check resource policy in verifyResourceAccess middleware

2026-06-11 10:03:35 +00:00 · 2026-06-09 17:52:31 -07:00
parent bdb38db5bc
commit dd2c9f2a02
2 changed files with 18 additions and 28 deletions
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,11 +1,15 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
-import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { resources, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import {
+    getRoleResourceAccess,
+    getUserResourceAccess
+} from "@server/db/queries/verifySessionQueries";

 export async function verifyResourceAccess(
    req: Request,
@@ -116,37 +120,22 @@ export async function verifyResourceAccess(

        const roleResourceAccess =
            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleResources)
-                      .where(
-                          and(
-                              eq(roleResources.resourceId, resource.resourceId),
-                              inArray(
-                                  roleResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+                ? await getRoleResourceAccess(
+                      resource.resourceId,
+                      req.userOrgRoleIds!
+                  )
+                : null;

-        if (roleResourceAccess.length > 0) {
+        if (roleResourceAccess) {
            return next();
        }

-        const userResourceAccess = await db
-            .select()
-            .from(userResources)
-            .where(
-                and(
-                    eq(userResources.userId, userId),
-                    eq(userResources.resourceId, resource.resourceId)
-                )
-            )
-            .limit(1);
+        const userResourceAccess = await getUserResourceAccess(
+            userId,
+            resource.resourceId
+        );

-        if (userResourceAccess.length > 0) {
+        if (userResourceAccess) {
            return next();
        }

--- a/src/components/ResourceAuthPortal.tsx
+++ b/src/components/ResourceAuthPortal.tsx
@@ -300,6 +300,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
        let isAllowed = false;
        try {
            const response = await resourceAccessProxy(props.resource.id);
+            console.log("response", response);
            if (response.error) {
                setAccessDenied(true);
            } else {