add basic org policy check in middleware

2026-02-24 13:56:39 +00:00 · 2025-10-23 18:15:00 -07:00
parent 5a7b5d65a4
commit ddcf77a62d
6 changed files with 151 additions and 11 deletions
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,9 +1,10 @@
 import { Request, Response, NextFunction } from "express";
-import { db } from "@server/db";
+import { db, orgs } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyOrgAccess(
    req: Request,
@@ -43,12 +44,27 @@ export async function verifyOrgAccess(
                    "User does not have access to this organization"
                )
            );
-        } else {
-            // User has access, attach the user's role to the request for potential future use
-            req.userOrgRoleId = req.userOrg.roleId;
-            req.userOrgId = orgId;
-            return next();
        }
+
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId,
+            userId
+        });
+
+        if (!policyCheck.success || policyCheck.error) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Failed organization access policy check: " +
+                        (policyCheck.error || "Unknown error")
+                )
+            );
+        }
+
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgId = orgId;
+        return next();
    } catch (e) {
        return next(
            createHttpError(