mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-08-18 08:18:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add org owner check to deleteOrg and removeUser endpoints

Browse source
This commit is contained in:
Milo Schwartz 2024-11-06 00:05:19 -05:00
parent 372e51c0a5
commit 458de04fcf
No known key found for this signature in database
3 changed files with 94 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

68
server/routers/auth/verifyUserIsOrgOwner.ts Normal file
View file

@ -0,0 +1,68 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyUserIsOrgOwner(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId;
const orgId = req.params.orgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (!orgId) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization ID not provided"
)
);
}
try {
if (!userOrg) {
const res = await db
.select()
.from(userOrgs)
.where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
);
userOrg = res[0];
}
if (!userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
if (!userOrg.isOwner) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User is not an organization owner"
)
);
}
} catch (e) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying organization access"
)
);
}
}

8
server/routers/external.ts
View file

@ -25,6 +25,7 @@ import {
} from "./auth"; } from "./auth";
import { verifyUserHasAction } from "./auth/verifyUserHasAction"; import { verifyUserHasAction } from "./auth/verifyUserHasAction";
import { ActionsEnum } from "@server/auth/actions"; import { ActionsEnum } from "@server/auth/actions";
import { verifyUserIsOrgOwner } from "./auth/verifyUserIsOrgOwner";
// Root routes // Root routes
export const unauthenticated = Router(); export const unauthenticated = Router();
@ -52,7 +53,12 @@ authenticated.post(
verifyUserHasAction(ActionsEnum.updateOrg), verifyUserHasAction(ActionsEnum.updateOrg),
org.updateOrg org.updateOrg
); );
// authenticated.delete("/org/:orgId", verifyOrgAccess, org.deleteOrg); // authenticated.delete(
// "/org/:orgId",
// verifyOrgAccess,
// verifyUserIsOrgOwner,
// org.deleteOrg
// );
authenticated.put( authenticated.put(
"/org/:orgId/site", "/org/:orgId/site",

19
server/routers/user/removeUserOrg.ts
View file

@ -32,6 +32,25 @@ export async function removeUserOrg(
const { userId, orgId } = parsedParams.data; const { userId, orgId } = parsedParams.data;
// get the user first
const user = await db
.select()
.from(userOrgs)
.where(eq(userOrgs.userId, userId));
if (!user || user.length === 0) {
return next(createHttpError(HttpCode.NOT_FOUND, "User not found"));
}
if (user[0].isOwner) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Cannot remove owner from org"
)
);
}
// remove the user from the userOrgs table // remove the user from the userOrgs table
await db await db
.delete(userOrgs) .delete(userOrgs)