From 4a64e016935736f0a60fec6b56b44e57053e402b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Y=C3=BBki=20Vachot?=
Date: Sat, 11 Dec 2021 11:00:39 +0100
Subject: [PATCH] Update: findAll can only be retrieve by a Advertiser or above
---
 app-backend/controllers/ad.controller.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app-backend/controllers/ad.controller.js b/app-backend/controllers/ad.controller.js
index 273415a..3571b1f 100644
--- a/app-backend/controllers/ad.controller.js
+++ b/app-backend/controllers/ad.controller.js
@@ -48,7 +48,7 @@ exports.create = (req, res) => {
 // Retrieve all Ad from id if admin or session id
 exports.findAll = (req, res) => {
- const token = checkLogin(req, res);
+ const token = checkLogin(req, res, roles.Advertiser);
 if(token){
 let query = {};
 let condition;
@@ -229,7 +229,7 @@ exports.delete = (req, res) => {
 if(token && typeof req.params.id !== 'undefined') {
 const id = req.params.id;
 if(id && ObjectId.isValid(id)){
- Ad.findByIdAndUpdate(id, {isActive: false}, {useFindAndModify: false})
+ Ad.updateOne({_id: id, userId: token.id}, {isActive: false}, {useFindAndModify: false})
 .then(data => {
 if(data) {
 return sendMessage(res, 45, {message: `Ad ${id} was successfully deleted.`}, token);
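Review bot: The comment above `exports.findAll` still reads "if admin or session id" and says nothing about the role gate added on the `checkLogin` line, so the access rule is documented only by the call itself. Whether `roles.Advertiser` is treated as a minimum level ("or above", as the subject says) or as an exact match depends on `checkLogin`, which is not visible here; that should be confirmed, along with `roles` being in scope in this file. I would update the comment to something like `// Retrieve Ads; requires Advertiser role or above (admin: all ads, otherwise: own session id)`. The body of `findAll` continues outside the hunk.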
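Review bot: The `if(data)` check after the new `Ad.updateOne(...)` call no longer detects a missing ad: `updateOne` resolves to a write-result object, which is truthy even when the `{_id: id, userId: token.id}` filter matched nothing, so a request for another user's ad or a non-existent id would still get the "successfully deleted" message. Test the matched count instead, e.g. `if(data && data.n > 0) {` on Mongoose 5 (`data.matchedCount` on 6+). The `useFindAndModify` option only affects the findOneAndUpdate family and can be dropped from this call. The owner filter also applies to every role, so if admins are meant to deactivate any ad that case needs its own branch; the rest of `exports.delete` is outside the hunk.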