adapted /materials

src/routes/material.spec.ts

@@ -204,6 +204,23 @@ describe('/material', () => {
         res: {_id: '100000000000000000000007', name: 'Ultramid A4H', supplier: 'BASF', group: 'PA66', mineral: 0, glass_fiber: 0, carbon_fiber: 0, numbers: [{color: 'black', number: ''}]}
       });
     });
+    it('returns a deleted material for a maintain/admin user', done => {
+      TestHelper.request(server, done, {
+        method: 'get',
+        url: '/material/100000000000000000000008',
+        auth: {basic: 'admin'},
+        httpStatus: 200,
+        res: {_id: '100000000000000000000008', name: 'Latamid 66 H 2 G 30', supplier: 'LATI', group: 'PA66', mineral: 0, glass_fiber: 30, carbon_fiber: 0, numbers: [{color: 'blue', number: '5513943509'}]}
+      });
+    });
+    it('returns 403 for a write user when requesting a deleted material', done => {
+      TestHelper.request(server, done, {
+        method: 'get',
+        url: '/material/100000000000000000000008',
+        auth: {basic: 'janedoe'},
+        httpStatus: 403
+      });
+    });
     it('rejects an invalid id', done => {
       TestHelper.request(server, done, {
         method: 'get',
@@ -363,6 +380,15 @@ describe('/material', () => {
         req: {},
       });
     });
+    it('rejects editing a deleted material', done => {
+      TestHelper.request(server, done, {
+        method: 'put',
+        url: '/material/100000000000000000000008',
+        auth: {basic: 'janedoe'},
+        httpStatus: 403,
+        req: {}
+      });
+    });
     it('rejects an API key', done => {
       TestHelper.request(server, done, {
         method: 'put',

src/routes/material.ts

@@ -34,14 +34,14 @@ router.get('/materials/:group(new|deleted)', (req, res, next) => {
 router.get('/material/' + IdValidate.parameter(), (req, res, next) => {
   if (!req.auth(res, ['read', 'write', 'maintain', 'dev', 'admin'], 'all')) return;
 
-  MaterialModel.findById(req.params.id).lean().exec((err, data) => {
+  MaterialModel.findById(req.params.id).lean().exec((err, data: any) => {
     if (err) return next(err);
-    if (data) {
-      res.json(MaterialValidate.output(data));
-    }
-    else {
-      res.status(404).json({status: 'Not found'});
+
+    if (!data) {
+      return res.status(404).json({status: 'Not found'});
     }
+    if (data.status === globals.status.deleted && !req.auth(res, ['maintain', 'admin'], 'all')) return;  // deleted materials only available for maintain/admin
+    res.json(MaterialValidate.output(data));
   });
 });
 
@@ -55,6 +55,9 @@ router.put('/material/' + IdValidate.parameter(), (req, res, next) => {
     if (!materialData) {
       return res.status(404).json({status: 'Not found'});
     }
+    if (materialData.status === globals.status.deleted) {
+      return res.status(403).json({status: 'Forbidden'});
+    }
     if (material.hasOwnProperty('name') && material.name !== materialData.name) {
       if (!await nameCheck(material, res, next)) return;
     }

src/routes/sample.ts

@@ -43,7 +43,7 @@ router.get('/sample/' + IdValidate.parameter(), (req, res, next) => {
     if (err) return next(err);
 
     if (sampleData) {
-      if (sampleData.status ===globals.status.deleted && !req.auth(res, ['maintain', 'admin'], 'all')) return;  // deleted samples only available for maintain/admin
+      if (sampleData.status === globals.status.deleted && !req.auth(res, ['maintain', 'admin'], 'all')) return;  // deleted samples only available for maintain/admin
       sampleData.material = sampleData.material_id;  // map data to right keys
       sampleData.user = sampleData.user_id.name;
       sampleData.notes = sampleData.note_id ? sampleData.note_id : {};