add extra org policy checks to middlewares

2026-02-23 05:16:38 +00:00 · 2025-12-03 15:50:24 -05:00
parent 9be5a01173
commit 5afff3c662
18 changed files with 285 additions and 34 deletions
--- a/server/middlewares/verifySetResourceUsers.ts
+++ b/server/middlewares/verifySetResourceUsers.ts
@@ -4,6 +4,7 @@ import { userOrgs } from "@server/db";
 import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifySetResourceUsers(
    req: Request,
@@ -28,6 +29,24 @@ export async function verifySetResourceUsers(
        );
    }

+    if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId: req.userOrg.orgId,
+            userId,
+            session: req.session
+        });
+        req.orgPolicyAllowed = policyCheck.allowed;
+        if (!policyCheck.allowed || policyCheck.error) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Failed organization access policy check: " +
+                        (policyCheck.error || "Unknown error")
+                )
+            );
+        }
+    }
+
    if (!userIds) {
        return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid user IDs"));
    }