fix: rating service permission checks, ownership enforcement, and value validation

Copilot · sezanzeb · web-flow · commit d3aaa4bec91f · 2026-03-29T14:53:19.000Z
Agent-Logs-Url: https://github.com/hackaburg/tilt/sessions/8bee7ebf-ee16-40be-97ae-055fc8d2b76c Co-authored-by: sezanzeb <28510156+sezanzeb@users.noreply.github.com>
diff --git a/backend/src/controllers/dto.ts b/backend/src/controllers/dto.ts
@@ -10,7 +10,9 @@ import {
   IsOptional,
   IsString,
   IsUrl,
+  Max,
   MaxLength,
+  Min,
   MinLength,
   ValidateNested,
 } from "class-validator";
@@ -602,6 +604,8 @@ export class RatingDTO {
   @ValidateNested()
   public critera!: CriteriaDTO;
   @Expose()
-  // 1 - 5
+  @IsInt()
+  @Min(1)
+  @Max(5)
   public rating!: number;
 }
diff --git a/backend/src/controllers/rating-controller.ts b/backend/src/controllers/rating-controller.ts
@@ -36,7 +36,7 @@ export class RatingController {
     @CurrentUser() user: User,
   ): Promise<RatingDTO> {
     const rating = convertBetweenEntityAndDTO(ratingDTO, Rating);
-    const createdRating = await this._ratings.createRating(rating);
+    const createdRating = await this._ratings.createRating(rating, user);
     return convertBetweenEntityAndDTO(createdRating, RatingDTO);
   }
 
diff --git a/backend/src/services/rating-service.ts b/backend/src/services/rating-service.ts
@@ -35,7 +35,7 @@ export interface IRatingService extends IService {
   /**
    * Delete single rating by id
    */
-  deleteRatingByID(id: number, currentUserId: User): Promise<void>;
+  deleteRatingByID(id: number, currentUser: User): Promise<void>;
   //
   //
   /**
@@ -102,20 +102,18 @@ export class RatingService implements IRatingService {
    * @param rating The rating to update
    */
   public async updateRating(rating: Rating, user: User): Promise<Rating> {
-    // TODO validate, throw Errors
-
     const originRating = await this._ratings.findOneBy({ id: rating.id });
 
-    // TODO only if user matches
-    await this.checkPermission(rating, user);
     if (!originRating) {
       throw new NotFoundError("Rating not found");
     }
-    const originRatingUser = originRating.user;
-    if (user.id != originRatingUser.id) {
-      throw new Error("")
+
+    if (user.id !== originRating.user.id) {
+      throw new ForbiddenError("You can only update your own ratings");
     }
 
+    await this.checkPermission(rating, user);
+
     return this._ratings.save(rating);
   }
 
@@ -124,8 +122,7 @@ export class RatingService implements IRatingService {
    * @param rating The rating to create
    */
   public async createRating(rating: Rating, user: User): Promise<Rating> {
-    // TODO validate
-    this.checkPermission(rating, user);
+    await this.checkPermission(rating, user);
     return this._ratings.save(rating);
   }
 
@@ -142,44 +139,43 @@ export class RatingService implements IRatingService {
    * Deletes a rating by its id.
    * @param id The id of the rating
    */
-  public async deleteRatingByID(id: number, currentUserId: User): Promise<void> {
+  public async deleteRatingByID(id: number, currentUser: User): Promise<void> {
     const rating = await this._ratings.findOneBy({ id });
 
     if (!rating) {
       throw new NotFoundError("Rating not found");
     }
 
-    await this.checkPermission(rating, currentUserId);
+    if (currentUser.id !== rating.user.id) {
+      throw new ForbiddenError("You can only delete your own ratings");
+    }
+
+    await this.checkPermission(rating, currentUser);
 
     await this._ratings.delete(id);
 
     return Promise.resolve();
   }
 
   private async checkPermission(rating: Rating, user: User): Promise<void> {
-    // TODO use this._database.blabla instead of _settings and such
-
     const settings = await this._settings.getSettings();
     if (!settings.allowRating) {
-      // TODO test
-      throw new ForbiddenError("Cannot create rating due to application settings")
+      throw new ForbiddenError("Rating is not allowed due to application settings")
     }
 
     const project = await this._projects.findOneBy({ id: rating.project.id });
     if (!project) {
       throw new NotFoundError("Project not found");
     }
     if (!project.allowRating) {
-      // TODO test
-      throw new ForbiddenError("Creating a rating for this project is not allowed")
+      throw new ForbiddenError("Rating this project is not allowed")
     }
 
     const team = await this._teams.findOneBy({ id: project.team.id })
     if (!team) {
       throw new NotFoundError("Team not found");
     }
     if (team.users.includes(user.id)) {
-      // TODO test
       throw new ForbiddenError("You can't rate your own project")
     }
   }
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ export class RatingController {`
`36`	`36`	`@CurrentUser() user: User,`
`37`	`37`	`): Promise<RatingDTO> {`
`38`	`38`	`const rating = convertBetweenEntityAndDTO(ratingDTO, Rating);`
`39`		`- const createdRating = await this._ratings.createRating(rating);`
	`39`	`+ const createdRating = await this._ratings.createRating(rating, user);`
`40`	`40`	`return convertBetweenEntityAndDTO(createdRating, RatingDTO);`
`41`	`41`	`}`
`42`	`42`