fosrl.pangolin/server/routers/resource/listResources.ts

import { Request, Response, NextFunction } from 'express';
import { z } from 'zod';
import { db } from '@server/db';
import { resources, sites, userResources, roleResources } from '@server/db/schema';
import response from "@server/utils/response";
import HttpCode from '@server/types/HttpCode';
import createHttpError from 'http-errors';
import { sql, eq, and, or, inArray } from 'drizzle-orm';
import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';

const listResourcesParamsSchema = z.object({
    siteId: z.coerce.number().int().positive().optional(),
    orgId: z.coerce.number().int().positive().optional(),
}).refine(data => !!data.siteId !== !!data.orgId, {
    message: "Either siteId or orgId must be provided, but not both",
});

const listResourcesSchema = z.object({
  limit: z.coerce.number().int().positive().default(10),
  offset: z.coerce.number().int().nonnegative().default(0),
});

interface RequestWithOrgAndRole extends Request {
  userOrgRoleId?: number;
  orgId?: number;
}

export async function listResources(req: RequestWithOrgAndRole, res: Response, next: NextFunction): Promise<any> {
  try {
    const parsedQuery = listResourcesSchema.safeParse(req.query);
    if (!parsedQuery.success) {
      return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));
    }
    const { limit, offset } = parsedQuery.data;

    const parsedParams = listResourcesParamsSchema.safeParse(req.params);
    if (!parsedParams.success) {
      return next(createHttpError(HttpCode.BAD_REQUEST, parsedParams.error.errors.map(e => e.message).join(', ')));
    }
    const { siteId, orgId } = parsedParams.data;

    // Check if the user has permission to list sites
    const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req);
    if (!hasPermission) {
      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
    }
    
    if (orgId && orgId !== req.orgId) {
      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
    }

    // Get the list of resources the user has access to
    const accessibleResources = await db
      .select({ resourceId: sql<string>`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})` })
      .from(userResources)
      .fullJoin(roleResources, eq(userResources.resourceId, roleResources.resourceId))
      .where(
        or(
          eq(userResources.userId, req.user!.id),
          eq(roleResources.roleId, req.userOrgRoleId!)
        )
      );

    const accessibleResourceIds = accessibleResources.map(resource => resource.resourceId);

    let baseQuery: any = db
      .select({
        resourceId: resources.resourceId,
        name: resources.name,
        subdomain: resources.subdomain,
        siteName: sites.name,
      })
      .from(resources)
      .leftJoin(sites, eq(resources.siteId, sites.siteId))
      .where(inArray(resources.resourceId, accessibleResourceIds));

    let countQuery: any = db
      .select({ count: sql<number>`cast(count(*) as integer)` })
      .from(resources)
      .where(inArray(resources.resourceId, accessibleResourceIds));

    if (siteId) {
      baseQuery = baseQuery.where(eq(resources.siteId, siteId));
      countQuery = countQuery.where(eq(resources.siteId, siteId));
    } else {
      // If orgId is provided, it's already checked to match req.orgId
      baseQuery = baseQuery.where(eq(resources.orgId, req.orgId!));
      countQuery = countQuery.where(eq(resources.orgId, req.orgId!));
    }

    const resourcesList = await baseQuery.limit(limit).offset(offset);
    const totalCountResult = await countQuery;
    const totalCount = totalCountResult[0].count;

    return res.status(HttpCode.OK).send(
      response(res, {
        data: {
          resources: resourcesList,
          pagination: {
            total: totalCount,
            limit,
            offset,
          },
        },
        success: true,
        error: false,
        message: "Resources retrieved successfully",
        status: HttpCode.OK,
      })
    );
  } catch (error) {
    next(error);
  }
}
Fix return response and add list 2024-10-02 21:17:38 -04:00			`import { Request, Response, NextFunction } from 'express';`
			`import { z } from 'zod';`
			`import { db } from '@server/db';`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`import { resources, sites, userResources, roleResources } from '@server/db/schema';`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`import response from "@server/utils/response";`
			`import HttpCode from '@server/types/HttpCode';`
			`import createHttpError from 'http-errors';`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`import { sql, eq, and, or, inArray } from 'drizzle-orm';`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';`
Fix return response and add list 2024-10-02 21:17:38 -04:00
Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`const listResourcesParamsSchema = z.object({`
Tested list endpoints 2024-10-02 22:17:43 -04:00			`siteId: z.coerce.number().int().positive().optional(),`
			`orgId: z.coerce.number().int().positive().optional(),`
			`}).refine(data => !!data.siteId !== !!data.orgId, {`
			`message: "Either siteId or orgId must be provided, but not both",`
Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`});`

Fix return response and add list 2024-10-02 21:17:38 -04:00			`const listResourcesSchema = z.object({`
Tested list endpoints 2024-10-02 22:17:43 -04:00			`limit: z.coerce.number().int().positive().default(10),`
			`offset: z.coerce.number().int().nonnegative().default(0),`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`});`

Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`interface RequestWithOrgAndRole extends Request {`
			`userOrgRoleId?: number;`
			`orgId?: number;`
			`}`

			`export async function listResources(req: RequestWithOrgAndRole, res: Response, next: NextFunction): Promise<any> {`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`try {`
			`const parsedQuery = listResourcesSchema.safeParse(req.query);`
			`if (!parsedQuery.success) {`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`}`
Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`const { limit, offset } = parsedQuery.data;`
Fix return response and add list 2024-10-02 21:17:38 -04:00
Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`const parsedParams = listResourcesParamsSchema.safeParse(req.params);`
			`if (!parsedParams.success) {`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`return next(createHttpError(HttpCode.BAD_REQUEST, parsedParams.error.errors.map(e => e.message).join(', ')));`
Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`}`
			`const { siteId, orgId } = parsedParams.data;`
Fix return response and add list 2024-10-02 21:17:38 -04:00
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`// Check if the user has permission to list sites`
			`const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req);`
			`if (!hasPermission) {`
			`return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));`
			`}`

Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`if (orgId && orgId !== req.orgId) {`
			`return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));`
			`}`

			`// Get the list of resources the user has access to`
			`const accessibleResources = await db`
			.select({ resourceId: sql<string>`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})` })
			`.from(userResources)`
			`.fullJoin(roleResources, eq(userResources.resourceId, roleResources.resourceId))`
			`.where(`
			`or(`
			`eq(userResources.userId, req.user!.id),`
			`eq(roleResources.roleId, req.userOrgRoleId!)`
			`)`
			`);`

			`const accessibleResourceIds = accessibleResources.map(resource => resource.resourceId);`

Move nessicary info to url params 2024-10-02 22:05:21 -04:00			`let baseQuery: any = db`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`.select({`
			`resourceId: resources.resourceId,`
			`name: resources.name,`
			`subdomain: resources.subdomain,`
			`siteName: sites.name,`
			`})`
			`.from(resources)`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`.leftJoin(sites, eq(resources.siteId, sites.siteId))`
			`.where(inArray(resources.resourceId, accessibleResourceIds));`
Fix return response and add list 2024-10-02 21:17:38 -04:00
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`let countQuery: any = db`
			.select({ count: sql<number>`cast(count(*) as integer)` })
			`.from(resources)`
			`.where(inArray(resources.resourceId, accessibleResourceIds));`
Fix return response and add list 2024-10-02 21:17:38 -04:00
			`if (siteId) {`
			`baseQuery = baseQuery.where(eq(resources.siteId, siteId));`
			`countQuery = countQuery.where(eq(resources.siteId, siteId));`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`} else {`
			`// If orgId is provided, it's already checked to match req.orgId`
			`baseQuery = baseQuery.where(eq(resources.orgId, req.orgId!));`
			`countQuery = countQuery.where(eq(resources.orgId, req.orgId!));`
Fix return response and add list 2024-10-02 21:17:38 -04:00			`}`

			`const resourcesList = await baseQuery.limit(limit).offset(offset);`
			`const totalCountResult = await countQuery;`
			`const totalCount = totalCountResult[0].count;`

			`return res.status(HttpCode.OK).send(`
			`response(res, {`
			`data: {`
			`resources: resourcesList,`
			`pagination: {`
			`total: totalCount,`
			`limit,`
			`offset,`
			`},`
			`},`
			`success: true,`
			`error: false,`
			`message: "Resources retrieved successfully",`
			`status: HttpCode.OK,`
			`})`
			`);`
			`} catch (error) {`
			`next(error);`
			`}`
			`}`