Merge pull request #3834 from Iron-56/fix-idor-asset-delete

Update docs for setting up google auth

Author: raclim

client/modules/IDE/actions/assets.js

@@ -30,7 +30,10 @@ export function getAssets() {
 export function deleteAssetRequest(assetKey) {
   return async (dispatch) => {
     try {
-      await apiClient.delete(`/S3/${assetKey}`);
+      const path = assetKey.split('/').pop();
+      await apiClient.delete(
+        `/S3/delete?objectKey=${encodeURIComponent(path)}`
+      );
       dispatch(deleteAsset(assetKey));
     } catch (error) {
       dispatch({

server/controllers/aws.controller.js

@@ -65,8 +65,9 @@ export async function deleteObjectsFromS3(keyList) {
 }
 
 export async function deleteObjectFromS3(req, res) {
-  const { objectKey, userId } = req.params;
-  const fullObjectKey = userId ? `${userId}/${objectKey}` : objectKey;
+  const userId = req.user.id;
+  const { objectKey } = req.query;
+  const fullObjectKey = `${userId}/${objectKey}`;
 
   try {
     await deleteObjectsFromS3([fullObjectKey]);

server/routes/aws.routes.ts

@@ -10,11 +10,7 @@ router.post(
   isAuthenticated,
   AWSController.copyObjectInS3RequestHandler
 );
-router.delete(
-  '/S3/:userId?/:objectKey',
-  isAuthenticated,
-  AWSController.deleteObjectFromS3
-);
+router.delete('/S3/delete', isAuthenticated, AWSController.deleteObjectFromS3);
 router.get('/S3/objects', AWSController.listObjectsInS3ForUserRequestHandler);
 
 // eslint-disable-next-line import/no-default-export