archetecture security fix
This commit is contained in:
@@ -0,0 +1,22 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.requireCompanyPolicy = requireCompanyPolicy;
|
||||
const authHelpers_1 = require("./authHelpers");
|
||||
const companyPolicy_1 = require("../security/policies/companyPolicy");
|
||||
function requireCompanyPolicy(action) {
|
||||
return (req, res, next) => {
|
||||
const employee = req.employee;
|
||||
if (!employee)
|
||||
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required');
|
||||
const allowedRoles = companyPolicy_1.CompanyPolicy[action];
|
||||
if (!allowedRoles.includes(employee.role)) {
|
||||
return (0, authHelpers_1.sendForbidden)(res, 'forbidden', 'You do not have permission to perform this action', {
|
||||
action,
|
||||
allowedRoles,
|
||||
yourRole: employee.role,
|
||||
});
|
||||
}
|
||||
next();
|
||||
};
|
||||
}
|
||||
//# sourceMappingURL=requireCompanyPolicy.js.map
|
||||
Reference in New Issue
Block a user