Update to verify middleware & lists agenst new permissions tables

2026-03-06 02:36:38 +00:00 · 2024-10-06 16:19:04 -04:00
parent 0838679120
commit 20db6d450c
12 changed files with 275 additions and 128 deletions
--- a/server/routers/auth/getUserOrgs.ts
+++ b/server/routers/auth/getUserOrgs.ts
@@ -21,7 +21,7 @@ export async function getUserOrgs(req: Request, res: Response, next: NextFunctio
      .where(eq(userOrgs.userId, userId));

    req.userOrgs = userOrganizations.map(org => org.orgId);
-    // req.userOrgRoles = userOrganizations.reduce((acc, org) => {
+    // req.userOrgRoleIds = userOrganizations.reduce((acc, org) => {
    //   acc[org.orgId] = org.role;
    //   return acc;
    // }, {} as Record<number, string>);
--- a/server/routers/auth/verifyOrgAccess.ts
+++ b/server/routers/auth/verifyOrgAccess.ts
@@ -26,7 +26,8 @@ export function verifyOrgAccess(req: Request, res: Response, next: NextFunction)
        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
      } else {
        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRole = result[0].role;
+        req.userOrgRoleId = result[0].roleId;
+        req.userOrgId = orgId;
        next();
      }
    })
--- a/server/routers/auth/verifyResourceAccess.ts
+++ b/server/routers/auth/verifyResourceAccess.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { db } from '@server/db';
-import { resources, userOrgs } from '@server/db/schema';
+import { resources, userOrgs, userResources, roleResources } from '@server/db/schema';
 import { and, eq } from 'drizzle-orm';
 import createHttpError from 'http-errors';
 import HttpCode from '@server/types/HttpCode';
@@ -13,42 +13,66 @@ export async function verifyResourceAccess(req: Request, res: Response, next: Ne
    return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
  }

-  const resource = await db.select()
-    .from(resources)
-    .where(eq(resources.resourceId, resourceId))
-    .limit(1);
+  try {
+    // Get the resource
+    const resource = await db.select()
+      .from(resources)
+      .where(eq(resources.resourceId, resourceId))
+      .limit(1);

-  if (resource.length === 0) {
-    return next(
-      createHttpError(
-        HttpCode.NOT_FOUND,
-        `resource with ID ${resourceId} not found`
+    if (resource.length === 0) {
+      return next(createHttpError(HttpCode.NOT_FOUND, `Resource with ID ${resourceId} not found`));
+    }
+
+    if (!resource[0].orgId) {
+      return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, `Resource with ID ${resourceId} does not have an organization ID`));
+    }
+
+    // Get user's role ID in the organization
+    const userOrgRole = await db.select()
+      .from(userOrgs)
+      .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
+      .limit(1);
+
+    if (userOrgRole.length === 0) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+    }
+
+    const userOrgRoleId = userOrgRole[0].roleId;
+    req.userOrgRoleId = userOrgRoleId;
+    req.userOrgId = resource[0].orgId;
+
+    // Check role-based resource access first
+    const roleResourceAccess = await db.select()
+      .from(roleResources)
+      .where(
+        and(
+          eq(roleResources.resourceId, resourceId),
+          eq(roleResources.roleId, userOrgRoleId)
+        )
      )
-    );
-  }
+      .limit(1);

-  if (!resource[0].orgId) {
-    return next(
-      createHttpError(
-        HttpCode.INTERNAL_SERVER_ERROR,
-        `resource with ID ${resourceId} does not have an organization ID`
-      )
-    );
-  }
+    if (roleResourceAccess.length > 0) {
+      // User's role has access to the resource
+      return next();
+    }

-  db.select()
-    .from(userOrgs)
-    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
-    .then((result) => {
-      if (result.length === 0) {
-        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
-      } else {
-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRole = result[0].role;
-        next();
-      }
-    })
-    .catch((error) => {
-      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
-    });
+    // If role doesn't have access, check user-specific resource access
+    const userResourceAccess = await db.select()
+      .from(userResources)
+      .where(and(eq(userResources.userId, userId), eq(userResources.resourceId, resourceId)))
+      .limit(1);
+
+    if (userResourceAccess.length > 0) {
+      // User has direct access to the resource
+      return next();
+    }
+
+    // If we reach here, the user doesn't have access to the resource
+    return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this resource'));
+
+  } catch (error) {
+    return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying resource access'));
+  }
 }
--- a/server/routers/auth/verifySiteAccess.ts
+++ b/server/routers/auth/verifySiteAccess.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from 'express';
 import { db } from '@server/db';
-import { sites, userOrgs } from '@server/db/schema';
-import { and, eq } from 'drizzle-orm';
+import { sites, userOrgs, userSites, roleSites, roles } from '@server/db/schema';
+import { and, eq, or } from 'drizzle-orm';
 import createHttpError from 'http-errors';
 import HttpCode from '@server/types/HttpCode';

@@ -14,45 +14,66 @@ export async function verifySiteAccess(req: Request, res: Response, next: NextFu
  }

  if (isNaN(siteId)) {
-    return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid organization ID'));
+    return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid site ID'));
  }

-  const site = await db.select()
-    .from(sites)
-    .where(eq(sites.siteId, siteId))
-    .limit(1);
+  try {
+    // Get the site
+    const site = await db.select().from(sites).where(eq(sites.siteId, siteId)).limit(1);

-  if (site.length === 0) {
-    return next(
-      createHttpError(
-        HttpCode.NOT_FOUND,
-        `Site with ID ${siteId} not found`
+    if (site.length === 0) {
+      return next(createHttpError(HttpCode.NOT_FOUND, `Site with ID ${siteId} not found`));
+    }
+
+    if (!site[0].orgId) {
+      return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, `Site with ID ${siteId} does not have an organization ID`));
+    }
+
+    // Get user's role ID in the organization
+    const userOrgRole = await db.select()
+      .from(userOrgs)
+      .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, site[0].orgId)))
+      .limit(1);
+
+    if (userOrgRole.length === 0) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
+    }
+
+    const userOrgRoleId = userOrgRole[0].roleId;
+    req.userOrgRoleId = userOrgRoleId;
+    req.userOrgId = site[0].orgId;
+
+    // Check role-based site access first
+    const roleSiteAccess = await db.select()
+      .from(roleSites)
+      .where(
+        and(
+          eq(roleSites.siteId, siteId),
+          eq(roleSites.roleId, userOrgRoleId)
+        )
      )
-    );
-  }
+      .limit(1);

-  if (!site[0].orgId) {
-    return next(
-      createHttpError(
-        HttpCode.INTERNAL_SERVER_ERROR,
-        `Site with ID ${siteId} does not have an organization ID`
-      )
-    );
-  }
+    if (roleSiteAccess.length > 0) {
+      // User's role has access to the site
+      return next();
+    }

-  db.select()
-    .from(userOrgs)
-    .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, site[0].orgId)))
-    .then((result) => {
-      if (result.length === 0) {
-        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
-      } else {
-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRole = result[0].role;
-        next();
-      }
-    })
-    .catch((error) => {
-      next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
-    });
+    // If role doesn't have access, check user-specific site access
+    const userSiteAccess = await db.select()
+      .from(userSites)
+      .where(and(eq(userSites.userId, userId), eq(userSites.siteId, siteId)))
+      .limit(1);
+
+    if (userSiteAccess.length > 0) {
+      // User has direct access to the site
+      return next();
+    }
+
+    // If we reach here, the user doesn't have access to the site
+    return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this site'));
+
+  } catch (error) {
+    return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying site access'));
+  }
 }
--- a/server/routers/auth/verifyTargetAccess.ts
+++ b/server/routers/auth/verifyTargetAccess.ts
@@ -73,7 +73,8 @@ export async function verifyTargetAccess(req: Request, res: Response, next: Next
        next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
      } else {
        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRole = result[0].role;
+        req.userOrgRoleId = result[0].roleId;
+        req.userOrgId = resource[0].orgId!;
        next();
      }
    })