(actionType = "readAny")
| 8 | const teamController = new TeamController(); |
| 9 | |
| 10 | const checkPermissions = (actionType = "readAny") => { |
| 11 | return async (req, res, next) => { |
| 12 | const { team_id } = req.params; |
| 13 | |
| 14 | // Fetch the TeamRole for the user |
| 15 | const teamRole = await teamController.getTeamRole(team_id, req.user.id); |
| 16 | |
| 17 | if (!teamRole) { |
| 18 | return res.status(403).json({ message: "Access denied" }); |
| 19 | } |
| 20 | |
| 21 | const permission = accessControl.can(teamRole.role)[actionType]("savedQuery"); |
| 22 | if (!permission.granted) { |
| 23 | return res.status(403).json({ message: "Access denied" }); |
| 24 | } |
| 25 | |
| 26 | const { role } = teamRole; |
| 27 | |
| 28 | // Handle permissions for teamOwner and teamAdmin |
| 29 | if (["teamOwner", "teamAdmin"].includes(role)) { |
| 30 | req.user.isEditor = true; |
| 31 | } |
| 32 | |
| 33 | return next(); |
| 34 | }; |
| 35 | }; |
| 36 | |
| 37 | /** |
| 38 | * [MASTER] Route to get all saved queries |
no test coverage detected