feat: restrict cv

app/api/uploads/[...path]/route.ts

@@ -1,11 +1,54 @@
 import { auth } from "@/auth"
+import prisma from "@/lib/db"
 import { validateFilePath } from "@/lib/files/saveFile"
 
 import fs from "fs/promises"
 import mime from "mime-types"
+import { Session } from "next-auth"
 import { NextRequest } from "next/server"
 import path from "path"
 
+/**
+ * @param session The user's session
+ * @param suffix The suffix of the file path
+ * @returns A response if the user is unauthorised to view the requested CV, or "authorised" if they are authorised
+ */
+const checkAuthorisedForCV = async (session: Session, suffix: string): Promise<Response | "authorised"> => {
+  // Only check for CVs
+  if (suffix.split("/")[0] !== "cvs") {
+    return "authorised"
+  }
+
+  // Only companies and admins can view any CV
+  if (session.user.role === "COMPANY" || session.user.role === "ADMIN") {
+    return "authorised"
+  }
+
+  // Students can only view their own CV
+  if (session.user.role === "STUDENT") {
+    const studentProfile = await prisma.studentProfile.findUnique({
+      select: {
+        cv: true,
+      },
+      where: {
+        userId: session.user.id,
+      },
+    })
+
+    if (!studentProfile) {
+      return new Response("Student profile not found", { status: 404 })
+    }
+
+    if (suffix !== "/" + studentProfile.cv) {
+      return new Response("Unauthorised to view this CV", { status: 403 })
+    }
+
+    return "authorised"
+  }
+
+  return new Response("Unexpected error", { status: 500 })
+}
+
 /**
  * Upon request: return the file provided at the path in the volume
  * @example GET /api/uploads/banner/myCompanyBanner.png
@@ -29,6 +72,12 @@ export const GET = async (req: NextRequest) => {
     return new Response("Invalid path", { status: 400 })
   }
 
+  const res = await checkAuthorisedForCV(session, suffix)
+
+  if (res !== "authorised") {
+    return res
+  }
+
   const filePath = path.join(process.env.UPLOAD_DIR, suffix)
 
   try {

app/auth/login/page.tsx

@@ -1,12 +1,12 @@
 import { auth, signIn } from "@/auth"
 import Link from "@/components/Link"
+import ThemedLogo from "@/components/ThemedLogo"
 
 import styles from "./page.module.scss"
 
 import { Button, Flex, Separator, Text } from "@radix-ui/themes"
 import { Heading } from "@react-email/components"
 import { AuthError } from "next-auth"
-import Image from "next/image"
 import { redirect } from "next/navigation"
 import React from "react"
 
@@ -36,7 +36,7 @@ const LoginPage = async () => {
   return (
     <Flex gap="6" direction="column">
       <Flex className={styles.logosContainer}>
-        <Image src="/images/imperial-logo-blue.svg" alt="imperial logo in blue" width={0} height={0} />
+        <ThemedLogo />
       </Flex>
       <Flex pl="9" pr="9" direction="column" gap="5">
         <Flex direction="column" justify="center" align="center">

app/auth/login/partner/page.tsx

@@ -63,7 +63,7 @@ const LoginPage = () => {
         </TextField.Root>
 
         <Button size="3" style={{ width: "100%" }}>
-          {isPending ? <Spinner /> : "Sign In With Magic Link"}
+          {isPending ? <Spinner /> : "Sign in with magic link"}
         </Button>
       </form>
     </Flex>

app/students/[shortcode]/page.tsx

@@ -94,12 +94,20 @@ const StudentProfilePage = async ({ params }: { params: { shortcode: string } })
             )}
 
             {studentProfile.cv && (
-              <Flex align="center" gap="2" asChild>
-                <Link href={`/api/uploads/${studentProfile.cv}`} target="_blank" underline="none">
-                  <BsFileEarmarkText title="download cv" color="black" />
-                  <Text>{studentProfile.user.name?.split(",").reverse()[0].trim()}&apos;s CV</Text>
-                </Link>
-              </Flex>
+              <RestrictedArea
+                showMessage={false}
+                allowedRoles={["COMPANY", "STUDENT"]}
+                additionalCheck={async session =>
+                  session.user.role === "COMPANY" || session.user.id === studentProfile.userId
+                }
+              >
+                <Flex align="center" gap="2" asChild>
+                  <Link href={`/api/uploads/${studentProfile.cv}`} target="_blank" underline="none">
+                    <BsFileEarmarkText title="download cv" color="var(--gray-12)" />
+                    <Text>{studentProfile.user.name?.split(",").reverse()[0].trim()}&apos;s CV</Text>
+                  </Link>
+                </Flex>
+              </RestrictedArea>
             )}
             <Flex align="center" gap="2">
               <BsEnvelope />

components/ThemedLogo.tsx

@@ -0,0 +1,19 @@
+"use client"
+
+import { useTheme } from "next-themes"
+import Image from "next/image"
+
+const ThemedLogo = () => {
+  const { resolvedTheme } = useTheme()
+  let src
+
+  if (resolvedTheme === "dark") {
+    src = "/images/imperial-logo.svg"
+  } else {
+    src = "/images/imperial-logo-blue.svg"
+  }
+
+  return <Image src={src} alt="imperial logo" width={0} height={0} />
+}
+
+export default ThemedLogo