more user role stuff

2026-02-27 07:16:40 +00:00 · 2024-11-09 23:59:19 -05:00
parent bb17d30c9e
commit 231e1d2e2d
32 changed files with 897 additions and 138 deletions
--- a/server/routers/auth/verifyRoleAccess.ts
+++ b/server/routers/auth/verifyRoleAccess.ts
@@ -15,7 +15,6 @@ export async function verifyRoleAccess(
    const roleId = parseInt(
        req.params.roleId || req.body.roleId || req.query.roleId
    );
-    let userOrg = req.userOrg;

    if (!userId) {
        return next(
@@ -43,7 +42,7 @@ export async function verifyRoleAccess(
            );
        }

-        if (!userOrg) {
+        if (!req.userOrg) {
            const userOrgRole = await db
                .select()
                .from(userOrgs)
@@ -54,10 +53,10 @@ export async function verifyRoleAccess(
                    )
                )
                .limit(1);
-            userOrg = userOrgRole[0];
+            req.userOrg = userOrgRole[0];
        }

-        if (!userOrg) {
+        if (!req.userOrg) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -66,8 +65,17 @@ export async function verifyRoleAccess(
            );
        }

-        req.userOrgRoleId = userOrg.roleId;
-        req.userOrgId = userOrg.orgId;
+        if (req.userOrg.orgId !== role[0].orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Role does not belong to the organization"
+                )
+            );
+        }
+
+        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgId = req.userOrg.orgId;

        return next();
    } catch (error) {