Support multiple roles

server/middlewares/verifyResourcePolicyAccess.ts

@@ -5,6 +5,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourcePolicyAccess(
     req: Request,
@@ -16,10 +17,8 @@ export async function verifyResourcePolicyAccess(
         req.params?.resourcePolicyId ||
         req.body?.resourcePolicyId ||
         req.query?.resourcePolicyId;
-    const niceId =
-        req.params?.niceId || req.body?.niceId || req.query?.niceId;
-    const orgId =
-        req.params?.orgId || req.body?.orgId || req.query?.orgId;
+    const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
+    const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
 
     try {
         if (!userId) {
@@ -110,7 +109,10 @@ export async function verifyResourcePolicyAccess(
             }
         }
 
-        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId!
+        );
         req.userOrgId = policy.orgId;
 
         return next();

server/private/routers/policy/createResourcePolicy.ts

@@ -143,7 +143,7 @@ export async function createResourcePolicy(
         }
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && req.userOrgRoleIds?.length === 0) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -304,7 +304,10 @@ export async function createResourcePolicy(
 
             const usersToAdd: InferInsertModel<typeof userPolicies>[] = [];
 
-            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+            if (
+                req.user &&
+                !req.userOrgRoleIds?.includes(adminRole[0].roleId)
+            ) {
                 // make sure the user can access the policy
                 usersToAdd.push({
                     userId: req.user?.userId!,

server/private/routers/policy/listResourcePolicies.ts

@@ -145,7 +145,7 @@ export async function listResourcePolicies(
                 .where(
                     or(
                         eq(userPolicies.userId, req.user!.userId),
-                        eq(rolePolicies.roleId, req.userOrgRoleId!)
+                        inArray(rolePolicies.roleId, req.userOrgRoleIds || [])
                     )
                 );
         } else {

server/routers/policy/updateResourcePolicy.ts

@@ -54,7 +54,7 @@ export async function updateResourcePolicy(
             );
         }
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && req.userOrgRoleIds?.length === 0) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/routers/resource/createResource.ts

@@ -353,7 +353,7 @@ async function createHttpResource(
         });
 
         // make this policy visible by the current user
-        if (req.user && req.userOrgRoleId !== adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             await trx.insert(userPolicies).values({
                 userId: req.user?.userId!,
                 resourcePolicyId: defaultPolicy.resourcePolicyId
@@ -479,7 +479,7 @@ async function createRawResource(
         });
 
         // make this policy visible by the current user
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             await trx.insert(userPolicies).values({
                 userId: req.user?.userId!,
                 resourcePolicyId: defaultPolicy.resourcePolicyId