diff --git a/backend/src/controllers/authController.js b/backend/src/controllers/authController.js
index 9dd968f..702a205 100644
--- a/backend/src/controllers/authController.js
+++ b/backend/src/controllers/authController.js
@@ -567,12 +567,12 @@ const removeSubUser = async (req, res) => {
 };
 
 /**
- * Update the role of a sub-user
- * @route PUT /api/auth/sub-user/:subUserId/role
+ * Update the role of a sub-user for a specific pet
+ * @route PUT /api/auth/sub-user/:subUserId/pet/:petId/role
  */
 const updateSubUserRole = async (req, res) => {
   try {
-    const { subUserId } = req.params;
+    const { subUserId, petId } = req.params;
     const { role } = req.body;
     const requestingUserId = req.user.userId;
 
@@ -603,8 +603,8 @@ const updateSubUserRole = async (req, res) => {
       });
     }
 
-    // Update the sub-user role
-    const updatedSubUser = await User.updateSubUserRole(subUserId, role);
+    // Update the sub-user role for the specific pet
+    const updatedSubUser = await User.updateSubUserRole(subUserId, parseInt(petId), requestingUserId, role);
 
     if (!updatedSubUser) {
       return res.status(500).json({
diff --git a/backend/src/middleware/validateSubUserRoleUpdate.js b/backend/src/middleware/validateSubUserRoleUpdate.js
index 9ff8738..93ffb45 100644
--- a/backend/src/middleware/validateSubUserRoleUpdate.js
+++ b/backend/src/middleware/validateSubUserRoleUpdate.js
@@ -5,7 +5,7 @@ const validator = require('validator');
  */
 const validateSubUserRoleUpdate = (req, res, next) => {
   const { role } = req.body;
-  const { subUserId } = req.params;
+  const { subUserId, petId } = req.params;
   const errors = [];
 
   // Validate sub-user ID (must be UUID)
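Review bot: A null result from `User.updateSubUserRole` is now also the ordinary outcome when the (subUserId, petId, requestingUserId) triple matches no pet_users row — for instance when the caller does not own that pet membership — because the ownership condition has moved into the model's WHERE clause, yet the line after the call still answers with `res.status(500)`. Unless the checks earlier in the function (outside this hunk) already verify that membership, that branch should answer with a 404 (or 403) such as `return res.status(404).json({ error: 'Sub-user is not assigned to this pet under your account' });`, keeping 500 for actual query failures. Separately, `parseInt(petId)` is called without a radix; prefer `Number.parseInt(petId, 10)` even though the middleware has already confirmed the value is an integer string. The rest of updateSubUserRole, including the 500 response body, lies outside the hunk.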
@@ -15,6 +15,13 @@ const validateSubUserRoleUpdate = (req, res, next) => {
     errors.push('Invalid sub-user ID format');
   }
 
+  // Validate pet ID (must be a positive integer)
+  if (!petId) {
+    errors.push('Pet ID is required');
+  } else if (!validator.isInt(petId, { min: 1 })) {
+    errors.push('Invalid pet ID format');
+  }
+
   // Validate role (required)
   if (!role) {
     errors.push('Role is required');
diff --git a/backend/src/models/User.js b/backend/src/models/User.js
index dbb8db9..fcd415b 100644
--- a/backend/src/models/User.js
+++ b/backend/src/models/User.js
@@ -255,21 +255,23 @@ class User {
   }
 
   /**
-   * Update the role of a sub-user
+   * Update the role of a sub-user for a specific pet
    * @param {string} subUserId - Sub-user UUID
+   * @param {number} petId - Pet ID
+   * @param {string} ownerId - Owner UUID
    * @param {string} newRole - New role value
    * @returns {Promise} Updated sub-user info
    */
-  static async updateSubUserRole(subUserId, newRole) {
+  static async updateSubUserRole(subUserId, petId, ownerId, newRole) {
     const query = `
       UPDATE pet_users
       SET role = $1
-      WHERE user_id = $2
-      RETURNING owner_id as parent_user_id, user_id as sub_user_id, role
+      WHERE user_id = $2 AND pet_id = $3 AND owner_id = $4
+      RETURNING owner_id as parent_user_id, user_id as sub_user_id, pet_id, role
     `;
 
     try {
-      const result = await pool.query(query, [newRole, subUserId]);
+      const result = await pool.query(query, [newRole, subUserId, petId, ownerId]);
       return result.rows[0] || null;
     } catch (error) {
       throw error;
diff --git a/backend/src/routes/userRoutes.js b/backend/src/routes/userRoutes.js
index 56f94be..808b859 100644
--- a/backend/src/routes/userRoutes.js
+++ b/backend/src/routes/userRoutes.js
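Review bot: The JSDoc on updateSubUserRole does not say what happens when no row matches, which is now the case that carries the authorization decision: the new `AND pet_id = $3 AND owner_id = $4` condition means a caller who is not the owner of that pet membership gets `null` back from `result.rows[0] || null` rather than an error. Replace the `@returns {Promise} Updated sub-user info` line with `@returns {Promise<Object|null>} Updated row, or null when no pet_users row matches subUserId, petId and ownerId (including when ownerId does not own that membership)` so callers do not treat null as a server fault. The `ownerId` parameter is described only as "Owner UUID"; it would help to state that it is compared against `pet_users.owner_id` and is the ownership gate for this update, e.g. `@param {string} ownerId - Owner UUID; the update only applies to rows whose owner_id equals this value`.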
@@ -63,10 +63,10 @@ router.get('/sub-users', authenticateToken, getSubUsers);
 router.delete('/sub-user/:subUserId', authenticateToken, removeSubUser);
 
 /**
- * @route PUT /api/auth/sub-user/:subUserId/role
- * @desc Update the role of a sub-user
+ * @route PUT /api/auth/sub-user/:subUserId/pet/:petId/role
+ * @desc Update the role of a sub-user for a specific pet
  * @access Private (parent account owner only)
  */
-router.put('/sub-user/:subUserId/role', authenticateToken, validateSubUserRoleUpdate, updateSubUserRole);
+router.put('/sub-user/:subUserId/pet/:petId/role', authenticateToken, validateSubUserRoleUpdate, updateSubUserRole);
 
 module.exports = router;
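Review bot: The old path `/sub-user/:subUserId/role` is removed rather than kept alongside the new one, so any client still sending `PUT /api/auth/sub-user/:subUserId/role` will fall through to whatever handles unmatched routes in this app (presumably a 404 with no hint of the new shape). If external clients exist, consider leaving a stub on the old path that returns 410 Gone pointing at the new route, or at least record the breaking change in the changelog. The `@access Private (parent account owner only)` line now holds only because the ownership check lives in the User.updateSubUserRole query's WHERE clause together with whatever the controller verifies before the call; worth saying so in the route doc, e.g. `* @access Private (parent account owner only; ownership enforced by User.updateSubUserRole)`.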