add extra org policy checks to middlewares

2026-03-02 08:46:38 +00:00 · 2025-12-03 15:50:24 -05:00
parent 9be5a01173
commit 5afff3c662
18 changed files with 285 additions and 34 deletions
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,14 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
-import {
-    resources,
-    userOrgs,
-    userResources,
-    roleResources,
-} from "@server/db";
+import { resources, userOrgs, userResources, roleResources } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyResourceAccess(
    req: Request,
@@ -73,6 +69,24 @@ export async function verifyResourceAccess(
            );
        }

+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
        const userOrgRoleId = req.userOrg.roleId;
        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = resource[0].orgId;