Add actions check to all endpoints

server/auth/actions.ts

@@ -1,10 +1,42 @@
 import { Request } from 'express';
 import { db } from '@server/db';
 import { userActions, roleActions, userOrgs } from '@server/db/schema';
-import { and, eq, or } from 'drizzle-orm';
+import { and, eq } from 'drizzle-orm';
 import createHttpError from 'http-errors';
 import HttpCode from '@server/types/HttpCode';
 
+export const ActionsEnum = {
+
+    createOrg: 1,
+    deleteOrg: 2,
+    getOrg: 3,
+    listOrgs: 4,
+    updateOrg: 5,
+    
+    createSite: 6,
+    deleteSite: 7,
+    getSite: 8,
+    listSites: 9,
+    updateSite: 10,
+
+    createResource: 11,
+    deleteResource: 12,
+    getResource: 13,
+    listResources: 14,
+    updateResource: 15,
+
+    createTarget: 16,
+    deleteTarget: 17,
+    getTarget: 18,
+    listTargets: 19,
+    updateTarget: 20,
+
+    getUser: 21,
+    deleteUser: 22,
+    listUsers: 23
+
+}
+
 export async function checkUserActionPermission(actionId: number, req: Request): Promise<boolean> {
   const userId = req.user?.id;
 
@@ -12,11 +44,37 @@ export async function checkUserActionPermission(actionId: number, req: Request):
     throw createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated');
   }
 
+  if (!req.userOrgId) {
+    throw createHttpError(HttpCode.BAD_REQUEST, 'Organization ID is required');
+  }
+
   try {
-    // Check if the user has direct permission for the action
+    let userOrgRoleId = req.userOrgRoleId;
+
+    // If userOrgRoleId is not available on the request, fetch it
+    if (userOrgRoleId === undefined) {
+      const userOrgRole = await db.select()
+        .from(userOrgs)
+        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, req.userOrgId)))
+        .limit(1);
+
+      if (userOrgRole.length === 0) {
+        throw createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization');
+      }
+
+      userOrgRoleId = userOrgRole[0].roleId;
+    }
+
+    // Check if the user has direct permission for the action in the current org
     const userActionPermission = await db.select()
       .from(userActions)
-      .where(and(eq(userActions.userId, userId), eq(userActions.actionId, actionId)))
+      .where(
+        and(
+          eq(userActions.userId, userId),
+          eq(userActions.actionId, actionId),
+          eq(userActions.orgId, req.userOrgId)
+        )
+      )
       .limit(1);
 
     if (userActionPermission.length > 0) {
@@ -24,22 +82,13 @@ export async function checkUserActionPermission(actionId: number, req: Request):
     }
 
     // If no direct permission, check role-based permission
-    const userOrgRoles = await db.select()
-      .from(userOrgs)
-      .where(eq(userOrgs.userId, userId));
-
-    if (userOrgRoles.length === 0) {
-      return false; // User doesn't belong to any organization
-    }
-
-    const roleIds = userOrgRoles.map(role => role.roleId);
-
     const roleActionPermission = await db.select()
       .from(roleActions)
       .where(
         and(
           eq(roleActions.actionId, actionId),
-          or(...roleIds.map(roleId => eq(roleActions.roleId, roleId)))
+          eq(roleActions.roleId, userOrgRoleId),
+          eq(roleActions.orgId, req.userOrgId)
         )
       )
       .limit(1);

server/index.ts

@@ -84,6 +84,7 @@ declare global {
             user?: User;
             userOrgRoleId?: number;
             userOrgId?: number;
+            userOrgIds?: number[];
         }
     }
 }

server/routers/org/createOrg.ts

@@ -5,6 +5,7 @@ import { orgs } from '@server/db/schema';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const createOrgSchema = z.object({
   name: z.string().min(1).max(255),
@@ -25,7 +26,7 @@ export async function createOrg(req: Request, res: Response, next: NextFunction)
       );
     }
 
-    const userOrgIds = req.userOrgs;
+    const userOrgIds = req.userOrgIds;
     if (userOrgIds && userOrgIds.length > MAX_ORGS) {
       return next(
         createHttpError(
@@ -35,6 +36,12 @@ export async function createOrg(req: Request, res: Response, next: NextFunction)
       );
     }
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createOrg, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const { name, domain } = parsedBody.data;
 
     const newOrg = await db.insert(orgs).values({

server/routers/org/deleteOrg.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const deleteOrgSchema = z.object({
   orgId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -25,6 +26,12 @@ export async function deleteOrg(req: Request, res: Response, next: NextFunction)
 
     const { orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteOrg, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const deletedOrg = await db.delete(orgs)
       .where(eq(orgs.orgId, orgId))
       .returning();

server/routers/org/getOrg.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const getOrgSchema = z.object({
   orgId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -25,6 +26,12 @@ export async function getOrg(req: Request, res: Response, next: NextFunction): P
 
     const { orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.getOrg, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const org = await db.select()
       .from(orgs)
       .where(eq(orgs.orgId, orgId))

server/routers/org/listOrgs.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, inArray } from 'drizzle-orm';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listOrgsSchema = z.object({
   limit: z.string().optional().transform(Number).pipe(z.number().int().positive().default(10)),
@@ -26,8 +27,14 @@ export async function listOrgs(req: Request, res: Response, next: NextFunction):
 
     const { limit, offset } = parsedQuery.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listOrgs, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Use the userOrgs passed from the middleware
-    const userOrgIds = req.userOrgs;
+    const userOrgIds = req.userOrgIds;
 
     if (!userOrgIds || userOrgIds.length === 0) {
       return res.status(HttpCode.OK).send(

server/routers/org/updateOrg.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const updateOrgParamsSchema = z.object({
   orgId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -43,6 +44,13 @@ export async function updateOrg(req: Request, res: Response, next: NextFunction)
     const { orgId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateOrg, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const updatedOrg = await db.update(orgs)
       .set(updateData)
       .where(eq(orgs.orgId, orgId))

server/routers/resource/createResource.ts

@@ -5,6 +5,7 @@ import { resources } from '@server/db/schema';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const createResourceParamsSchema = z.object({
   siteId: z.number().int().positive(),
@@ -45,6 +46,12 @@ export async function createResource(req: Request, res: Response, next: NextFunc
 
     const { siteId, orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Generate a unique resourceId
     const resourceId = "subdomain" // TODO: create the subdomain here
 

server/routers/resource/deleteResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const deleteResourceSchema = z.object({
@@ -27,6 +28,12 @@ export async function deleteResource(req: Request, res: Response, next: NextFunc
 
     const { resourceId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Delete the resource from the database
     const deletedResource = await db.delete(resources)
       .where(eq(resources.resourceId, resourceId))

server/routers/resource/getResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const getResourceSchema = z.object({
@@ -27,6 +28,12 @@ export async function getResource(req: Request, res: Response, next: NextFunctio
 
     const { resourceId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.getResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Fetch the resource from the database
     const resource = await db.select()
       .from(resources)

server/routers/resource/listResources.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, eq, and, or, inArray } from 'drizzle-orm';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listResourcesParamsSchema = z.object({
     siteId: z.coerce.number().int().positive().optional(),
@@ -26,13 +27,6 @@ interface RequestWithOrgAndRole extends Request {
 
 export async function listResources(req: RequestWithOrgAndRole, res: Response, next: NextFunction): Promise<any> {
   try {
-    // Check if the user has permission to list resources
-    // const LIST_RESOURCES_ACTION_ID = 3; // Assume 3 is the action ID for listing resources
-    // const hasPermission = await checkUserActionPermission(LIST_RESOURCES_ACTION_ID, req);
-    // if (!hasPermission) {
-    //   return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list resources'));
-    // }
-
     const parsedQuery = listResourcesSchema.safeParse(req.query);
     if (!parsedQuery.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));
@@ -45,6 +39,12 @@ export async function listResources(req: RequestWithOrgAndRole, res: Response, n
     }
     const { siteId, orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listResources, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+    
     if (orgId && orgId !== req.orgId) {
       return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
     }

server/routers/resource/updateResource.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const updateResourceParamsSchema = z.object({
@@ -47,6 +48,12 @@ export async function updateResource(req: Request, res: Response, next: NextFunc
     const { resourceId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateResource, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }    
+
     // Update the resource in the database
     const updatedResource = await db.update(resources)
       .set(updateData)

server/routers/site/createSite.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import fetch from 'node-fetch';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const API_BASE_URL = "http://localhost:3000";
 
@@ -33,7 +34,7 @@ export async function createSite(req: Request, res: Response, next: NextFunction
         )
       );
     }
-
+    
     const { name, subdomain, pubKey, subnet } = parsedBody.data;
 
     // Validate request params
@@ -49,6 +50,12 @@ export async function createSite(req: Request, res: Response, next: NextFunction
 
     const { orgId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Create new site in the database
     const newSite = await db.insert(sites).values({
       orgId,

server/routers/site/deleteSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 
 const API_BASE_URL = "http://localhost:3000";
@@ -27,9 +28,15 @@ export async function deleteSite(req: Request, res: Response, next: NextFunction
         )
       );
     }
-
+    
     const { siteId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Delete the site from the database
     const deletedSite = await db.delete(sites)
       .where(eq(sites.siteId, siteId))

server/routers/site/getSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const getSiteSchema = z.object({
@@ -27,6 +28,12 @@ export async function getSite(req: Request, res: Response, next: NextFunction):
 
     const { siteId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Fetch the site from the database
     const site = await db.select()
       .from(sites)

server/routers/site/listSites.ts

@@ -6,7 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, eq, and, or, inArray } from 'drizzle-orm';
-// import { checkUserActionPermission } from './checkUserActionPermission'; // Import the function we created earlier
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listSitesParamsSchema = z.object({
     orgId: z.string().optional().transform(Number).pipe(z.number().int().positive()),
@@ -19,25 +19,25 @@ const listSitesSchema = z.object({
 
 export async function listSites(req: Request, res: Response, next: NextFunction): Promise<any> {
   try {
-    // Check if the user has permission to list sites
-    // const LIST_SITES_ACTION_ID = 1; // Assume 1 is the action ID for listing sites
-    // const hasPermission = await checkUserActionPermission(LIST_SITES_ACTION_ID, req);
-    // if (!hasPermission) {
-    //   return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
-    // }
-
     const parsedQuery = listSitesSchema.safeParse(req.query);
     if (!parsedQuery.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedQuery.error.errors.map(e => e.message).join(', ')));
     }
     const { limit, offset } = parsedQuery.data;
 
+    
     const parsedParams = listSitesParamsSchema.safeParse(req.params);
     if (!parsedParams.success) {
       return next(createHttpError(HttpCode.BAD_REQUEST, parsedParams.error.errors.map(e => e.message).join(', ')));
     }
     const { orgId } = parsedParams.data;
-
+    
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listSites, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+    
     if (orgId && orgId !== req.userOrgId) {
       return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
     }

server/routers/site/updateSite.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 // Define Zod schema for request parameters validation
 const updateSiteParamsSchema = z.object({
@@ -52,6 +53,12 @@ export async function updateSite(req: Request, res: Response, next: NextFunction
     const { siteId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateSite, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     // Update the site in the database
     const updatedSite = await db.update(sites)
       .set(updateData)

server/routers/target/createTarget.ts

@@ -5,6 +5,7 @@ import { targets } from '@server/db/schema';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const createTargetParamsSchema = z.object({
   resourceId: z.string().uuid(),
@@ -44,6 +45,12 @@ export async function createTarget(req: Request, res: Response, next: NextFuncti
 
     const { resourceId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.createTarget, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const newTarget = await db.insert(targets).values({
       resourceId,
       ...targetData

server/routers/target/deleteTarget.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const deleteTargetSchema = z.object({
   targetId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -25,6 +26,12 @@ export async function deleteTarget(req: Request, res: Response, next: NextFuncti
 
     const { targetId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteTarget, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const deletedTarget = await db.delete(targets)
       .where(eq(targets.targetId, targetId))
       .returning();

server/routers/target/getTarget.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const getTargetSchema = z.object({
   targetId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -25,6 +26,12 @@ export async function getTarget(req: Request, res: Response, next: NextFunction)
 
     const { targetId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.getTarget, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const target = await db.select()
       .from(targets)
       .where(eq(targets.targetId, targetId))

server/routers/target/listTargets.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql, eq } from 'drizzle-orm';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listTargetsParamsSchema = z.object({
     resourceId: z.string().optional()
@@ -41,6 +42,12 @@ export async function listTargets(req: Request, res: Response, next: NextFunctio
     }
 
     const { resourceId } = parsedParams.data;
+    
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listTargets, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
 
     let baseQuery: any = db
       .select({

server/routers/target/updateTarget.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const updateTargetParamsSchema = z.object({
   targetId: z.string().transform(Number).pipe(z.number().int().positive())
@@ -46,6 +47,12 @@ export async function updateTarget(req: Request, res: Response, next: NextFuncti
     const { targetId } = parsedParams.data;
     const updateData = parsedBody.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.updateTarget, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const updatedTarget = await db.update(targets)
       .set(updateData)
       .where(eq(targets.targetId, targetId))

server/routers/user/deleteUser.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const deleteUserSchema = z.object({
   userId: z.string().uuid()
@@ -25,6 +26,12 @@ export async function deleteUser(req: Request, res: Response, next: NextFunction
 
     const { userId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.deleteUser, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const deletedUser = await db.delete(users)
       .where(eq(users.id, userId))
       .returning();

server/routers/user/getUser.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm';
 import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const getUserSchema = z.object({
   userId: z.string().uuid()
@@ -25,6 +26,12 @@ export async function getUser(req: Request, res: Response, next: NextFunction):
 
     const { userId } = parsedParams.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.getUser, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const user = await db.select()
       .from(users)
       .where(eq(users.id, userId))

server/routers/user/listUsers.ts

@@ -6,6 +6,7 @@ import response from "@server/utils/response";
 import HttpCode from '@server/types/HttpCode';
 import createHttpError from 'http-errors';
 import { sql } from 'drizzle-orm';
+import { ActionsEnum, checkUserActionPermission } from '@server/auth/actions';
 
 const listUsersSchema = z.object({
   limit: z.string().optional().transform(Number).pipe(z.number().int().positive().default(10)),
@@ -26,6 +27,12 @@ export async function listUsers(req: Request, res: Response, next: NextFunction)
 
     const { limit, offset } = parsedQuery.data;
 
+    // Check if the user has permission to list sites
+    const hasPermission = await checkUserActionPermission(ActionsEnum.listUsers, req);
+    if (!hasPermission) {
+      return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have permission to list sites'));
+    }
+
     const usersList = await db.select()
       .from(users)
       .limit(limit)