(actionType = "readOwn", entity = "chart")
| 177 | }; |
| 178 | |
| 179 | const checkPermissions = (actionType = "readOwn", entity = "chart") => { |
| 180 | return async (req, res, next) => { |
| 181 | const projectId = req.params.project_id || req.body?.project_id; |
| 182 | const chartId = req.params.chart_id || req.body?.chart_id; |
| 183 | |
| 184 | const project = await projectController.findById(projectId); |
| 185 | if (!project) { |
| 186 | return res.status(404).json({ message: "Project not found" }); |
| 187 | } |
| 188 | |
| 189 | const teamRole = await teamController.getTeamRole(project.team_id, req.user.id); |
| 190 | |
| 191 | req.user.teamRole = teamRole; |
| 192 | |
| 193 | if (!teamRole?.role) { |
| 194 | return res.status(403).json({ message: "Access denied" }); |
| 195 | } |
| 196 | |
| 197 | // check if the chart is part of the right project |
| 198 | if (chartId && projectId) { |
| 199 | const chart = await chartController.findById(req.params.chart_id); |
| 200 | if (chart.project_id.toString() !== projectId.toString()) { |
| 201 | return res.status(403).json({ message: "Access denied" }); |
| 202 | } |
| 203 | } |
| 204 | |
| 205 | // check if the alert is part of a chart in the right project |
| 206 | if (chartId && req.params.alert_id) { |
| 207 | const alert = await alertController.findById(req.params.alert_id); |
| 208 | if (alert.chart_id.toString() !== chartId.toString()) { |
| 209 | return res.status(403).json({ message: "Access denied" }); |
| 210 | } |
| 211 | } |
| 212 | |
| 213 | // check if the cdc is part of a chart in the right project |
| 214 | if (chartId && req.params.cdc_id) { |
| 215 | const cdc = await db.ChartDatasetConfig.findByPk(req.params.cdc_id); |
| 216 | if (cdc.chart_id.toString() !== chartId.toString()) { |
| 217 | return res.status(403).json({ message: "Access denied" }); |
| 218 | } |
| 219 | } |
| 220 | |
| 221 | if (["teamOwner", "teamAdmin"].includes(teamRole.role)) { |
| 222 | const permission = accessControl.can(teamRole.role)[actionType](entity); |
| 223 | if (!permission.granted) { |
| 224 | return res.status(403).json({ message: "Access denied" }); |
| 225 | } |
| 226 | |
| 227 | return next(); |
| 228 | } |
| 229 | |
| 230 | if (teamRole?.projects?.length > 0) { |
| 231 | if (projectId) { |
| 232 | const filteredProjects = teamRole.projects.filter((o) => `${o}` === `${projectId}`); |
| 233 | if (filteredProjects.length === 0 && !project.ghost) { |
| 234 | return res.status(403).json({ message: "Access denied" }); |
| 235 | } |
| 236 | } |