From bda5602e9f03001f6b618b54f657c7aefbbd9ee9 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Fri, 29 Jan 2021 23:03:05 +0100
Subject: [PATCH] Only safe transaction if user owns it
---
 src/plugins/balance/store/balance.ts | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/plugins/balance/store/balance.ts b/src/plugins/balance/store/balance.ts
index 1fb3f17..1315e16 100644
--- a/src/plugins/balance/store/balance.ts
+++ b/src/plugins/balance/store/balance.ts
@@ -1,5 +1,5 @@
 import { Module, MutationTree, ActionTree, GetterTree } from 'vuex';
-import { StateInterface } from 'src/store';
+import store, { StateInterface } from 'src/store';
 import { axios } from 'src/boot/axios';
 import { AxiosResponse } from 'axios';
 
@@ -170,14 +170,21 @@ const actions: ActionTree = {
 dispatch('getBalance').catch(err => console.warn(err));
 });
 },
- changeBalance({ dispatch, commit }, data: { amount: number; user: string; sender?: string }) {
+ changeBalance(
+ { dispatch, commit, rootState },
+ data: { amount: number; user: string; sender?: string }
+ ) {
 commit('setLoading');
 return axios
 .put(`/users/${data.user}/balance`, data)
 .then((response: AxiosResponse) => {
 const transaction = response.data;
 fixTransaction(transaction);
- commit('addTransaction', transaction);
+ if (
+ data.user == rootState.user.currentUser?.userid ||
+ data.sender === rootState.user.currentUser?.userid
+ )
+ commit('addTransaction', transaction);
 commit(state.balances.has(data.user) ? 'changeBalance' : 'setBalance', {
 userid: data.user,
 amount: data.amount
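Review bot: The default import `store` added on the `src/store` line is not used by any line visible in this patch; the ownership check in `changeBalance` reads `rootState` from the action context instead. If nothing else in the file needs it, keep the original `import { StateInterface } from 'src/store';`. Importing the root store into a module that the root store presumably registers can also introduce a circular import, so it is worth confirming before merging.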
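Review bot: The new guard in `changeBalance` passes when no user is logged in and `data.sender` is omitted, because `rootState.user.currentUser?.userid` and the optional `data.sender` are then both `undefined` and `undefined === undefined` is true. Resolve the id once and require it to exist: `const me = rootState.user.currentUser?.userid;` followed by `if (me !== undefined && (data.user === me || data.sender === me)) commit('addTransaction', transaction);`, which also replaces the loose `==` in the first comparison with `===`. This check only decides which transactions the local store caches; whether the caller may change another user's balance still has to be enforced by the server handling the `PUT` to `/users/${data.user}/balance`. The body of `changeBalance` continues past the end of the hunk.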