Add role aware updates & endpoints

2026-03-05 18:26:40 +00:00 · 2024-10-12 21:36:14 -04:00
parent 41cbde1474
commit 364b2c26c3
49 changed files with 1587 additions and 79 deletions
--- a/server/routers/resource/createResource.ts
+++ b/server/routers/resource/createResource.ts
@@ -1,12 +1,13 @@
 import { Request, Response, NextFunction } from 'express';
 import { z } from 'zod';
 import { db } from '@server/db';
-import { resources } from '@server/db/schema';
+import { resources, roleResources, roles, userResources } from '@server/db/schema';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 import logger from '@server/logger';
+import { eq, and } from 'drizzle-orm';

 const createResourceParamsSchema = z.object({
    siteId: z.number().int().positive(),
@@ -50,7 +51,11 @@ export async function createResource(req: Request, res: Response, next: NextFunc
        // Check if the user has permission to list sites
        const hasPermission = await checkUserActionPermission(ActionsEnum.createResource, req);
        if (!hasPermission) {
-            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
+        }
+
+        if (!req.userOrgRoleId) {
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have a role'));
        }

        // Generate a unique resourceId
@@ -65,6 +70,36 @@ export async function createResource(req: Request, res: Response, next: NextFunc
            subdomain,
        }).returning();

+
+
+        // find the superuser roleId and also add the resource to the superuser role
+        const superuserRole = await db.select()
+            .from(roles)
+            .where(and(eq(roles.isSuperuserRole, true), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (superuserRole.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Superuser role not found`
+                )
+            );
+        }
+
+        await db.insert(roleResources).values({
+            roleId: superuserRole[0].roleId,
+            resourceId: newResource[0].resourceId,
+        });
+
+        if (req.userOrgRoleId != superuserRole[0].roleId) {
+            // make sure the user can access the resource
+            await db.insert(userResources).values({
+                userId: req.user?.id!,
+                resourceId: newResource[0].resourceId,
+            });
+        }
+
        response(res, {
            data: newResource[0],
            success: true,
--- a/server/routers/resource/deleteResource.ts
+++ b/server/routers/resource/deleteResource.ts
@@ -32,7 +32,7 @@ export async function deleteResource(req: Request, res: Response, next: NextFunc
        // Check if the user has permission to list sites
        const hasPermission = await checkUserActionPermission(ActionsEnum.deleteResource, req);
        if (!hasPermission) {
-            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
        }

        // Delete the resource from the database
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -32,7 +32,7 @@ export async function getResource(req: Request, res: Response, next: NextFunctio
        // Check if the user has permission to list sites
        const hasPermission = await checkUserActionPermission(ActionsEnum.getResource, req);
        if (!hasPermission) {
-            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
        }

        // Fetch the resource from the database
--- a/server/routers/resource/index.ts
+++ b/server/routers/resource/index.ts
@@ -2,4 +2,5 @@ export * from "./getResource";
 export * from "./createResource";
 export * from "./deleteResource";
 export * from "./updateResource";
-export * from "./listResources";
+export * from "./listResources";
+export * from "./listResourceRoles";
--- a/server/routers/resource/listResourceRoles.ts
+++ b/server/routers/resource/listResourceRoles.ts
@@ -0,0 +1,58 @@
+import { Request, Response, NextFunction } from 'express';
+import { z } from 'zod';
+import { db } from '@server/db';
+import { roleResources, roles } from '@server/db/schema';
+import { eq } from 'drizzle-orm';
+import response from "@server/utils/response";
+import HttpCode from '@server/types/HttpCode';
+import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
+import logger from '@server/logger';
+
+const listResourceRolesSchema = z.object({
+    resourceId: z.string(),
+});
+
+export async function listResourceRoles(req: Request, res: Response, next: NextFunction): Promise<any> {
+    try {
+        const parsedParams = listResourceRolesSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    parsedParams.error.errors.map(e => e.message).join(', ')
+                )
+            );
+        }
+
+        const { resourceId } = parsedParams.data;
+
+        // Check if the user has permission to list resource roles
+        const hasPermission = await checkUserActionPermission(ActionsEnum.listResourceRoles, req);
+        if (!hasPermission) {
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
+        }
+
+        const resourceRolesList = await db
+            .select({
+                roleId: roles.roleId,
+                name: roles.name,
+                description: roles.description,
+                isSuperuserRole: roles.isSuperuserRole,
+            })
+            .from(roleResources)
+            .innerJoin(roles, eq(roleResources.roleId, roles.roleId))
+            .where(eq(roleResources.resourceId, resourceId));
+
+        return response(res, {
+            data: resourceRolesList,
+            success: true,
+            error: false,
+            message: "Resource roles retrieved successfully",
+            status: HttpCode.OK,
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred..."));
+    }
+}
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -43,7 +43,7 @@ export async function listResources(req: RequestWithOrgAndRole, res: Response, n
        // Check if the user has permission to list sites
        const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req);
        if (!hasPermission) {
-            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
        }

        if (orgId && orgId !== req.orgId) {
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -52,7 +52,7 @@ export async function updateResource(req: Request, res: Response, next: NextFunc
        // Check if the user has permission to list sites
        const hasPermission = await checkUserActionPermission(ActionsEnum.updateResource, req);
        if (!hasPermission) {
-            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+            return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to perform this action'));
        }

        // Update the resource in the database