mirror of
https://github.com/sasjs/server.git
synced 2026-01-10 16:00:05 +00:00
chore: code fixes API + web
This commit is contained in:
Saad Jutt
@@ -5,7 +5,7 @@ import {
|
||||
fetchLatestAutoExec,
|
||||
ModeType,
|
||||
verifyTokenInDB,
|
||||
getAuthorizedRoutes
|
||||
isAuthorizingRoute
|
||||
} from '../utils'
|
||||
import { desktopUser } from './desktop'
|
||||
import { authorize } from './authorize'
|
||||
@@ -21,9 +21,7 @@ export const authenticateAccessToken: RequestHandler = async (
|
||||
return next()
|
||||
}
|
||||
|
||||
const authorizedRoutes = getAuthorizedRoutes()
|
||||
const uri = req.baseUrl + req.path
|
||||
const nextFunction = authorizedRoutes.includes(uri)
|
||||
const nextFunction = isAuthorizingRoute(req)
|
||||
? () => authorize(req, res, next)
|
||||
: next
|
||||
|
||||
|
||||
@@ -2,35 +2,35 @@ import { RequestHandler } from 'express'
|
||||
import User from '../model/User'
|
||||
import Permission from '../model/Permission'
|
||||
import { PermissionSetting } from '../controllers/permission'
|
||||
import { getUri } from '../utils'
|
||||
|
||||
export const authorize: RequestHandler = async (req, res, next) => {
|
||||
let permission
|
||||
const user = req.user || req.session.user
|
||||
if (user) {
|
||||
// no need to check for permissions when user is admin
|
||||
if (user.isAdmin) return next()
|
||||
|
||||
const dbUser = await User.findOne({ id: user.userId })
|
||||
if (!dbUser) return res.sendStatus(401)
|
||||
|
||||
const uri = req.baseUrl + req.path
|
||||
|
||||
// find permission w.r.t user
|
||||
permission = await Permission.findOne({ uri, user: dbUser._id })
|
||||
|
||||
if (permission) {
|
||||
if (permission.setting === PermissionSetting.grant) return next()
|
||||
else res.sendStatus(401)
|
||||
}
|
||||
|
||||
// find permission w.r.t user's groups
|
||||
for (const group of dbUser.groups) {
|
||||
permission = await Permission.findOne({ uri, group })
|
||||
if (permission && permission.setting === PermissionSetting.grant)
|
||||
return next()
|
||||
}
|
||||
const { user } = req
|
||||
|
||||
if (!user) {
|
||||
return res.sendStatus(401)
|
||||
}
|
||||
|
||||
// no need to check for permissions when user is admin
|
||||
if (user.isAdmin) return next()
|
||||
|
||||
const dbUser = await User.findOne({ id: user.userId })
|
||||
if (!dbUser) return res.sendStatus(401)
|
||||
|
||||
const uri = getUri(req)
|
||||
|
||||
// find permission w.r.t user
|
||||
const permission = await Permission.findOne({ uri, user: dbUser._id })
|
||||
|
||||
if (permission) {
|
||||
if (permission.setting === PermissionSetting.grant) return next()
|
||||
else return res.sendStatus(401)
|
||||
}
|
||||
|
||||
// find permission w.r.t user's groups
|
||||
for (const group of dbUser.groups) {
|
||||
const groupPermission = await Permission.findOne({ uri, group })
|
||||
if (groupPermission?.setting === PermissionSetting.grant) return next()
|
||||
}
|
||||
return res.sendStatus(401)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user