marketing-shibata50/tududi
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tududi/backend/middleware/authorize.js
antanst e58ea08b7b Introduce RBAC scaffolding (roles, permissions, actions) and admin/shares endpoints. 
Adds initial models, migrations, and services to support role-based access and sharing; wires routes to prepare for permission-driven features.
2025-09-22 15:20:46 +03:00

31 lines
No EOL
1.2 KiB
JavaScript
Raw Blame History

const permissionsService = require('../services/permissionsService');
// requiredAccess: 'ro' | 'rw' | 'admin'
// resourceType: 'project' | 'task' | 'note'
// getResourceUid: function(req) => string | Promise<string>
function hasAccess(requiredAccess, resourceType, getResourceUid, options = {}) {
const notFoundMessage = options.notFoundMessage || 'Not found';
const forbiddenStatus = options.forbiddenStatus || 403; // 403 by default; can be 404 for legacy routes
const LEVELS = { none: 0, ro: 1, rw: 2, admin: 3 };
return async function (req, res, next) {
try {
const uid = await (typeof getResourceUid === 'function' ? getResourceUid(req) : getResourceUid);
if (!uid) return res.status(404).json({ error: notFoundMessage });
const access = await permissionsService.getAccess(
req.currentUser?.id || req.session?.userId,
resourceType,
uid
);
if (LEVELS[access] >= LEVELS[requiredAccess]) return next();
if (forbiddenStatus === 404) {
return res.status(404).json({ error: notFoundMessage });
}
return res.status(403).json({ error: 'Forbidden' });
} catch (err) {
next(err);
}
};
}
module.exports = { hasAccess };
Reference in a new issue View git blame Copy permalink