| // Update an event form | ||
| // NOTE: Only admins can update event forms | ||
| // NOTE: id is the event form's id, stored as the primary key in the database |
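Review bot: the comment "NOTE: Only admins can update event forms" states an authorization requirement, but nothing in this hunk enforces it; the guard belongs in route middleware ahead of the handler (something like `router.put('/events/:id', requireAdmin, updateEventForm)`) rather than in a comment, and the `id` taken from the URL should be treated as untrusted input. Without such a guard, any caller who can reach the route can modify any form by primary key.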
Where is the check/auth to make sure the user is an admin?
| try { | ||
| const { netid, name, eventType, startDate, endDate, organizationName, location, about } = req.body; | ||
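Review bot: the destructuring on this line takes netid from req.body, so the recorded submitter is whatever the client chooses to send; it should be read from the authenticated session and any body value ignored. The other fields (eventType, startDate, endDate, organizationName, location, about) are also accepted with no validation visible in the hunk; at minimum check that they are present, that startDate precedes endDate, and that eventType is one of the expected values before they reach the database.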
This implementation looks solid, but for the netid, allowing the user to just input this in the body is not secure. We should instead extract the user's netid from their login information, hence this must be a protected route if I am understanding the purpose of these event forms correctly.
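Added example of the two points raised in this review thread (not code from the Navi PR): an Express-style auth middleware that gates admin-only routes, and a create-event builder that takes the submitter's netid from the authenticated session rather than from the request body. It assumes an upstream login layer sets `req.user = { netid, isAdmin }`; that field shape, the `ALLOWED_EVENT_TYPES` list and the `runMiddleware`/`fakeRes` helpers are hypothetical and exist only so the code runs without Express.

```javascript
// Added example, not the project's code. Assumes a login layer has already
// populated req.user = { netid, isAdmin } from the session (hypothetical shape).
const ALLOWED_EVENT_TYPES = new Set(['social', 'academic', 'athletic']); // constructed list

// Reject unauthenticated requests before any handler runs.
function requireAuth(req, res, next) {
  if (!req.user || typeof req.user.netid !== 'string') {
    res.status(401).json({ error: 'authentication required' });
    return;
  }
  next();
}

// Only admins may approve/reject or update event forms (PUT /events/:id).
function requireAdmin(req, res, next) {
  requireAuth(req, res, () => {
    if (req.user.isAdmin !== true) {
      res.status(403).json({ error: 'admin only' });
      return;
    }
    next();
  });
}

// Build the row to insert from a create-event request. netid always comes
// from the session; a netid supplied in the body is ignored.
function buildEventFromRequest(req) {
  if (!req.user || typeof req.user.netid !== 'string') {
    return { ok: false, errors: ['no authenticated user'] };
  }
  const { name, eventType, startDate, endDate, organizationName, location, about } = req.body || {};
  const errors = [];
  const required = { name, eventType, startDate, endDate, organizationName, location };
  for (const [key, val] of Object.entries(required)) {
    if (typeof val !== 'string' || val.trim() === '') errors.push(`${key} is required`);
  }
  if (!ALLOWED_EVENT_TYPES.has(eventType)) errors.push('eventType not recognised');
  const start = Date.parse(startDate);
  const end = Date.parse(endDate);
  if (Number.isNaN(start) || Number.isNaN(end)) errors.push('dates must be ISO-8601');
  else if (end <= start) errors.push('endDate must be after startDate');
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    value: {
      netid: req.user.netid, // trusted: from the session, never from the body
      name: name.trim(),
      eventType,
      startDate,
      endDate,
      organizationName: organizationName.trim(),
      location: location.trim(),
      about: typeof about === 'string' ? about.trim() : '',
    },
  };
}

// Minimal res stand-in so the middleware can be exercised without Express.
function fakeRes() {
  const r = { statusCode: 200, body: undefined };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (body) => { r.body = body; return r; };
  return r;
}

// Run a middleware against a constructed request; report whether next() fired.
function runMiddleware(mw, req) {
  const res = fakeRes();
  let passed = false;
  mw(req, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}

// Demo with a constructed request that tries to spoof netid in the body.
const spoofReq = {
  user: { netid: 'abc123', isAdmin: false },
  body: { netid: 'victim99', name: 'Hack Night', eventType: 'social',
          startDate: '2025-03-01T18:00:00Z', endDate: '2025-03-01T20:00:00Z',
          organizationName: 'Navi Club', location: 'Room 101' },
};
console.log(buildEventFromRequest(spoofReq).value.netid); // -> 'abc123' (session identity wins)
console.log(runMiddleware(requireAdmin, spoofReq).status); // -> 403 (non-admin refused)
```

In a real router the same functions would be wired as `router.post('/events/create-event', requireAuth, createHandler)` and `router.put('/events/:id', requireAdmin, updateHandler)`, so the identity and role decisions are made once, before any handler touches the database.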
| * @param {Object} eventForm - The event form to convert. | ||
| * @returns {Object} - The public event. | ||
| */ | ||
| function toPublicEvent({ name, netid, eventType, startDate, endDate, organizationName, about, location, image_url }) { |
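Review bot: toPublicEvent destructures netid into the public payload, while the PR description says the output for non-admin clients is sanitized; confirm the submitter's netid is meant to be public, and otherwise drop it from the parameter list. The list also mixes `image_url` with camelCase names, which points to the snake_case/camelCase mismatch between the DB rows and this function's parameters.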
I think you need to map the snake_case that the DB returns to the camelCase you are using. Because in your migration files, for example, event type is listed as event_type instead of eventType. So you need to add a mapping like this:
function toPublicEvent(row) {
return {
name: row.name,
netid: row.netid,
eventType: row.event_type,
startDate: row.start_date,
endDate: row.end_date,
organizationName: row.organization_name,
about: row.about,
location: row.location,
imageUrl: row.image_url
}
}
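Added example building on the mapping in the comment above (not code from the Navi PR): an allowlist-driven projection from snake_case event_forms rows to the camelCase API shape, with separate public and admin views. Column names follow the reviewer's mapping; `id`, `status`, `created_at` and `reviewer_notes` are assumed internal columns, and treating netid as admin-only is an assumption here (move it to PUBLIC_COLUMNS if the submitter's identity is meant to be shown). Anything not on the allowlist is dropped rather than leaked.

```javascript
// Added example, not the project's code. Column names other than those in
// the reviewer's mapping above are assumptions.
const PUBLIC_COLUMNS = ['name', 'event_type', 'start_date', 'end_date',
                        'organization_name', 'about', 'location', 'image_url'];
// netid, id, status, created_at are assumed admin-only here.
const ADMIN_COLUMNS = [...PUBLIC_COLUMNS, 'id', 'netid', 'status', 'created_at'];

// event_type -> eventType, organization_name -> organizationName, ...
function snakeToCamel(column) {
  return column.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
}

// Copy only allowlisted columns. A column added by a future migration (or a
// stray field on the row) never reaches the client unless it is listed here.
function project(row, columns) {
  const out = {};
  for (const column of columns) {
    if (Object.prototype.hasOwnProperty.call(row, column)) {
      out[snakeToCamel(column)] = row[column];
    }
  }
  return out;
}

function toPublicEvent(row) { return project(row, PUBLIC_COLUMNS); }
function toAdminEvent(row) { return project(row, ADMIN_COLUMNS); }

// Constructed sample row in the shape sqlite3 returns from event_forms.
const SAMPLE_ROW = {
  id: 7, netid: 'abc123', name: 'Hack Night', event_type: 'social',
  start_date: '2025-03-01T18:00:00Z', end_date: '2025-03-01T20:00:00Z',
  organization_name: 'Navi Club', about: 'Bring a laptop', location: 'Room 101',
  image_url: '/images/7.png', status: 'approved',
  created_at: '2025-02-01T00:00:00Z', reviewer_notes: 'looks fine',
};

console.log(JSON.stringify(toPublicEvent(SAMPLE_ROW)));
console.log(JSON.stringify(toAdminEvent(SAMPLE_ROW)));
```

Using GET /events (admin) with `toAdminEvent` and GET /events/approved (public) with `toPublicEvent` keeps the two payload shapes in one place, so a schema change is a one-line allowlist edit rather than a hunt through handlers.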
| }); | ||
| // Close the database | ||
| db.close((err) => { |
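Review bot: db.close is issued at the same level as the query, so it can run before the db.all callback fires and the query then fails against a closed handle; move the close into the query's completion callback, or wrap the query in a promise and close in a finally block. The `err` passed to the close callback on this line should also be handled rather than dropped.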
Make sure your db.close() call is inside the db.all callback, because this might run into some race condition issues: the query might still be running when you suddenly close the connection to the db.
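Added example of the ordering problem described in this comment (not code from the Navi PR): the racy pattern, where close is issued on the same tick as the query, beside a fixed pattern that promisifies the node-sqlite3-style callback API and closes in a `finally` block. `FakeDatabase` is a constructed stand-in with the `db.all(sql, params, cb)` / `db.close(cb)` shape that delivers results on a later tick, so the block runs without the sqlite3 module; the error message it produces mirrors node-sqlite3's but is part of the stand-in.

```javascript
// Added example, not the project's code. FakeDatabase is a constructed
// stand-in for a node-sqlite3 Database; only its callback shape is real.
class FakeDatabase {
  constructor(rows) { this.rows = rows; this.closed = false; this.log = []; }
  all(sql, params, cb) {
    this.log.push('all:start');
    setImmediate(() => {           // result arrives asynchronously, as with real sqlite3
      if (this.closed) {
        this.log.push('all:error');
        cb(new Error('SQLITE_MISUSE: Database is closed')); // constructed message
        return;
      }
      this.log.push('all:done');
      cb(null, this.rows);
    });
  }
  close(cb) { this.closed = true; this.log.push('close'); setImmediate(() => cb(null)); }
}

// Promise wrappers around the callback API.
function all(db, sql, params = []) {
  return new Promise((resolve, reject) =>
    db.all(sql, params, (err, rows) => (err ? reject(err) : resolve(rows))));
}
function close(db) {
  return new Promise((resolve, reject) =>
    db.close((err) => (err ? reject(err) : resolve())));
}

// Run work(db) and close the handle only after the work has settled,
// whether it resolved or threw.
async function withDatabase(db, work) {
  try {
    return await work(db);
  } finally {
    await close(db);
  }
}

// Broken pattern: close fires before the query's callback, so the result
// callback sees a closed handle. Returns the error message for inspection.
async function fetchApprovedRacy(db) {
  const pending = all(db, 'SELECT * FROM event_forms WHERE status = ?', ['approved']);
  db.close(() => {});
  try { return await pending; } catch (e) { return e.message; }
}

// Fixed pattern: the query is awaited inside withDatabase; close runs in finally.
function fetchApprovedSafe(db) {
  return withDatabase(db, (h) =>
    all(h, 'SELECT * FROM event_forms WHERE status = ?', ['approved']));
}

// Demo with constructed rows.
fetchApprovedSafe(new FakeDatabase([{ id: 1, name: 'Hack Night' }]))
  .then((rows) => console.log('safe:', rows.length, 'row(s)'));
fetchApprovedRacy(new FakeDatabase([{ id: 1 }]))
  .then((msg) => console.log('racy:', msg));
```

The `log` array on the stand-in records the order of events: the racy path logs the close before the query completes, the safe path logs it after.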
| } | ||
| }); | ||
| // Get image by event form ID |
Do we need this route? The GET /events/ already has the image urls in the response. Unless we need this for testing
Updated Chimdi Event form to add images as well -- See documentation below
Overview
In this pull request, I introduce in-house event form submission and moderation functionality to Navi, creating the backend logic needed to enable users to submit requests to host events directly through the app. These event requests are persisted in the backend on the SQLite database, and moderated by an approval workflow. The goal is to replace the need for external tools (e.g. Google Forms) with a fully integrated backend solution, and to facilitate real-time updates to both submitters and administrators.
Changes Made
Change 1: Introduce event form persistence via database migrations
I added a new migration to introduce an event_forms table, which stores event submission metadata including:
netid)
Change 2: Implement REST endpoints for event submission and retrieval
I added REST endpoints and a corresponding controller to support the full event submission lifecycle:
POST /events/create-event to submit a new event request
GET /events to retrieve all submissions (admin-facing, includes public and private information)
GET /events/approved to retrieve all approved events (public-facing, sanitized output)
PUT /events/:id to approve or reject a submission (admin-only)
Swagger documentation was updated to reflect all new endpoints and request/response schemas.
I introduced a toPublicEvent helper to ensure that only public-safe fields are sent to non-admin clients. Internal identifiers and metadata (e.g. database IDs and timestamps) are excluded from public payloads, reducing frontend coupling to database schema.
Change 4: Migration adjustments
Combined all migration files into one
Test Coverage
I manually tested the feature end-to-end using a combination of REST requests and WebSocket clients via multiple terminals.
POST /events/create-event correctly inserts a record into the database
curl to approve and reject events via PUT /events/:id, confirming that:
Next Steps