||||
}
|
||||
|
||||
// Ensure the appointment belongs to the logged-in user
|
||||
if (appointment.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
res.json(appointment);
|
||||
} catch (error) {
|
||||
res.status(500).json({ message: "Failed to retrieve appointment" });
|
||||
@@ -71,8 +66,6 @@ router.get(
|
||||
const patient = await storage.getPatient(patientId);
|
||||
if (!patient)
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
if (patient.userId !== req.user!.id)
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
|
||||
const appointments = await storage.getAppointmentsByPatientId(patientId);
|
||||
res.json(appointments);
|
||||
@@ -132,7 +125,6 @@ router.post(
|
||||
userId: req.user!.id,
|
||||
});
|
||||
|
||||
const userId = req.user!.id;
|
||||
const originalStartTime = appointmentData.startTime;
|
||||
const MAX_END_TIME = "18:30";
|
||||
|
||||
@@ -142,12 +134,6 @@ router.post(
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
if (patient.userId !== userId) {
|
||||
return res.status(403).json({
|
||||
message: "Forbidden, You are not the user who created this patient.",
|
||||
});
|
||||
}
|
||||
|
||||
// 2. Attempt to find the next available slot
|
||||
let [hour, minute] = originalStartTime.split(":").map(Number);
|
||||
|
||||
@@ -262,8 +248,6 @@ router.put(
|
||||
userId: req.user!.id,
|
||||
});
|
||||
|
||||
const userId = req.user!.id;
|
||||
|
||||
const appointmentIdParam = req.params.id;
|
||||
if (!appointmentIdParam) {
|
||||
return res.status(400).json({ message: "Appointment ID is required" });
|
||||
@@ -276,24 +260,12 @@ router.put(
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
if (patient.userId !== userId) {
|
||||
return res.status(403).json({
|
||||
message: "Forbidden, You are not the user who created this patient.",
|
||||
});
|
||||
}
|
||||
|
||||
// 2. Check if appointment exists and belongs to user
|
||||
const existingAppointment = await storage.getAppointment(appointmentId);
|
||||
if (!existingAppointment) {
|
||||
console.log("Appointment not found:", appointmentId);
|
||||
return res.status(404).json({ message: "Appointment not found" });
|
||||
}
|
||||
if (existingAppointment.userId !== req.user!.id) {
|
||||
return res.status(403).json({
|
||||
message:
|
||||
"Forbidden, You are not the user who created this appointment.",
|
||||
});
|
||||
}
|
||||
|
||||
// 4. Reject patientId change (not allowed)
|
||||
if (
|
||||
|
||||
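Review bot: The PUT handler in the last hunk of this file no longer verifies that the appointment or its patient belongs to the caller, so any authenticated user who knows an appointment id can update another user's appointment; the `patient.userId !== userId` and `existingAppointment.userId !== req.user!.id` guards were the only object-level authorization visible here, and the comment `// 2. Check if appointment exists and belongs to user` that survives now promises a check the code does not perform. The old/new side is inferred from the hunk counts (`-276,24 +260,12`, no added lines), so confirm, but the same pattern repeats in the GET `/:id`, GET by-patient and POST hunks above. Unless `storage.getAppointment` / `storage.getPatient` are now scoped to the caller (not visible in this commit), reinstate the guard after the 404 check, e.g. `if (existingAppointment.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });`, or pass `req.user!.id` into the storage lookup and return 404 on a miss. The handler's body starts and ends outside the hunk.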
@@ -237,10 +237,6 @@ router.get("/:id", async (req: Request, res: Response): Promise<any> => {
|
||||
return res.status(404).json({ message: "Claim not found" });
|
||||
}
|
||||
|
||||
if (claim.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
res.json(claim);
|
||||
} catch (error) {
|
||||
res.status(500).json({ message: "Failed to retrieve claim" });
|
||||
@@ -334,10 +330,6 @@ router.put("/:id", async (req: Request, res: Response): Promise<any> => {
|
||||
return res.status(404).json({ message: "Claim not found" });
|
||||
}
|
||||
|
||||
if (existingClaim.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
const claimData = updateClaimSchema.parse(req.body);
|
||||
const updatedClaim = await storage.updateClaim(claimId, claimData);
|
||||
res.json(updatedClaim);
|
||||
|
||||
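Review bot: GET `/:id` and PUT `/:id` now return or update a claim by id alone; the `claim.userId !== req.user!.id` / `existingClaim.userId !== req.user!.id` guards between lookup and response are gone from both hunks (inferred from the `-237,10 +237,6` and `-334,10 +330,6` counts with no added lines), so unless `storage.getClaim` and `storage.updateClaim` are now scoped by user, any authenticated user can read and modify other users' claims by guessing an id. If the check was deliberately moved into the storage layer, that is not visible here and deserves a comment at the lookup; otherwise reinstate `if (existingClaim.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });` before `updateClaimSchema.parse(req.body)` in the PUT hunk and the equivalent line before `res.json(claim)` in the GET hunk. Both handlers begin outside their hunks.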
@@ -150,12 +150,6 @@ router.get(
|
||||
if (!patient) {
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
// Ensure the patient belongs to the logged-in user
|
||||
if (patient.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
res.json(patient);
|
||||
} catch (error) {
|
||||
res.status(500).json({ message: "Failed to retrieve patient" });
|
||||
@@ -220,10 +214,6 @@ router.put(
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
if (existingPatient.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
// Validate request body
|
||||
const patientData = updatePatientSchema.parse(req.body);
|
||||
|
||||
@@ -282,9 +272,7 @@ router.delete(
|
||||
}
|
||||
|
||||
if (existingPatient.userId !== req.user!.id) {
|
||||
return res
|
||||
.status(403)
|
||||
.json({
|
||||
return res.status(403).json({
|
||||
message:
|
||||
"Forbidden: Patient belongs to a different user, you can't delete this.",
|
||||
});
|
||||
@@ -320,10 +308,6 @@ router.get(
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
if (patient.userId !== req.user!.id) {
|
||||
return res.status(403).json({ message: "Forbidden" });
|
||||
}
|
||||
|
||||
const appointments = await storage.getAppointmentsByPatientId(patientId);
|
||||
res.json(appointments);
|
||||
} catch (error) {
|
||||
|
||||
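Review bot: The patient routes are now inconsistent about ownership: the delete hunk keeps `if (existingPatient.userId !== req.user!.id)` → 403 (only reformatted onto one line), while the GET `/:id`, PUT `/:id` and GET-appointments hunks drop the equivalent `patient.userId !== req.user!.id` guard (inferred from the hunk counts, which show removals and no additions). Either other users' patient records are meant to be readable and editable but not deletable — in which case the surviving check needs a comment stating that model so the asymmetry is not read as a bug — or the three removals are regressions that let any authenticated user read and edit any patient by id. Unless `storage.getPatient` is now scoped to the caller (not visible here), reinstate the guard in the PUT hunk before `updatePatientSchema.parse(req.body)`: `if (existingPatient.userId !== req.user!.id) return res.status(403).json({ message: "Forbidden" });`, and likewise before `res.json(patient)` and before `storage.getAppointmentsByPatientId(patientId)`. The handlers' bodies extend outside the hunks.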
@@ -1,5 +0,0 @@
|
||||
for staff model migration:
|
||||
|
||||
after npm run db migrate,
|
||||
|
||||
either by sql or manually add userid to each row of staff model.
|
||||