Add actions check to all endpoints

server/routers/resource/createResource.ts

@@ -5,6 +5,7 @@ import { resources } from '@server/db/schema';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const createResourceParamsSchema = z.object({
   siteId: z.number().int().positive(),
@@ -45,6 +46,12 @@ export async function createResource(req: Request, res: Response, next: NextFunc
 
     const { siteId, orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Generate a unique resourceId
     const resourceId = "subdomain" // TODO: create the subdomain here
 

server/routers/resource/deleteResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const deleteResourceSchema = z.object({
@@ -27,6 +28,12 @@ export async function deleteResource(req: Request, res: Response, next: NextFunc
 
     const { resourceId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Delete the resource from the database
     const deletedResource = await db.delete(resources)
       .where(eq(resources.resourceId, resourceId))

server/routers/resource/getResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const getResourceSchema = z.object({
@@ -27,6 +28,12 @@ export async function getResource(req: Request, res: Response, next: NextFunctio
 
     const { resourceId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.getResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Fetch the resource from the database
     const resource = await db.select()
       .from(resources)

server/routers/resource/listResources.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, eq, and, or, inArray } from 'drizzle-orm';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listResourcesParamsSchema = z.object({
     siteId: z.coerce.number().int().positive().optional(),
@@ -26,13 +27,6 @@ interface RequestWithOrgAndRole extends Request {
 
 export async function listResources(req: RequestWithOrgAndRole, res: Response, next: NextFunction): Promise<any> {
   try {
-    // Check if the user has permission to list resources
-    // const LIST_RESOURCES_ACTION_ID = 3; // Assume 3 is the action ID for listing resources
-    // const hasPermission = await checkUserActionPermission(LIST_RESOURCES_ACTION_ID, req);
-    // if (!hasPermission) {
-    //   return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list resources'));
-    // }
-
     const parsedQuery = listResourcesSchema.safeParse(req.query);
     if (!parsedQuery.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));
@@ -45,6 +39,12 @@ export async function listResources(req: RequestWithOrgAndRole, res: Response, n
     }
     const { siteId, orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+    
     if (orgId && orgId !== req.orgId) {
       return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
     }

server/routers/resource/updateResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const updateResourceParamsSchema = z.object({
@@ -47,6 +48,12 @@ export async function updateResource(req: Request, res: Response, next: NextFunc
     const { resourceId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Update the resource in the database
     const updatedResource = await db.update(resources)
       .set(updateData)