diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 23a5d73e1..cbe65b8f6 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import logger from "@server/logger";
 export enum ActionsEnum {
 createOrgUser = "createOrgUser",
@@ -199,6 +200,23 @@ export async function checkUserActionPermission(
 }
 }
+ // If no direct permission, check role-based permission (any of user's roles)
+ const roleActionPermission = await db
+ .select()
+ .from(roleActions)
+ .where(
+ and(
+ eq(roleActions.actionId, actionId),
+ inArray(roleActions.roleId, userOrgRoleIds),
+ eq(roleActions.orgId, req.userOrgId!)
+ )
+ )
+ .limit(1);
+
+ if (roleActionPermission.length > 0) {
+ return true;
+ }
+
 // Check if the user has direct permission for the action in the current org
 const userActionPermission = await db
 .select()
@@ -216,20 +234,7 @@ export async function checkUserActionPermission(
 return true;
 }
- // If no direct permission, check role-based permission (any of user's roles)
- const roleActionPermission = await db
- .select()
- .from(roleActions)
- .where(
- and(
- eq(roleActions.actionId, actionId),
- inArray(roleActions.roleId, userOrgRoleIds),
- eq(roleActions.orgId, req.userOrgId!)
- )
- )
- .limit(1);
-
- return roleActionPermission.length > 0;
+ return false;
 } catch (error) {
 console.error("Error checking user action permission:", error);
 throw createHttpError(
diff --git a/server/middlewares/verifyResourcePolicyAccess.ts b/server/middlewares/verifyResourcePolicyAccess.ts
index 142468d15..30fe48e8c 100644
--- a/server/middlewares/verifyResourcePolicyAccess.ts
+++ b/server/middlewares/verifyResourcePolicyAccess.ts
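Review bot: The new `import logger from "@server/logger";` is not used by any visible hunk of actions.ts; the catch block at the end of checkUserActionPermission still writes through `console.error("Error checking user action permission:", error);`. Unless logger is consumed elsewhere in the file, this is an unused import, and the catch is the obvious place for it: `logger.error("Error checking user action permission:", error);`. Routing the failure through the project logger also keeps permission-check errors in the same stream as the rest of the server's logs, which matters when an authorization failure needs to be traced after the fact.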
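Review bot: Moving the roleActions query ahead of the direct-permission query in checkUserActionPermission changes behaviour when `userOrgRoleIds` is empty: `inArray(roleActions.roleId, userOrgRoleIds)` with an empty array either throws or compiles to a constant false depending on the drizzle-orm version, and in the throwing case a user who has only a direct grant now lands in the catch and gets the error response before the direct check is ever reached, whereas the old order ran the direct check first. Guarding the role query with `if (userOrgRoleIds.length > 0) {` (closing it after the early `return true;`) keeps the reorder without that regression. The `req.userOrgId!` assertion inside an authorization filter is also worth replacing with an explicit check that denies when the org id is missing, so the query cannot silently run with an undefined org; I cannot see from the hunk whether userOrgRoleIds and req.userOrgId are validated earlier, as the function begins and ends outside the hunks.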
@@ -111,7 +111,7 @@ export async function verifyResourcePolicyAccess(
 req.userOrgRoleIds = await getUserOrgRoleIds(
 req.userOrg.userId,
- orgId!
+ policy.orgId
 );
 req.userOrgId = policy.orgId;
diff --git a/server/middlewares/verifyUserCanSetUserOrgRoles.ts b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
index 1a7554ab3..3b8687b96 100644
--- a/server/middlewares/verifyUserCanSetUserOrgRoles.ts
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -38,7 +38,7 @@ export function verifyUserCanSetUserOrgRoles() {
 return next(
 createHttpError(
 HttpCode.FORBIDDEN,
- "User does not have permission perform this action"
+ "User does not have permission to set user organization roles"
 )
 );
 } catch (error) {
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 31c8fccfb..d9cb0e291 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -105,7 +105,6 @@ authenticated.put(
 site.createSite
 );
-
 authenticated.get(
 "/org/:orgId/sites",
 verifyOrgAccess,
@@ -727,7 +726,7 @@ authenticated.put(
 "/resource-policy/:resourcePolicyId/access-control",
 verifyResourcePolicyAccess,
 verifyUserHasAction(ActionsEnum.setResourcePolicyUsers),
- verifyUserHasAction(ActionsEnum.setResourcePolicyRoles),
+ logActionAudit(ActionsEnum.setResourcePolicyUsers),
 policy.setResourcePolicyAccessControl
 );
diff --git a/server/routers/user/getOrgUser.ts b/server/routers/user/getOrgUser.ts
index c415e186c..552b55f8a 100644
--- a/server/routers/user/getOrgUser.ts
+++ b/server/routers/user/getOrgUser.ts
@@ -47,10 +47,7 @@ export async function queryUser(orgId: string, userId: string) {
 .from(userOrgRoles)
 .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
 .where(
- and(
- eq(userOrgRoles.userId, userId),
- eq(userOrgRoles.orgId, orgId)
- )
+ and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
 );
 const isAdmin = roleRows.some((r) => r.isAdmin);
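Review bot: The switch from `orgId!` to `policy.orgId` in verifyResourcePolicyAccess creates an invariant that deserves a comment: the role ids are now resolved for the policy's org, and the next line sets `req.userOrgId = policy.orgId;`, which checkUserActionPermission (in the actions.ts hunks of this same commit) uses to filter roleActions by `req.userOrgId`. If a later edit changes one of the two back to the route's orgId, role-based permission checks silently evaluate against the wrong org. I would add, above the getUserOrgRoleIds call, `// Roles and req.userOrgId are both keyed by the policy's org; checkUserActionPermission filters roleActions on req.userOrgId, so these must stay in sync.` The function begins and ends outside the hunk, so I cannot see whether req.userOrg is guaranteed to be set before `req.userOrg.userId` is read.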
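Review bot: In the external.ts hunk at `/resource-policy/:resourcePolicyId/access-control`, replacing `verifyUserHasAction(ActionsEnum.setResourcePolicyRoles)` with `logActionAudit(ActionsEnum.setResourcePolicyUsers)` removes an authorization check rather than adding audit logging beside it. If policy.setResourcePolicyAccessControl still writes role assignments, as the route name suggests, a caller holding only setResourcePolicyUsers can now change role-based access too, which widens what that single permission grants. Unless the roles permission is being retired deliberately, I would keep both checks and append the audit middleware: `verifyUserHasAction(ActionsEnum.setResourcePolicyUsers),` / `verifyUserHasAction(ActionsEnum.setResourcePolicyRoles),` / `logActionAudit(ActionsEnum.setResourcePolicyUsers),`. I also cannot see from the hunk whether logActionAudit is imported in external.ts; the route table above and below this hunk is outside the view.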
@@ -146,7 +143,7 @@ export async function getOrgUser(
 return next(
 createHttpError(
 HttpCode.FORBIDDEN,
- "User does not have permission perform this action"
+ "User does not have permission to get organization user details"
 )
 );
 }