Skip to content
Snippets Groups Projects
Commit 4206f367 authored by Federico Hurtado's avatar Federico Hurtado
Browse files

Basic functionality achieved of generalized search function. Need to define...

Basic functionality achieved of generalized search function. Need to define allowed fields and test it now.
parent 5b3e9c77
No related branches found
No related tags found
1 merge request!11Basic functionality achieved of generalized search function. Need to define...
......@@ -251,10 +251,69 @@ async function updatePerson(personId, personInfo) {
}
}
// Define a whitelist of allowed fields to prevent SQL injection
const allowedSearchFields = [
"gradYear",
"degreeYear",
"city",
"stateId",
"contactNumber",
"firstName",
"lastName",
];
async function search(filters) {
//begin by selecting all people
let baseQuery = `
SELECT p.*, pd.degreeYear, a.city, a.stateId, c.contactNumber
FROM people p
LEFT JOIN peopleDegree pd ON p.peopleId = pd.peopleId
LEFT JOIN peopleXAddress pa ON p.peopleId = pa.peopleId
LEFT JOIN address a ON pa.addressId = a.addressId
LEFT JOIN peopleContact c ON p.peopleId = c.peopleId
WHERE 1=1
`;
// add filters to the base query in order to keep refining the set of people returned
let queryValues = [];
for (const filter of filters) {
console.log("Filter: ", filter);
// extract field or value
let field = filter.field ? filter.field : null;
let value = filter.value ? filter.value : null;
// throw error if the field or value is missing
if (field == null || value == null) {
throw new Error(
`Missing field or value in filter: ${JSON.stringify(filter)}`
);
}
// make sure the search field is allowed
if (!allowedSearchFields.includes(field)) {
throw new Error(`Invalid field specified: ${field}`);
}
// Add condition and value to the query
baseQuery += ` AND ${field} = ?`;
queryValues.push(value);
}
try {
const [results] = await pool.query(baseQuery, queryValues);
return results;
} catch (error) {
console.log("Error in repository w/ base query");
throw error;
}
}
module.exports = {
addPerson,
searchPeopleByName,
deletePersonById,
updatePerson,
getPersonById,
search,
};
......@@ -260,7 +260,7 @@ peopleRouter.get("/fullInfo/:id", async (req, res) => {
peopleRouter.post("/search", async (req, res) => {
// filters is an array of { field, value } pairs
const filters = req.body.filters;
let filters = req.body.filters;
if (filters == null || !Array.isArray(filters) || filters.length == 0) {
res.status(400).json({ message: "Missing filters." });
......@@ -273,7 +273,7 @@ peopleRouter.post("/search", async (req, res) => {
res.status(200).json({ people: results });
} catch (error) {
console.log("Error in search route: ", error);
res.status(500).json({ message: "Internal service error." });
res.status(500).json({ message: `Internal service error: ${error}` });
}
});
......
......@@ -23,6 +23,7 @@ const {
deletePersonById,
updatePerson,
getPersonById,
search,
} = require("../repository/peopleRepository");
const {
addPeopleInvolvement,
......@@ -344,10 +345,15 @@ async function updateInvolvementsForPerson(personId, involevements) {
}
}
async function generalSearch(filters) {
return search(filters);
}
module.exports = {
createPerson,
findByName,
deleteById,
updatePersonById,
getPersonFullDetails,
generalSearch,
};
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment