From 5e37c4e85fae68e756be5019a28ca903b161fdd5 Mon Sep 17 00:00:00 2001
From: Owen
Date: Wed, 18 Feb 2026 13:55:04 -0800
Subject: [PATCH] Resolve potential issues with processing roleIds

---
 .../middlewares/integration/verifyApiKeyRoleAccess.ts | 11 ++++++++---
 server/middlewares/verifyRoleAccess.ts | 10 ++++++++--
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/server/middlewares/integration/verifyApiKeyRoleAccess.ts b/server/middlewares/integration/verifyApiKeyRoleAccess.ts
index ffe223a6..62bfb946 100644
--- a/server/middlewares/integration/verifyApiKeyRoleAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyRoleAccess.ts
@@ -23,9 +23,14 @@ export async function verifyApiKeyRoleAccess(
 );
 }
 
- const { roleIds } = req.body;
- const allRoleIds =
- roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
+ let allRoleIds: number[] = [];
+ if (!isNaN(singleRoleId)) {
+ // If roleId is provided in URL params, query params, or body (single), use it exclusively
+ allRoleIds = [singleRoleId];
+ } else if (req.body?.roleIds) {
+ // Only use body.roleIds if no single roleId was provided
+ allRoleIds = req.body.roleIds;
+ }
 
 if (allRoleIds.length === 0) {
 return next();
diff --git a/server/middlewares/verifyRoleAccess.ts b/server/middlewares/verifyRoleAccess.ts
index 91adf07c..8858ab53 100644
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -23,8 +23,14 @@ export async function verifyRoleAccess(
 );
 }
 
- const roleIds = req.body?.roleIds;
- const allRoleIds = roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
+ let allRoleIds: number[] = [];
+ if (!isNaN(singleRoleId)) {
+ // If roleId is provided in URL params, query params, or body (single), use it exclusively
+ allRoleIds = [singleRoleId];
+ } else if (req.body?.roleIds) {
+ // Only use body.roleIds if no single roleId was provided
+ allRoleIds = req.body.roleIds;
+ }
 
 if (allRoleIds.length === 0) {
 return next();
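Review bot: `allRoleIds = req.body.roleIds;` puts request-body data into a `number[]` with no runtime check, in both verifyApiKeyRoleAccess.ts and verifyRoleAccess.ts; the annotation is erased at compile time, so a string, an object or an array of non-numbers reaches the role lookup unchanged. I would make the branch condition `Array.isArray(req.body?.roleIds) && req.body.roleIds.every((id: unknown) => Number.isInteger(id))` and answer anything else with a client error instead of leaving `allRoleIds` empty, because the visible `if (allRoleIds.length === 0) return next();` passes an empty list through without any access check. Separately, once a single roleId is present the body's `roleIds` are no longer verified at all; if a handler behind either middleware still reads `req.body.roleIds` on such a request (not visible here), those ids go unchecked, so rejecting requests that carry both, or verifying the union, would be the safer contract. Both function bodies start and end outside their hunks, so how `singleRoleId` is parsed and how `allRoleIds` is queried should be confirmed against the full files.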