Add actions check to all endpoints

server/routers/site/createSite.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import fetch from 'node-fetch';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const API_BASE_URL = "http://localhost:3000";
 
@@ -33,7 +34,7 @@ export async function createSite(req: Request, res: Response, next: NextFunction
         )
       );
     }
-
+    
     const { name, subdomain, pubKey, subnet } = parsedBody.data;
 
     // Validate request params
@@ -49,6 +50,12 @@ export async function createSite(req: Request, res: Response, next: NextFunction
 
     const { orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Create new site in the database
     const newSite = await db.insert(sites).values({
       orgId,

server/routers/site/deleteSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 
 const API_BASE_URL = "http://localhost:3000";
@@ -27,9 +28,15 @@ export async function deleteSite(req: Request, res: Response, next: NextFunction
         )
       );
     }
-
+    
     const { siteId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Delete the site from the database
     const deletedSite = await db.delete(sites)
       .where(eq(sites.siteId, siteId))

server/routers/site/getSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const getSiteSchema = z.object({
@@ -27,6 +28,12 @@ export async function getSite(req: Request, res: Response, next: NextFunction):
 
     const { siteId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Fetch the site from the database
     const site = await db.select()
       .from(sites)

server/routers/site/listSites.ts

@@ -6,7 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, eq, and, or, inArray } from 'drizzle-orm';
-// import { checkUserActionPermission } from './checkUserActionPermission'; // Import the function we created earlier
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listSitesParamsSchema = z.object({
     orgId: z.string().optional().transform(Number).pipe(z.number().int().positive()),
@@ -19,25 +19,25 @@ const listSitesSchema = z.object({
 
 export async function listSites(req: Request, res: Response, next: NextFunction): Promise<any> {
   try {
-    // Check if the user has permission to list sites
-    // const LIST_SITES_ACTION_ID = 1; // Assume 1 is the action ID for listing sites
-    // const hasPermission = await checkUserActionPermission(LIST_SITES_ACTION_ID, req);
-    // if (!hasPermission) {
-    //   return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
-    // }
-
     const parsedQuery = listSitesSchema.safeParse(req.query);
     if (!parsedQuery.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));
     }
     const { limit, offset } = parsedQuery.data;
 
+    
     const parsedParams = listSitesParamsSchema.safeParse(req.params);
     if (!parsedParams.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedParams.error.errors.map(e => e.message).join(', ')));
     }
     const { orgId } = parsedParams.data;
-
+    
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listSites, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+    
     if (orgId && orgId !== req.userOrgId) {
       return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
     }

server/routers/site/updateSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const updateSiteParamsSchema = z.object({
@@ -52,6 +53,12 @@ export async function updateSite(req: Request, res: Response, next: NextFunction
     const { siteId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Update the site in the database
     const updatedSite = await db.update(sites)
       .set(updateData)