add extra org policy checks to middlewares

2026-02-27 15:26:41 +00:00 · 2025-12-03 15:50:24 -05:00
parent 9be5a01173
commit 5afff3c662
18 changed files with 285 additions and 34 deletions
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -4,6 +4,7 @@ import { userOrgs, clients, roleClients, userClients } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyClientAccess(
    req: Request,
@@ -75,6 +76,24 @@ export async function verifyClientAccess(
            );
        }

+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
        const userOrgRoleId = req.userOrg.roleId;
        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = client.orgId;