const ValidationError = require('../services/notifications/errors/validation');
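/**
 * Builds an Express middleware that lets a request through when the
 * authenticated user either targets their own record or holds `permission`.
 *
 * Decision order (first match wins, every other outcome fails closed):
 *   1. no `req.currentUser`                                  -> next(ValidationError('auth.unauthorized'))
 *   2. `currentUser.id` equals `req.params.id` or `req.body.id` -> next()
 *   3. `permission` is listed in `currentUser.custom_permissions` -> next()
 *   4. no `currentUser.app_role`                             -> next(ValidationError('auth.forbidden'))
 *   5. `permission` is listed in `app_role.getPermissions()` -> next(),
 *      otherwise next(ValidationError('auth.forbidden')); a rejected
 *      `getPermissions()` promise is forwarded to `next(err)`.
 *
 * A missing or non-array permission list is treated as "no permissions"
 * rather than raising a TypeError inside the middleware.
 *
 * @param {string} permission - permission name, e.g. `READ_USER`
 * @return {import("express").RequestHandler}
 */
function checkPermissions(permission) {
  // True when `list` is an array containing an entry named `permission`.
  const hasNamed = (list) =>
    Array.isArray(list) && list.some((p) => p.name === permission);

  return (req, res, next) => {
    const { currentUser } = req;
    if (!currentUser) {
      next(new ValidationError('auth.unauthorized'));
      return;
    }

    // Ownership shortcut: a user may always act on their own record. Both
    // candidate ids come from untrusted request input, so only compare when
    // the caller's id is actually set — otherwise `undefined === undefined`
    // would grant access to a user object that carries no id. `req.body` may
    // be absent when no body parser ran, hence the optional chaining.
    // NOTE(review): the shortcut applies to every route wired through this
    // middleware, including ones where `req.body.id` is not the record id.
    const targetIds = [req.params?.id, req.body?.id];
    if (currentUser.id != null && targetIds.includes(currentUser.id)) {
      next();
      return;
    }

    if (hasNamed(currentUser.custom_permissions)) {
      next();
      return;
    }

    const role = currentUser.app_role;
    if (!role) {
      next(new ValidationError('auth.forbidden'));
      return;
    }

    // Role permissions are loaded asynchronously; a lookup failure is passed
    // to the error handler rather than swallowed, so the request fails closed.
    role
      .getPermissions()
      .then((permissions) => {
        if (hasNamed(permissions)) {
          next();
        } else {
          next(new ValidationError('auth.forbidden'));
        }
      })
      .catch(next);
  };
}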
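/**
 * HTTP method -> CRUD action, used by `checkCrudPermissions` to build
 * `<ACTION>_<RESOURCE>` permission names. Frozen so the authorization lookup
 * table cannot be altered at runtime; methods not listed here (e.g. HEAD,
 * OPTIONS) map to `undefined`.
 */
const METHOD_MAP = Object.freeze({
  POST: 'CREATE',
  GET: 'READ',
  PUT: 'UPDATE',
  PATCH: 'UPDATE',
  DELETE: 'DELETE',
});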
/**
 * Maps the request's HTTP method onto a CRUD action and delegates to
 * `checkPermissions` with the derived permission name
 * (`<ACTION>_<NAME>`, e.g. `READ_USER` for `GET` and name `user`).
 * A method absent from `METHOD_MAP` produces an `undefined_<NAME>` name,
 * which is unlikely to match any stored permission, so such requests are
 * only admitted through the ownership shortcut in `checkPermissions`.
 *
 * @param {string} name - resource name; upper-cased when building the permission
 * @return {import("express").RequestHandler}
 */
function checkCrudPermissions(name) {
  return (req, res, next) => {
    const action = METHOD_MAP[req.method];
    const resource = name.toUpperCase();
    const guard = checkPermissions(`${action}_${resource}`);
    guard(req, res, next);
  };
}
// Public surface of this module: both factories return Express RequestHandlers
// that call next() on success and next(ValidationError) on denial.
module.exports = { checkPermissions, checkCrudPermissions };