mirror of
https://github.com/fosrl/pangolin.git
synced 2025-08-04 18:14:53 +02:00
move action permission check to middleware
This commit is contained in:
parent
03051878ef
commit
372e51c0a5
48 changed files with 266 additions and 936 deletions
|
@ -5,7 +5,6 @@ import { userActions, users } from "@server/db/schema";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
@ -34,21 +33,6 @@ export async function addUserAction(
|
|||
|
||||
const { userId, actionId, orgId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to add user actions
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.addUserAction,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// Check if the user exists
|
||||
const user = await db
|
||||
.select()
|
||||
.from(users)
|
||||
|
@ -82,10 +66,7 @@ export async function addUserAction(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,7 +5,6 @@ import { userResources } from "@server/db/schema";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -32,20 +31,6 @@ export async function addUserResource(
|
|||
|
||||
const { userId, resourceId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to add user resources
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.addUserResource,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const newUserResource = await db
|
||||
.insert(userResources)
|
||||
.values({
|
||||
|
@ -64,10 +49,7 @@ export async function addUserResource(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,7 +5,6 @@ import { resources, userResources, userSites } from "@server/db/schema";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
@ -33,20 +32,6 @@ export async function addUserSite(
|
|||
|
||||
const { userId, siteId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to add user sites
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.addUserSite,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const newUserSite = await db
|
||||
.insert(userSites)
|
||||
.values({
|
||||
|
@ -55,7 +40,6 @@ export async function addUserSite(
|
|||
})
|
||||
.returning();
|
||||
|
||||
// Add all resources associated with the site to the user
|
||||
const siteResources = await db
|
||||
.select()
|
||||
.from(resources)
|
||||
|
@ -78,10 +62,7 @@ export async function addUserSite(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ import { eq } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
|
||||
export type GetUserResponse = {
|
||||
|
@ -18,14 +17,14 @@ export type GetUserResponse = {
|
|||
export async function getUser(
|
||||
req: Request,
|
||||
res: Response,
|
||||
next: NextFunction,
|
||||
next: NextFunction
|
||||
): Promise<any> {
|
||||
try {
|
||||
const userId = req.user?.userId;
|
||||
|
||||
if (!userId) {
|
||||
return next(
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "User not found"),
|
||||
createHttpError(HttpCode.UNAUTHORIZED, "User not found")
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -39,8 +38,8 @@ export async function getUser(
|
|||
return next(
|
||||
createHttpError(
|
||||
HttpCode.NOT_FOUND,
|
||||
`User with ID ${userId} not found`,
|
||||
),
|
||||
`User with ID ${userId} not found`
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -60,8 +59,8 @@ export async function getUser(
|
|||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred...",
|
||||
),
|
||||
"An error occurred..."
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -64,19 +64,6 @@ export async function inviteUser(
|
|||
const { orgId } = parsedParams.data;
|
||||
const { email, validHours, roleId } = parsedBody.data;
|
||||
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.inviteUser,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const currentTime = Date.now();
|
||||
const oneHourAgo = currentTime - 3600000;
|
||||
|
||||
|
@ -86,7 +73,7 @@ export async function inviteUser(
|
|||
|
||||
inviteTracker[email].timestamps = inviteTracker[
|
||||
email
|
||||
].timestamps.filter((timestamp) => timestamp > oneHourAgo);
|
||||
].timestamps.filter((timestamp) => timestamp > oneHourAgo); // TODO: this could cause memory increase over time if the object is never deleted
|
||||
|
||||
if (inviteTracker[email].timestamps.length >= 3) {
|
||||
return next(
|
||||
|
|
|
@ -6,7 +6,6 @@ import response from "@server/utils/response";
|
|||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { sql } from "drizzle-orm";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
|
||||
const listUsersParamsSchema = z.object({
|
||||
|
@ -81,27 +80,12 @@ export async function listUsers(
|
|||
|
||||
const { orgId } = parsedParams.data;
|
||||
|
||||
// Check if the user has permission to list users
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.listUsers,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const usersWithRoles = await queryUsers(
|
||||
orgId.toString(),
|
||||
limit,
|
||||
offset
|
||||
);
|
||||
|
||||
// Count total users
|
||||
const [{ count }] = await db
|
||||
.select({ count: sql<number>`count(*)` })
|
||||
.from(users);
|
||||
|
|
|
@ -6,7 +6,6 @@ import { and, eq } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -49,20 +48,6 @@ export async function removeUserAction(
|
|||
|
||||
const { actionId, orgId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to remove user actions
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.removeUserAction,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const deletedUserAction = await db
|
||||
.delete(userActions)
|
||||
.where(
|
||||
|
@ -93,10 +78,7 @@ export async function removeUserAction(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ import { and, eq } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -33,19 +32,6 @@ export async function removeUserOrg(
|
|||
|
||||
const { userId, orgId } = parsedParams.data;
|
||||
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.removeUser,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// remove the user from the userOrgs table
|
||||
await db
|
||||
.delete(userOrgs)
|
||||
|
@ -61,10 +47,7 @@ export async function removeUserOrg(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ import { and, eq } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -33,20 +32,6 @@ export async function removeUserResource(
|
|||
|
||||
const { userId, resourceId } = parsedParams.data;
|
||||
|
||||
// Check if the user has permission to remove user resources
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.removeUserResource,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const deletedUserResource = await db
|
||||
.delete(userResources)
|
||||
.where(
|
||||
|
@ -76,10 +61,7 @@ export async function removeUserResource(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ import { and, eq } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -48,20 +47,6 @@ export async function removeUserSite(
|
|||
|
||||
const { siteId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to remove user sites
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.removeUserSite,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const deletedUserSite = await db
|
||||
.delete(userSites)
|
||||
.where(
|
||||
|
@ -105,10 +90,7 @@ export async function removeUserSite(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ import { eq, and } from "drizzle-orm";
|
|||
import response from "@server/utils/response";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import createHttpError from "http-errors";
|
||||
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
|
||||
import logger from "@server/logger";
|
||||
import { fromError } from "zod-validation-error";
|
||||
|
||||
|
@ -34,21 +33,6 @@ export async function addUserRole(
|
|||
|
||||
const { userId, roleId, orgId } = parsedBody.data;
|
||||
|
||||
// Check if the user has permission to add user roles
|
||||
const hasPermission = await checkUserActionPermission(
|
||||
ActionsEnum.addUserRole,
|
||||
req
|
||||
);
|
||||
if (!hasPermission) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.FORBIDDEN,
|
||||
"User does not have permission to perform this action"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// Check if the role exists and belongs to the specified org
|
||||
const roleExists = await db
|
||||
.select()
|
||||
.from(roles)
|
||||
|
@ -80,10 +64,7 @@ export async function addUserRole(
|
|||
} catch (error) {
|
||||
logger.error(error);
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.INTERNAL_SERVER_ERROR,
|
||||
"An error occurred..."
|
||||
)
|
||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue