diff --git a/server/auth/actions.ts b/server/auth/actions.ts index 8fa8f441..01008722 100644 --- a/server/auth/actions.ts +++ b/server/auth/actions.ts @@ -1,10 +1,42 @@ import { Request } from 'express'; import { db } from '@server/db'; import { userActions, roleActions, userOrgs } from '@server/db/schema'; -import { and, eq, or } from 'drizzle-orm'; +import { and, eq } from 'drizzle-orm'; import createHttpError from 'http-errors'; import HttpCode from '@server/types/HttpCode'; +export const ActionsEnum = { + + createOrg: 1, + deleteOrg: 2, + getOrg: 3, + listOrgs: 4, + updateOrg: 5, + + createSite: 6, + deleteSite: 7, + getSite: 8, + listSites: 9, + updateSite: 10, + + createResource: 11, + deleteResource: 12, + getResource: 13, + listResources: 14, + updateResource: 15, + + createTarget: 16, + deleteTarget: 17, + getTarget: 18, + listTargets: 19, + updateTarget: 20, + + getUser: 21, + deleteUser: 22, + listUsers: 23 + +} + export async function checkUserActionPermission(actionId: number, req: Request): Promise { const userId = req.user?.id; @@ -12,11 +44,37 @@ export async function checkUserActionPermission(actionId: number, req: Request): throw createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'); } + if (!req.userOrgId) { + throw createHttpError(HttpCode.BAD_REQUEST, 'Organization ID is required'); + } + try { - // Check if the user has direct permission for the action + let userOrgRoleId = req.userOrgRoleId; + + // If userOrgRoleId is not available on the request, fetch it + if (userOrgRoleId === undefined) { + const userOrgRole = await db.select() + .from(userOrgs) + .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, req.userOrgId))) + .limit(1); + + if (userOrgRole.length === 0) { + throw createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'); + } + + userOrgRoleId = userOrgRole[0].roleId; + } + + // Check if the user has direct permission for the action in the current org const userActionPermission = await db.select() .from(userActions) - .where(and(eq(userActions.userId, userId), eq(userActions.actionId, actionId))) + .where( + and( + eq(userActions.userId, userId), + eq(userActions.actionId, actionId), + eq(userActions.orgId, req.userOrgId) + ) + ) .limit(1); if (userActionPermission.length > 0) { @@ -24,22 +82,13 @@ export async function checkUserActionPermission(actionId: number, req: Request): } // If no direct permission, check role-based permission - const userOrgRoles = await db.select() - .from(userOrgs) - .where(eq(userOrgs.userId, userId)); - - if (userOrgRoles.length === 0) { - return false; // User doesn't belong to any organization - } - - const roleIds = userOrgRoles.map(role => role.roleId); - const roleActionPermission = await db.select() .from(roleActions) .where( and( eq(roleActions.actionId, actionId), - or(...roleIds.map(roleId => eq(roleActions.roleId, roleId))) + eq(roleActions.roleId, userOrgRoleId), + eq(roleActions.orgId, req.userOrgId) ) ) .limit(1); diff --git a/server/index.ts b/server/index.ts index d5169bda..30ca673c 100644 --- a/server/index.ts +++ b/server/index.ts @@ -84,6 +84,7 @@ declare global { user?: User; userOrgRoleId?: number; userOrgId?: number; + userOrgIds?: number[]; } } } diff --git a/server/routers/org/createOrg.ts b/server/routers/org/createOrg.ts index f681ce42..5b22d284 100644 --- a/server/routers/org/createOrg.ts +++ b/server/routers/org/createOrg.ts @@ -5,6 +5,7 @@ import { orgs } from '@server/db/schema'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const createOrgSchema = z.object({ name: z.string().min(1).max(255), @@ -25,7 +26,7 @@ export async function createOrg(req: Request, res: Response, next: NextFunction) ); } - const userOrgIds = req.userOrgs; + const userOrgIds = req.userOrgIds; if (userOrgIds && userOrgIds.length > MAX_ORGS) { return next( createHttpError( @@ -35,6 +36,12 @@ export async function createOrg(req: Request, res: Response, next: NextFunction) ); } + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.createOrg, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const { name, domain } = parsedBody.data; const newOrg = await db.insert(orgs).values({ diff --git a/server/routers/org/deleteOrg.ts b/server/routers/org/deleteOrg.ts index e4aaa819..59287e6a 100644 --- a/server/routers/org/deleteOrg.ts +++ b/server/routers/org/deleteOrg.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const deleteOrgSchema = z.object({ orgId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -25,6 +26,12 @@ export async function deleteOrg(req: Request, res: Response, next: NextFunction) const { orgId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.deleteOrg, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const deletedOrg = await db.delete(orgs) .where(eq(orgs.orgId, orgId)) .returning(); diff --git a/server/routers/org/getOrg.ts b/server/routers/org/getOrg.ts index 95d3f7d2..179190d8 100644 --- a/server/routers/org/getOrg.ts +++ b/server/routers/org/getOrg.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const getOrgSchema = z.object({ orgId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -25,6 +26,12 @@ export async function getOrg(req: Request, res: Response, next: NextFunction): P const { orgId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.getOrg, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const org = await db.select() .from(orgs) .where(eq(orgs.orgId, orgId)) diff --git a/server/routers/org/listOrgs.ts b/server/routers/org/listOrgs.ts index 37617a7d..8cd0131b 100644 --- a/server/routers/org/listOrgs.ts +++ b/server/routers/org/listOrgs.ts @@ -6,6 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import { sql, inArray } from 'drizzle-orm'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const listOrgsSchema = z.object({ limit: z.string().optional().transform(Number).pipe(z.number().int().positive().default(10)), @@ -26,8 +27,14 @@ export async function listOrgs(req: Request, res: Response, next: NextFunction): const { limit, offset } = parsedQuery.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.listOrgs, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Use the userOrgs passed from the middleware - const userOrgIds = req.userOrgs; + const userOrgIds = req.userOrgIds; if (!userOrgIds || userOrgIds.length === 0) { return res.status(HttpCode.OK).send( diff --git a/server/routers/org/updateOrg.ts b/server/routers/org/updateOrg.ts index cfd8bdac..d21b79bf 100644 --- a/server/routers/org/updateOrg.ts +++ b/server/routers/org/updateOrg.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const updateOrgParamsSchema = z.object({ orgId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -43,6 +44,13 @@ export async function updateOrg(req: Request, res: Response, next: NextFunction) const { orgId } = parsedParams.data; const updateData = parsedBody.data; + + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.updateOrg, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const updatedOrg = await db.update(orgs) .set(updateData) .where(eq(orgs.orgId, orgId)) diff --git a/server/routers/resource/createResource.ts b/server/routers/resource/createResource.ts index 44e04c38..2b723682 100644 --- a/server/routers/resource/createResource.ts +++ b/server/routers/resource/createResource.ts @@ -5,6 +5,7 @@ import { resources } from '@server/db/schema'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const createResourceParamsSchema = z.object({ siteId: z.number().int().positive(), @@ -45,6 +46,12 @@ export async function createResource(req: Request, res: Response, next: NextFunc const { siteId, orgId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.createResource, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Generate a unique resourceId const resourceId = "subdomain" // TODO: create the subdomain here diff --git a/server/routers/resource/deleteResource.ts b/server/routers/resource/deleteResource.ts index 43e28094..5c6a7dc3 100644 --- a/server/routers/resource/deleteResource.ts +++ b/server/routers/resource/deleteResource.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; // Define Zod schema for request parameters validation const deleteResourceSchema = z.object({ @@ -27,6 +28,12 @@ export async function deleteResource(req: Request, res: Response, next: NextFunc const { resourceId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.deleteResource, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Delete the resource from the database const deletedResource = await db.delete(resources) .where(eq(resources.resourceId, resourceId)) diff --git a/server/routers/resource/getResource.ts b/server/routers/resource/getResource.ts index 8343056c..4feac131 100644 --- a/server/routers/resource/getResource.ts +++ b/server/routers/resource/getResource.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; // Define Zod schema for request parameters validation const getResourceSchema = z.object({ @@ -27,6 +28,12 @@ export async function getResource(req: Request, res: Response, next: NextFunctio const { resourceId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.getResource, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Fetch the resource from the database const resource = await db.select() .from(resources) diff --git a/server/routers/resource/listResources.ts b/server/routers/resource/listResources.ts index 6441f681..52cfa487 100644 --- a/server/routers/resource/listResources.ts +++ b/server/routers/resource/listResources.ts @@ -6,6 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import { sql, eq, and, or, inArray } from 'drizzle-orm'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const listResourcesParamsSchema = z.object({ siteId: z.coerce.number().int().positive().optional(), @@ -26,13 +27,6 @@ interface RequestWithOrgAndRole extends Request { export async function listResources(req: RequestWithOrgAndRole, res: Response, next: NextFunction): Promise { try { - // Check if the user has permission to list resources - // const LIST_RESOURCES_ACTION_ID = 3; // Assume 3 is the action ID for listing resources - // const hasPermission = await checkUserActionPermission(LIST_RESOURCES_ACTION_ID, req); - // if (!hasPermission) { - // return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list resources')); - // } - const parsedQuery = listResourcesSchema.safeParse(req.query); if (!parsedQuery.success) { return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', '))); @@ -45,6 +39,12 @@ export async function listResources(req: RequestWithOrgAndRole, res: Response, n } const { siteId, orgId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + if (orgId && orgId !== req.orgId) { return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization')); } diff --git a/server/routers/resource/updateResource.ts b/server/routers/resource/updateResource.ts index 96b14152..02d6bb12 100644 --- a/server/routers/resource/updateResource.ts +++ b/server/routers/resource/updateResource.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; // Define Zod schema for request parameters validation const updateResourceParamsSchema = z.object({ @@ -47,6 +48,12 @@ export async function updateResource(req: Request, res: Response, next: NextFunc const { resourceId } = parsedParams.data; const updateData = parsedBody.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.updateResource, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Update the resource in the database const updatedResource = await db.update(resources) .set(updateData) diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts index c54d530b..69e5bc51 100644 --- a/server/routers/site/createSite.ts +++ b/server/routers/site/createSite.ts @@ -6,6 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import fetch from 'node-fetch'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const API_BASE_URL = "http://localhost:3000"; @@ -33,7 +34,7 @@ export async function createSite(req: Request, res: Response, next: NextFunction ) ); } - + const { name, subdomain, pubKey, subnet } = parsedBody.data; // Validate request params @@ -49,6 +50,12 @@ export async function createSite(req: Request, res: Response, next: NextFunction const { orgId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.createSite, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Create new site in the database const newSite = await db.insert(sites).values({ orgId, diff --git a/server/routers/site/deleteSite.ts b/server/routers/site/deleteSite.ts index 29861719..413671fa 100644 --- a/server/routers/site/deleteSite.ts +++ b/server/routers/site/deleteSite.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const API_BASE_URL = "http://localhost:3000"; @@ -27,9 +28,15 @@ export async function deleteSite(req: Request, res: Response, next: NextFunction ) ); } - + const { siteId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.deleteSite, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Delete the site from the database const deletedSite = await db.delete(sites) .where(eq(sites.siteId, siteId)) diff --git a/server/routers/site/getSite.ts b/server/routers/site/getSite.ts index 5ceead1c..968aa7ff 100644 --- a/server/routers/site/getSite.ts +++ b/server/routers/site/getSite.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; // Define Zod schema for request parameters validation const getSiteSchema = z.object({ @@ -27,6 +28,12 @@ export async function getSite(req: Request, res: Response, next: NextFunction): const { siteId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Fetch the site from the database const site = await db.select() .from(sites) diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts index 1d72bbb1..010548ca 100644 --- a/server/routers/site/listSites.ts +++ b/server/routers/site/listSites.ts @@ -6,7 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import { sql, eq, and, or, inArray } from 'drizzle-orm'; -// import { checkUserActionPermission } from './checkUserActionPermission'; // Import the function we created earlier +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const listSitesParamsSchema = z.object({ orgId: z.string().optional().transform(Number).pipe(z.number().int().positive()), @@ -19,25 +19,25 @@ const listSitesSchema = z.object({ export async function listSites(req: Request, res: Response, next: NextFunction): Promise { try { - // Check if the user has permission to list sites - // const LIST_SITES_ACTION_ID = 1; // Assume 1 is the action ID for listing sites - // const hasPermission = await checkUserActionPermission(LIST_SITES_ACTION_ID, req); - // if (!hasPermission) { - // return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); - // } - const parsedQuery = listSitesSchema.safeParse(req.query); if (!parsedQuery.success) { return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', '))); } const { limit, offset } = parsedQuery.data; + const parsedParams = listSitesParamsSchema.safeParse(req.params); if (!parsedParams.success) { return next(createHttpError(HttpCode.BAD_REQUEST, parsedParams.error.errors.map(e => e.message).join(', '))); } const { orgId } = parsedParams.data; - + + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.listSites, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + if (orgId && orgId !== req.userOrgId) { return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization')); } diff --git a/server/routers/site/updateSite.ts b/server/routers/site/updateSite.ts index 66b1e5aa..38cce4b4 100644 --- a/server/routers/site/updateSite.ts +++ b/server/routers/site/updateSite.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; // Define Zod schema for request parameters validation const updateSiteParamsSchema = z.object({ @@ -52,6 +53,12 @@ export async function updateSite(req: Request, res: Response, next: NextFunction const { siteId } = parsedParams.data; const updateData = parsedBody.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + // Update the site in the database const updatedSite = await db.update(sites) .set(updateData) diff --git a/server/routers/target/createTarget.ts b/server/routers/target/createTarget.ts index f668ca20..53215c2a 100644 --- a/server/routers/target/createTarget.ts +++ b/server/routers/target/createTarget.ts @@ -5,6 +5,7 @@ import { targets } from '@server/db/schema'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const createTargetParamsSchema = z.object({ resourceId: z.string().uuid(), @@ -44,6 +45,12 @@ export async function createTarget(req: Request, res: Response, next: NextFuncti const { resourceId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.createTarget, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const newTarget = await db.insert(targets).values({ resourceId, ...targetData diff --git a/server/routers/target/deleteTarget.ts b/server/routers/target/deleteTarget.ts index a684fcec..46a7212f 100644 --- a/server/routers/target/deleteTarget.ts +++ b/server/routers/target/deleteTarget.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const deleteTargetSchema = z.object({ targetId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -25,6 +26,12 @@ export async function deleteTarget(req: Request, res: Response, next: NextFuncti const { targetId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.deleteTarget, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const deletedTarget = await db.delete(targets) .where(eq(targets.targetId, targetId)) .returning(); diff --git a/server/routers/target/getTarget.ts b/server/routers/target/getTarget.ts index 96ce352e..be0025a3 100644 --- a/server/routers/target/getTarget.ts +++ b/server/routers/target/getTarget.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const getTargetSchema = z.object({ targetId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -25,6 +26,12 @@ export async function getTarget(req: Request, res: Response, next: NextFunction) const { targetId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.getTarget, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const target = await db.select() .from(targets) .where(eq(targets.targetId, targetId)) diff --git a/server/routers/target/listTargets.ts b/server/routers/target/listTargets.ts index caa75683..1e4ecc73 100644 --- a/server/routers/target/listTargets.ts +++ b/server/routers/target/listTargets.ts @@ -6,6 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import { sql, eq } from 'drizzle-orm'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const listTargetsParamsSchema = z.object({ resourceId: z.string().optional() @@ -41,6 +42,12 @@ export async function listTargets(req: Request, res: Response, next: NextFunctio } const { resourceId } = parsedParams.data; + + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.listTargets, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } let baseQuery: any = db .select({ diff --git a/server/routers/target/updateTarget.ts b/server/routers/target/updateTarget.ts index 1654264c..ad9a41d9 100644 --- a/server/routers/target/updateTarget.ts +++ b/server/routers/target/updateTarget.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const updateTargetParamsSchema = z.object({ targetId: z.string().transform(Number).pipe(z.number().int().positive()) @@ -46,6 +47,12 @@ export async function updateTarget(req: Request, res: Response, next: NextFuncti const { targetId } = parsedParams.data; const updateData = parsedBody.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.updateTarget, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const updatedTarget = await db.update(targets) .set(updateData) .where(eq(targets.targetId, targetId)) diff --git a/server/routers/user/deleteUser.ts b/server/routers/user/deleteUser.ts index 6a241ece..b835199c 100644 --- a/server/routers/user/deleteUser.ts +++ b/server/routers/user/deleteUser.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const deleteUserSchema = z.object({ userId: z.string().uuid() @@ -25,6 +26,12 @@ export async function deleteUser(req: Request, res: Response, next: NextFunction const { userId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.deleteUser, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const deletedUser = await db.delete(users) .where(eq(users.id, userId)) .returning(); diff --git a/server/routers/user/getUser.ts b/server/routers/user/getUser.ts index 6286819d..70a3cffc 100644 --- a/server/routers/user/getUser.ts +++ b/server/routers/user/getUser.ts @@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'; import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const getUserSchema = z.object({ userId: z.string().uuid() @@ -25,6 +26,12 @@ export async function getUser(req: Request, res: Response, next: NextFunction): const { userId } = parsedParams.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.getUser, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const user = await db.select() .from(users) .where(eq(users.id, userId)) diff --git a/server/routers/user/listUsers.ts b/server/routers/user/listUsers.ts index 43d636a5..8f19186e 100644 --- a/server/routers/user/listUsers.ts +++ b/server/routers/user/listUsers.ts @@ -6,6 +6,7 @@ import response from "@server/utils/response"; import HttpCode from '@server/types/HttpCode'; import createHttpError from 'http-errors'; import { sql } from 'drizzle-orm'; +import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions'; const listUsersSchema = z.object({ limit: z.string().optional().transform(Number).pipe(z.number().int().positive().default(10)), @@ -26,6 +27,12 @@ export async function listUsers(req: Request, res: Response, next: NextFunction) const { limit, offset } = parsedQuery.data; + // Check if the user has permission to list sites + const hasPermission = await checkUserActionPermission(ActionsEnum.listUsers, req); + if (!hasPermission) { + return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites')); + } + const usersList = await db.select() .from(users) .limit(limit)