archetecture security fix
This commit is contained in:
+30
@@ -0,0 +1,30 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.requireRole = requireRole;
|
||||
const authHelpers_1 = require("./authHelpers");
|
||||
const ROLE_RANK = {
|
||||
OWNER: 3,
|
||||
MANAGER: 2,
|
||||
AGENT: 1,
|
||||
};
|
||||
/**
|
||||
* Requires the authenticated employee to have at least `minimumRole`.
|
||||
* Must be applied after `requireCompanyAuth`.
|
||||
*/
|
||||
function requireRole(minimumRole) {
|
||||
return (req, res, next) => {
|
||||
const employee = req.employee;
|
||||
if (!employee)
|
||||
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required');
|
||||
const employeeRank = ROLE_RANK[employee.role] ?? 0;
|
||||
const requiredRank = ROLE_RANK[minimumRole] ?? 99;
|
||||
if (employeeRank < requiredRank) {
|
||||
return (0, authHelpers_1.sendForbidden)(res, 'forbidden', `This action requires the ${minimumRole} role or higher`, {
|
||||
requiredRole: minimumRole,
|
||||
yourRole: employee.role,
|
||||
});
|
||||
}
|
||||
next();
|
||||
};
|
||||
}
|
||||
//# sourceMappingURL=requireRole.js.map
|
||||
Reference in New Issue
Block a user