feat: use meta operation access

konecty · Nov 29, 2024 · 5a9fd10 · 5a9fd10
1 parent efc0101
commit 5a9fd10
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/src/imports/model/User.ts b/src/imports/model/User.ts
@@ -23,6 +23,9 @@ export const UserModel = z.object({
 					readAccess: z.boolean().or(z.string()).optional(),
 					updateAccess: z.boolean().or(z.string()).optional(),
 					createAccess: z.boolean().optional(),
+
+					updateDocument: z.boolean().or(z.string()).optional(),
+					deleteDocument: z.boolean().or(z.string()).optional(),
 				})
 				.optional(),
 		})

diff --git a/src/server/routes/api/document/index.ts b/src/server/routes/api/document/index.ts
@@ -3,11 +3,12 @@ import fp from 'fastify-plugin';
 
 import { getUserFromRequest } from '@imports/auth/getUser';
 import { getDocument } from '@imports/document';
-import { logger } from '@imports/utils/logger';
-import { WithoutId } from 'mongodb';
 import { loadMetaObjects } from '@imports/meta/loadMetaObjects';
 import { MetaObject } from '@imports/model/MetaObject';
 import { MetaObjectSchema, MetaObjectType } from '@imports/types/metadata';
+import { checkMetaOperation } from '@imports/utils/accessUtils';
+import { logger } from '@imports/utils/logger';
+import { WithoutId } from 'mongodb';
 
 const documentAPi: FastifyPluginCallback = async fastify => {
 	fastify.get<{ Params: { name: string } }>('/api/document/:name', async (req, reply) => {
@@ -58,11 +59,15 @@ const documentAPi: FastifyPluginCallback = async fastify => {
 
 		try {
 			const user = await getUserFromRequest(req);
-
-			if (user == null || user.admin !== true) {
+			if (user == null) {
 				return reply.status(401).send('Unauthorized');
 			}
 
+			const metaOperationAccess = checkMetaOperation({ user, operation: 'updateDocument', document: id });
+			if (metaOperationAccess === false) {
+				return reply.status(403).send('Forbidden');
+			}
+
 			const document = req.body as MetaObjectType;
 
 			if (document == null) {
@@ -112,11 +117,15 @@ const documentAPi: FastifyPluginCallback = async fastify => {
 
 		try {
 			const user = await getUserFromRequest(req);
-
-			if (user == null || user.admin !== true) {
+			if (user == null) {
 				return reply.status(401).send('Unauthorized');
 			}
 
+			const metaOperationAccess = checkMetaOperation({ user, operation: 'deleteDocument', document: id });
+			if (metaOperationAccess === false) {
+				return reply.status(403).send('Forbidden');
+			}
+
 			const result = await MetaObject.MetaObject.deleteOne({ _id: id });
 
 			if (result.deletedCount === 0) {