const dashboardModel = require("../models/dashboardModel");
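/**
 * Middleware factory: lets a request through only when the authenticated
 * user holds one of `allowedRoles` on the target dashboard.
 *
 * The dashboard id is read from `req.params.dashboardId`, then
 * `req.params.id`, then `req.body.dashboardId` (the body is treated as
 * optional so routes without a body parser do not crash with a 500).
 * Only strictly numeric ids are accepted: `parseInt` alone would turn
 * "12abc" into 12, so the raw value is checked against /^\d+$/ first.
 *
 * On success `req.userRole` and `req.dashboardId` are attached for the
 * downstream controller.
 *
 * @param {Array<string>} allowedRoles - Roles that may access (e.g., ['Admin', 'Editor'])
 * @returns {function(object, object, function): Promise<void>} Express middleware
 * @throws {TypeError} when `allowedRoles` is not a non-empty array, so a
 *   misconfigured route fails at registration instead of as a 500 per request
 */
function checkDashboardPermission(allowedRoles) {
  if (!Array.isArray(allowedRoles) || allowedRoles.length === 0) {
    throw new TypeError("allowedRoles must be a non-empty array of role names");
  }
  return async (req, res, next) => {
    try {
      // No authenticated principal means the auth middleware did not run or
      // did not set req.user; answer 401 instead of crashing into the catch.
      const user = req.user;
      const userId = user && (user.userId || user.id);
      if (!userId) {
        return res.status(401).json({ error: "Authentication required" });
      }
      const body = req.body || {};
      const rawId = req.params.dashboardId || req.params.id || body.dashboardId;
      // Strict numeric check: rejects "12abc", "1e3", "0x10", empty and negative values.
      const dashboardId = /^\d+$/.test(String(rawId)) ? Number.parseInt(rawId, 10) : NaN;
      console.log(`Permission check - UserId: ${userId}, DashboardId: ${dashboardId}, Required roles: ${allowedRoles.join(', ')}`);
      if (!Number.isInteger(dashboardId) || dashboardId <= 0) {
        return res.status(400).json({ error: "Dashboard ID is required" });
      }
      const userRole = await dashboardModel.getUserRole(userId, dashboardId);
      console.log(`User role found: ${userRole}`);
      // A missing role means no membership at all; same 403 as a wrong role so
      // the response does not distinguish "no dashboard" from "not a member".
      if (!userRole) {
        return res.status(403).json({ error: "You do not have access to this dashboard" });
      }
      if (!allowedRoles.includes(userRole)) {
        // NOTE(review): this message echoes the caller's own role and the
        // required roles back to the client; harmless for the user's own
        // membership, but keep it in mind if role names become sensitive.
        return res.status(403).json({
          error: `Access denied. Required role: ${allowedRoles.join(" or ")}. Your role: ${userRole}`
        });
      }
      // Attach role and the validated id to the request for use in controllers
      req.userRole = userRole;
      req.dashboardId = dashboardId;
      next();
    } catch (error) {
      console.error("Permission check error:", error);
      res.status(500).json({ error: "Internal server error" });
    }
  };
}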
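/**
 * Middleware factory: lets a request through when the authenticated user has
 * any role on the target dashboard.
 *
 * The dashboard id is read from `req.params.dashboardId`, then
 * `req.params.id`, then `req.body.dashboardId` (the body is treated as
 * optional so routes without a body parser do not crash with a 500).
 * Only strictly numeric ids are accepted: `parseInt` alone would turn
 * "12abc" into 12, so the raw value is checked against /^\d+$/ first.
 *
 * On success `req.userRole` and `req.dashboardId` are attached for the
 * downstream controller.
 *
 * @returns {function(object, object, function): Promise<void>} Express middleware
 */
function checkDashboardAccess() {
  return async (req, res, next) => {
    try {
      // No authenticated principal means the auth middleware did not run or
      // did not set req.user; answer 401 instead of crashing into the catch.
      const user = req.user;
      const userId = user && (user.userId || user.id);
      if (!userId) {
        return res.status(401).json({ error: "Authentication required" });
      }
      const body = req.body || {};
      const rawId = req.params.dashboardId || req.params.id || body.dashboardId;
      // Strict numeric check: rejects "12abc", "1e3", "0x10", empty and negative values.
      const dashboardId = /^\d+$/.test(String(rawId)) ? Number.parseInt(rawId, 10) : NaN;
      console.log(`Access check - UserId: ${userId}, DashboardId: ${dashboardId}`);
      if (!Number.isInteger(dashboardId) || dashboardId <= 0) {
        console.error('Invalid dashboard ID in access check');
        return res.status(400).json({ error: "Dashboard ID is required" });
      }
      const userRole = await dashboardModel.getUserRole(userId, dashboardId);
      console.log(`User ${userId} role in dashboard ${dashboardId}: ${userRole || 'none'}`);
      // No role row at all: not a member (or no such dashboard) — both are 403.
      if (!userRole) {
        console.error(`User ${userId} has no access to dashboard ${dashboardId}`);
        return res.status(403).json({ error: "You do not have access to this dashboard" });
      }
      // Attach role and the validated id to the request for use in controllers
      req.userRole = userRole;
      req.dashboardId = dashboardId;
      console.log(`Access granted to user ${userId} for dashboard ${dashboardId} with role ${userRole}`);
      next();
    } catch (error) {
      console.error("Access check error:", error.message, error);
      res.status(500).json({ error: "Failed to verify dashboard access" });
    }
  };
}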
// Public middleware factories exported for route registration (CommonJS).
exports.checkDashboardPermission = checkDashboardPermission;
exports.checkDashboardAccess = checkDashboardAccess;