fosrl.pangolin/server/auth/actions.ts

import { Request } from "express";
import { db } from "@server/db";
import { userActions, roleActions, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";

export enum ActionsEnum {
    createOrg = "createOrg",
    // deleteOrg = "deleteOrg",
    getOrg = "getOrg",
    updateOrg = "updateOrg",
    deleteOrg = "deleteOrg",
    createSite = "createSite",
    deleteSite = "deleteSite",
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
    createResource = "createResource",
    deleteResource = "deleteResource",
    getResource = "getResource",
    listResources = "listResources",
    updateResource = "updateResource",
    createTarget = "createTarget",
    deleteTarget = "deleteTarget",
    getTarget = "getTarget",
    listTargets = "listTargets",
    updateTarget = "updateTarget",
    createRole = "createRole",
    deleteRole = "deleteRole",
    getRole = "getRole",
    listRoles = "listRoles",
    updateRole = "updateRole",
    inviteUser = "inviteUser",
    removeUser = "removeUser",
    listUsers = "listUsers",
    listSiteRoles = "listSiteRoles",
    listResourceRoles = "listResourceRoles",
    setResourceUsers = "setResourceUsers",
    setResourceRoles = "setResourceRoles",
    listResourceUsers = "listResourceUsers",
    // removeRoleSite = "removeRoleSite",
    // addRoleAction = "addRoleAction",
    // removeRoleAction = "removeRoleAction",
    // listRoleSites = "listRoleSites",
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
    // removeUserSite = "removeUserSite",
    getOrgUser = "getOrgUser",
    setResourcePassword = "setResourcePassword",
    setResourcePincode = "setResourcePincode",
    setResourceWhitelist = "setResourceWhitelist",
    getResourceWhitelist = "getResourceWhitelist",
    generateAccessToken = "generateAccessToken",
    deleteAcessToken = "deleteAcessToken",
    listAccessTokens = "listAccessTokens",
    createResourceRule = "createResourceRule",
    deleteResourceRule = "deleteResourceRule",
    listResourceRules = "listResourceRules",
    updateResourceRule = "updateResourceRule",
    listOrgDomains = "listOrgDomains",
}

export async function checkUserActionPermission(
    actionId: string,
    req: Request
): Promise<boolean> {
    const userId = req.user?.userId;

    if (!userId) {
        throw createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated");
    }

    if (!req.userOrgId) {
        throw createHttpError(
            HttpCode.BAD_REQUEST,
            "Organization ID is required"
        );
    }

    try {
        let userOrgRoleId = req.userOrgRoleId;

        // If userOrgRoleId is not available on the request, fetch it
        if (userOrgRoleId === undefined) {
            const userOrgRole = await db
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, req.userOrgId!)
                    )
                )
                .limit(1);

            if (userOrgRole.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }

            userOrgRoleId = userOrgRole[0].roleId;
        }

        // Check if the user has direct permission for the action in the current org
        const userActionPermission = await db
            .select()
            .from(userActions)
            .where(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
                )
            )
            .limit(1);

        if (userActionPermission.length > 0) {
            return true;
        }

        // If no direct permission, check role-based permission
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
                    eq(roleActions.roleId, userOrgRoleId!),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
            .limit(1);

        return roleActionPermission.length > 0;

        return false;
    } catch (error) {
        console.error("Error checking user action permission:", error);
        throw createHttpError(
            HttpCode.INTERNAL_SERVER_ERROR,
            "Error checking action permission"
        );
    }
}
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`import { Request } from "express";`
			`import { db } from "@server/db";`
			`import { userActions, roleActions, userOrgs } from "@server/db/schema";`
			`import { and, eq } from "drizzle-orm";`
			`import createHttpError from "http-errors";`
			`import HttpCode from "@server/types/HttpCode";`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`export enum ActionsEnum {`
			`createOrg = "createOrg",`
list roles, make sidebar component, responsive mobile settings menu selector 2024-11-09 00:08:17 -05:00			`// deleteOrg = "deleteOrg",`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`getOrg = "getOrg",`
			`updateOrg = "updateOrg",`
Remove dangerous logging 2024-12-22 12:03:46 -05:00			`deleteOrg = "deleteOrg",`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`createSite = "createSite",`
			`deleteSite = "deleteSite",`
			`getSite = "getSite",`
			`listSites = "listSites",`
			`updateSite = "updateSite",`
			`createResource = "createResource",`
			`deleteResource = "deleteResource",`
			`getResource = "getResource",`
			`listResources = "listResources",`
			`updateResource = "updateResource",`
			`createTarget = "createTarget",`
			`deleteTarget = "deleteTarget",`
			`getTarget = "getTarget",`
			`listTargets = "listTargets",`
			`updateTarget = "updateTarget",`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`createRole = "createRole",`
			`deleteRole = "deleteRole",`
			`getRole = "getRole",`
			`listRoles = "listRoles",`
			`updateRole = "updateRole",`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`inviteUser = "inviteUser",`
Add user endpoints 2024-10-12 22:31:24 -04:00			`removeUser = "removeUser",`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`listUsers = "listUsers",`
			`listSiteRoles = "listSiteRoles",`
			`listResourceRoles = "listResourceRoles",`
set users on resource working 2024-11-15 23:38:08 -05:00			`setResourceUsers = "setResourceUsers",`
add roles input on resource and make spacing more consistent 2024-11-15 18:25:27 -05:00			`setResourceRoles = "setResourceRoles",`
set users on resource working 2024-11-15 23:38:08 -05:00			`listResourceUsers = "listResourceUsers",`
			`// removeRoleSite = "removeRoleSite",`
list roles, make sidebar component, responsive mobile settings menu selector 2024-11-09 00:08:17 -05:00			`// addRoleAction = "addRoleAction",`
			`// removeRoleAction = "removeRoleAction",`
set users on resource working 2024-11-15 23:38:08 -05:00			`// listRoleSites = "listRoleSites",`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`listRoleResources = "listRoleResources",`
set users on resource working 2024-11-15 23:38:08 -05:00			`// listRoleActions = "listRoleActions",`
Add user endpoints 2024-10-12 22:31:24 -04:00			`addUserRole = "addUserRole",`
set users on resource working 2024-11-15 23:38:08 -05:00			`// addUserSite = "addUserSite",`
list roles, make sidebar component, responsive mobile settings menu selector 2024-11-09 00:08:17 -05:00			`// addUserAction = "addUserAction",`
			`// removeUserAction = "removeUserAction",`
set users on resource working 2024-11-15 23:38:08 -05:00			`// removeUserSite = "removeUserSite",`
access token endpoints and other backend support 2024-12-18 23:14:26 -05:00			`getOrgUser = "getOrgUser",`
rename to resource rules and add api endpoints 2025-02-08 17:02:22 -05:00			`setResourcePassword = "setResourcePassword",`
			`setResourcePincode = "setResourcePincode",`
			`setResourceWhitelist = "setResourceWhitelist",`
			`getResourceWhitelist = "getResourceWhitelist",`
			`generateAccessToken = "generateAccessToken",`
			`deleteAcessToken = "deleteAcessToken",`
			`listAccessTokens = "listAccessTokens",`
			`createResourceRule = "createResourceRule",`
			`deleteResourceRule = "deleteResourceRule",`
Add update 2025-02-08 17:10:37 -05:00			`listResourceRules = "listResourceRules",`
			`updateResourceRule = "updateResourceRule",`
add list domains for org endpoint 2025-02-16 18:09:17 -05:00			`listOrgDomains = "listOrgDomains",`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`}`

fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`export async function checkUserActionPermission(`
			`actionId: string,`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`req: Request`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`): Promise<boolean> {`
remove lucia 2024-10-13 17:13:47 -04:00			`const userId = req.user?.userId;`
Add stepper 2024-10-14 19:30:38 -04:00
Format files and fix http response 2024-10-06 18:05:20 -04:00			`if (!userId) {`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`throw createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated");`
Add actions check to all endpoints 2024-10-06 16:43:59 -04:00			`}`

fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`if (!req.userOrgId) {`
			`throw createHttpError(`
			`HttpCode.BAD_REQUEST,`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`"Organization ID is required"`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`);`
Update to verify middleware & lists agenst new permissions tables 2024-10-06 16:19:04 -04:00			`}`

Format files and fix http response 2024-10-06 18:05:20 -04:00			`try {`
			`let userOrgRoleId = req.userOrgRoleId;`

			`// If userOrgRoleId is not available on the request, fetch it`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`if (userOrgRoleId === undefined) {`
			`const userOrgRole = await db`
			`.select()`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`.from(userOrgs)`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`.where(`
			`and(`
			`eq(userOrgs.userId, userId),`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`eq(userOrgs.orgId, req.userOrgId!)`
			`)`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`)`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`.limit(1);`

			`if (userOrgRole.length === 0) {`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`throw createHttpError(`
			`HttpCode.FORBIDDEN,`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`"User does not have access to this organization"`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`);`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`}`

			`userOrgRoleId = userOrgRole[0].roleId;`
			`}`

			`// Check if the user has direct permission for the action in the current org`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`const userActionPermission = await db`
			`.select()`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`.from(userActions)`
			`.where(`
			`and(`
			`eq(userActions.userId, userId),`
			`eq(userActions.actionId, actionId),`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org`
			`)`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`)`
			`.limit(1);`

			`if (userActionPermission.length > 0) {`
			`return true;`
			`}`

fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`// If no direct permission, check role-based permission`
			`const roleActionPermission = await db`
			`.select()`
			`.from(roleActions)`
			`.where(`
			`and(`
			`eq(roleActions.actionId, actionId),`
			`eq(roleActions.roleId, userOrgRoleId!),`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`eq(roleActions.orgId, req.userOrgId!)`
			`)`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`)`
			`.limit(1);`
Add stepper 2024-10-14 19:30:38 -04:00
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`return roleActionPermission.length > 0;`
Format files and fix http response 2024-10-06 18:05:20 -04:00
Add stepper 2024-10-14 19:30:38 -04:00			`return false;`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`} catch (error) {`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`console.error("Error checking user action permission:", error);`
			`throw createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
create invite and accept invite endpoints 2024-11-02 18:12:17 -04:00			`"Error checking action permission"`
fixed listSites endpoint 2024-10-14 21:54:43 -04:00			`);`
Format files and fix http response 2024-10-06 18:05:20 -04:00			`}`
remove lucia 2024-10-13 17:13:47 -04:00			`}`