verifying if user is admin when adding member

server/db/db.js

@@ -1033,4 +1033,5 @@ module.exports = {
   getMembers,
   removeUserFromGroupById,
   isConversationMember,
+  isAdmin,
 };

server/server.js

@@ -42,6 +42,8 @@ const {
   deleteMessage,
   getMembers,
   insertContactByUsername,
+  isConversationMember,
+  isAdmin,
 } = require("./db/db");
 const { extname } = require("node:path");
 
@@ -368,15 +370,22 @@ app.post("/api/chat/groups/create", authorizeUser, async (req, res) => {
   });
 });
 
-app.post("/api/chat/groups/addMember", async (req, res) => {
+app.post("/api/chat/groups/addMember", authorizeUser, async (req, res) => {
   const username = req.body.username;
   const group_id = req.body.group_id;
+  const user_id = req.user.user_id;
   if (!username) {
     return res.status(400).json({ message: "Username not provided" });
   }
   if (!group_id) {
     return res.status(400).json({ message: "group_id not provided" });
   }
+
+  const isUserAdmin = await isAdmin(user_id, group_id);
+  if (!isUserAdmin) {
+    return res.status(401).json({ message: "You are not group administrator" });
+  }
+
   const result = await addMemberToGroupByUsername(group_id, username);
   if (result !== null) {
     io.to(result).to(group_id).emit("added to group", {
@@ -417,6 +426,17 @@ app.get(
     if (!conversation_id) {
       return res.status(400).json({ message: "No conversation_id provided" });
     }
+
+    const isMember = await isConversationMember(
+      req.user.user_id,
+      conversation_id,
+    );
+    if (!isMember) {
+      return res
+        .status(401)
+        .json({ message: "You are not member of this conversation" });
+    }
+
     const participants = await getMembers(conversation_id);
     console.log(
       `getMemers for conversation: ${conversation_id}, participants: ${participants} `,