check resource policy in verifyResourceAccess middleware
@@ -1,11 +1,15 @@
|
|||||||
import { Request, Response, NextFunction } from "express";
|
import { Request, Response, NextFunction } from "express";
|
||||||
import { db, Resource } from "@server/db";
|
import { db, Resource } from "@server/db";
|
||||||
import { resources, userOrgs, userResources, roleResources } from "@server/db";
|
import { resources, userOrgs } from "@server/db";
|
||||||
import { and, eq, inArray } from "drizzle-orm";
|
import { and, eq } from "drizzle-orm";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
|
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
|
||||||
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
||||||
|
import {
|
||||||
|
getRoleResourceAccess,
|
||||||
|
getUserResourceAccess
|
||||||
|
} from "@server/db/queries/verifySessionQueries";
|
||||||
|
|
||||||
export async function verifyResourceAccess(
|
export async function verifyResourceAccess(
|
||||||
req: Request,
|
req: Request,
|
||||||
@@ -116,37 +120,22 @@ export async function verifyResourceAccess(
|
|||||||
|
|
||||||
const roleResourceAccess =
|
const roleResourceAccess =
|
||||||
(req.userOrgRoleIds?.length ?? 0) > 0
|
(req.userOrgRoleIds?.length ?? 0) > 0
|
||||||
? await db
|
? await getRoleResourceAccess(
|
||||||
.select()
|
resource.resourceId,
|
||||||
.from(roleResources)
|
req.userOrgRoleIds!
|
||||||
.where(
|
)
|
||||||
and(
|
: null;
|
||||||
eq(roleResources.resourceId, resource.resourceId),
|
|
||||||
inArray(
|
|
||||||
roleResources.roleId,
|
|
||||||
req.userOrgRoleIds!
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1)
|
|
||||||
: [];
|
|
||||||
|
|
||||||
if (roleResourceAccess.length > 0) {
|
if (roleResourceAccess) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
const userResourceAccess = await db
|
const userResourceAccess = await getUserResourceAccess(
|
||||||
.select()
|
userId,
|
||||||
.from(userResources)
|
resource.resourceId
|
||||||
.where(
|
);
|
||||||
and(
|
|
||||||
eq(userResources.userId, userId),
|
|
||||||
eq(userResources.resourceId, resource.resourceId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (userResourceAccess.length > 0) {
|
if (userResourceAccess) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
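Review bot: The access decision now hinges on the truthiness of whatever `getRoleResourceAccess` and `getUserResourceAccess` return (`if (roleResourceAccess)` and `if (userResourceAccess)`), whereas the removed code checked `.length > 0` on a query result; the helpers' return types are not visible in this hunk, so confirm that both return a nullish value when no row matches. If either helper still returns an array (`[]` for no match, as the old `.limit(1)` query did), an empty array is truthy and `next()` is reached for any caller with a role or any authenticated user, which would be an authorization bypass in this middleware. A defensive form that does not depend on the helper's shape is `const roleResourceAccess = roleIds.length > 0 ? await getRoleResourceAccess(resource.resourceId, roleIds) : null;` preceded by `const roleIds = req.userOrgRoleIds ?? [];`, which also removes the `req.userOrgRoleIds!` non-null assertion, with the helpers documented as returning a single row or `null`. The body of `verifyResourceAccess` starts in the earlier hunk and continues past this one, so the `checkOrgAccessPolicy` check the commit title refers to is not visible here.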
|
|||||||
@@ -300,6 +300,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
|
|||||||
let isAllowed = false;
|
let isAllowed = false;
|
||||||
try {
|
try {
|
||||||
const response = await resourceAccessProxy(props.resource.id);
|
const response = await resourceAccessProxy(props.resource.id);
|
||||||
|
console.log("response", response);
|
||||||
if (response.error) {
|
if (response.error) {
|
||||||
setAccessDenied(true);
|
setAccessDenied(true);
|
||||||
} else {
|
} else {
|
||||||
|
|||||||