marketing-shibata50/tududi
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tududi/backend/middleware/authorize.js
antanst b8611d9338 chore(lint): remove unnecessary try/catch and tighten error handling 
- Projects: remove superfluous try/catch around toast; keep explicit error path
- AdminUsers/Sidebar/ShareService: keep minimal catch blocks only to ignore non-JSON parse failures, without swallowing errors
- Lint/format pass remains green
2025-09-22 15:20:46 +03:00

33 lines
1.3 KiB
JavaScript
Raw Blame History

const permissionsService = require('../services/permissionsService');
// requiredAccess: 'ro' | 'rw' | 'admin'
// resourceType: 'project' | 'task' | 'note'
// getResourceUid: function(req) => string | Promise<string>
function hasAccess(requiredAccess, resourceType, getResourceUid, options = {}) {
const notFoundMessage = options.notFoundMessage || 'Not found';
const forbiddenStatus = options.forbiddenStatus || 403; // 403 by default; can be 404 for legacy routes
const LEVELS = { none: 0, ro: 1, rw: 2, admin: 3 };
return async function (req, res, next) {
try {
const uid = await (typeof getResourceUid === 'function'
? getResourceUid(req)
: getResourceUid);
if (!uid) return res.status(404).json({ error: notFoundMessage });
const access = await permissionsService.getAccess(
req.currentUser?.id || req.session?.userId,
resourceType,
uid
);
if (LEVELS[access] >= LEVELS[requiredAccess]) return next();
if (forbiddenStatus === 404) {
return res.status(404).json({ error: notFoundMessage });
}
return res.status(403).json({ error: 'Forbidden' });
} catch (err) {
next(err);
}
};
}
module.exports = { hasAccess };
Reference in a new issue View git blame Copy permalink