2024-10-06 16:19:04 -04:00
|
|
|
import { Request } from 'express';
|
|
|
|
|
import { db } from '@server/db';
|
|
|
|
|
import { userActions, roleActions, userOrgs } from '@server/db/schema';
|
2024-10-06 16:43:59 -04:00
|
|
|
import { and, eq } from 'drizzle-orm';
|
2024-10-06 16:19:04 -04:00
|
|
|
import createHttpError from 'http-errors';
|
|
|
|
|
import HttpCode from '@server/types/HttpCode';
|
|
|
|
|
|
2024-10-06 16:43:59 -04:00
|
|
|
export const ActionsEnum = {
|
|
|
|
|
|
|
|
|
|
createOrg: 1,
|
|
|
|
|
deleteOrg: 2,
|
|
|
|
|
getOrg: 3,
|
|
|
|
|
listOrgs: 4,
|
|
|
|
|
updateOrg: 5,
|
|
|
|
|
|
|
|
|
|
createSite: 6,
|
|
|
|
|
deleteSite: 7,
|
|
|
|
|
getSite: 8,
|
|
|
|
|
listSites: 9,
|
|
|
|
|
updateSite: 10,
|
|
|
|
|
|
|
|
|
|
createResource: 11,
|
|
|
|
|
deleteResource: 12,
|
|
|
|
|
getResource: 13,
|
|
|
|
|
listResources: 14,
|
|
|
|
|
updateResource: 15,
|
|
|
|
|
|
|
|
|
|
createTarget: 16,
|
|
|
|
|
deleteTarget: 17,
|
|
|
|
|
getTarget: 18,
|
|
|
|
|
listTargets: 19,
|
|
|
|
|
updateTarget: 20,
|
|
|
|
|
|
|
|
|
|
getUser: 21,
|
|
|
|
|
deleteUser: 22,
|
|
|
|
|
listUsers: 23
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-06 16:19:04 -04:00
|
|
|
export async function checkUserActionPermission(actionId: number, req: Request): Promise<boolean> {
|
|
|
|
|
const userId = req.user?.id;
|
|
|
|
|
|
|
|
|
|
if (!userId) {
|
|
|
|
|
throw createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated');
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-06 16:43:59 -04:00
|
|
|
if (!req.userOrgId) {
|
|
|
|
|
throw createHttpError(HttpCode.BAD_REQUEST, 'Organization ID is required');
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-06 16:19:04 -04:00
|
|
|
try {
|
2024-10-06 16:43:59 -04:00
|
|
|
let userOrgRoleId = req.userOrgRoleId;
|
|
|
|
|
|
|
|
|
|
// If userOrgRoleId is not available on the request, fetch it
|
|
|
|
|
if (userOrgRoleId === undefined) {
|
|
|
|
|
const userOrgRole = await db.select()
|
|
|
|
|
.from(userOrgs)
|
|
|
|
|
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, req.userOrgId)))
|
|
|
|
|
.limit(1);
|
|
|
|
|
|
|
|
|
|
if (userOrgRole.length === 0) {
|
|
|
|
|
throw createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userOrgRoleId = userOrgRole[0].roleId;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if the user has direct permission for the action in the current org
|
2024-10-06 16:19:04 -04:00
|
|
|
const userActionPermission = await db.select()
|
|
|
|
|
.from(userActions)
|
2024-10-06 16:43:59 -04:00
|
|
|
.where(
|
|
|
|
|
and(
|
|
|
|
|
eq(userActions.userId, userId),
|
|
|
|
|
eq(userActions.actionId, actionId),
|
|
|
|
|
eq(userActions.orgId, req.userOrgId)
|
|
|
|
|
)
|
|
|
|
|
)
|
2024-10-06 16:19:04 -04:00
|
|
|
.limit(1);
|
|
|
|
|
|
|
|
|
|
if (userActionPermission.length > 0) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If no direct permission, check role-based permission
|
|
|
|
|
const roleActionPermission = await db.select()
|
|
|
|
|
.from(roleActions)
|
|
|
|
|
.where(
|
|
|
|
|
and(
|
|
|
|
|
eq(roleActions.actionId, actionId),
|
2024-10-06 16:43:59 -04:00
|
|
|
eq(roleActions.roleId, userOrgRoleId),
|
|
|
|
|
eq(roleActions.orgId, req.userOrgId)
|
2024-10-06 16:19:04 -04:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
.limit(1);
|
|
|
|
|
|
|
|
|
|
return roleActionPermission.length > 0;
|
|
|
|
|
|
|
|
|
|
} catch (error) {
|
|
|
|
|
console.error('Error checking user action permission:', error);
|
|
|
|
|
throw createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error checking action permission');
|
|
|
|
|
}
|
|
|
|
|
}
|
