mirror of
https://github.com/fosrl/pangolin.git
synced 2026-03-06 02:36:38 +00:00
Add actions check to all endpoints
This commit is contained in:
Owen Schwartz
@@ -5,6 +5,7 @@ import { orgs } from '@server/db/schema';
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from '@server/types/HttpCode';
|
||||
import createHttpError from 'http-errors';
|
||||
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
|
||||
|
||||
const createOrgSchema = z.object({
|
||||
name: z.string().min(1).max(255),
|
||||
@@ -25,7 +26,7 @@ export async function createOrg(req: Request, res: Response, next: NextFunction)
|
||||
);
|
||||
}
|
||||
|
||||
const userOrgIds = req.userOrgs;
|
||||
const userOrgIds = req.userOrgIds;
|
||||
if (userOrgIds && userOrgIds.length > MAX_ORGS) {
|
||||
return next(
|
||||
createHttpError(
|
||||
@@ -35,6 +36,12 @@ export async function createOrg(req: Request, res: Response, next: NextFunction)
|
||||
);
|
||||
}
|
||||
|
||||
// Check if the user has permission to list sites
|
||||
const hasPermission = await checkUserActionPermission(ActionsEnum.createOrg, req);
|
||||
if (!hasPermission) {
|
||||
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
|
||||
}
|
||||
|
||||
const { name, domain } = parsedBody.data;
|
||||
|
||||
const newOrg = await db.insert(orgs).values({
|
||||
|
||||
@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from '@server/types/HttpCode';
|
||||
import createHttpError from 'http-errors';
|
||||
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
|
||||
|
||||
const deleteOrgSchema = z.object({
|
||||
orgId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
@@ -25,6 +26,12 @@ export async function deleteOrg(req: Request, res: Response, next: NextFunction)
|
||||
|
||||
const { orgId } = parsedParams.data;
|
||||
|
||||
// Check if the user has permission to list sites
|
||||
const hasPermission = await checkUserActionPermission(ActionsEnum.deleteOrg, req);
|
||||
if (!hasPermission) {
|
||||
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
|
||||
}
|
||||
|
||||
const deletedOrg = await db.delete(orgs)
|
||||
.where(eq(orgs.orgId, orgId))
|
||||
.returning();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from '@server/types/HttpCode';
|
||||
import createHttpError from 'http-errors';
|
||||
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
|
||||
|
||||
const getOrgSchema = z.object({
|
||||
orgId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
@@ -25,6 +26,12 @@ export async function getOrg(req: Request, res: Response, next: NextFunction): P
|
||||
|
||||
const { orgId } = parsedParams.data;
|
||||
|
||||
// Check if the user has permission to list sites
|
||||
const hasPermission = await checkUserActionPermission(ActionsEnum.getOrg, req);
|
||||
if (!hasPermission) {
|
||||
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
|
||||
}
|
||||
|
||||
const org = await db.select()
|
||||
.from(orgs)
|
||||
.where(eq(orgs.orgId, orgId))
|
||||
|
||||
@@ -6,6 +6,7 @@ import response from "@server/utils/response";
|
||||
import HttpCode from '@server/types/HttpCode';
|
||||
import createHttpError from 'http-errors';
|
||||
import { sql, inArray } from 'drizzle-orm';
|
||||
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
|
||||
|
||||
const listOrgsSchema = z.object({
|
||||
limit: z.string().optional().transform(Number).pipe(z.number().int().positive().default(10)),
|
||||
@@ -26,8 +27,14 @@ export async function listOrgs(req: Request, res: Response, next: NextFunction):
|
||||
|
||||
const { limit, offset } = parsedQuery.data;
|
||||
|
||||
// Check if the user has permission to list sites
|
||||
const hasPermission = await checkUserActionPermission(ActionsEnum.listOrgs, req);
|
||||
if (!hasPermission) {
|
||||
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
|
||||
}
|
||||
|
||||
// Use the userOrgs passed from the middleware
|
||||
const userOrgIds = req.userOrgs;
|
||||
const userOrgIds = req.userOrgIds;
|
||||
|
||||
if (!userOrgIds || userOrgIds.length === 0) {
|
||||
return res.status(HttpCode.OK).send(
|
||||
|
||||
@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
|
||||
import response from "@server/utils/response";
|
||||
import HttpCode from '@server/types/HttpCode';
|
||||
import createHttpError from 'http-errors';
|
||||
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
|
||||
|
||||
const updateOrgParamsSchema = z.object({
|
||||
orgId: z.string().transform(Number).pipe(z.number().int().positive())
|
||||
@@ -43,6 +44,13 @@ export async function updateOrg(req: Request, res: Response, next: NextFunction)
|
||||
const { orgId } = parsedParams.data;
|
||||
const updateData = parsedBody.data;
|
||||
|
||||
|
||||
// Check if the user has permission to list sites
|
||||
const hasPermission = await checkUserActionPermission(ActionsEnum.updateOrg, req);
|
||||
if (!hasPermission) {
|
||||
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
|
||||
}
|
||||
|
||||
const updatedOrg = await db.update(orgs)
|
||||
.set(updateData)
|
||||
.where(eq(orgs.orgId, orgId))
|
||||
|
||||
Reference in New Issue
Block a user