Skip to content

Commit 846a668

Browse files
committed
feat: add segmentByIdMiddleware
Signed-off-by: Umberto Sgueglia <usgueglia@contractor.linuxfoundation.org>
1 parent d54a8e6 commit 846a668

2 files changed

Lines changed: 29 additions & 3 deletions

File tree

backend/src/api/segment/index.ts

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
import { safeWrap } from '../../middlewares/errorMiddleware'
2+
import { segmentByIdMiddleware } from '../../middlewares/segmentMiddleware'
23

34
export default (app) => {
45
app.post(`/segment/projectGroup`, safeWrap(require('./segmentCreateProjectGroup').default))
@@ -20,9 +21,10 @@ export default (app) => {
2021
safeWrap(require('./segmentSubprojectQueryLite').default),
2122
)
2223

23-
// get segment by id
24-
app.get(`/segment/:segmentId`, safeWrap(require('./segmentFind').default))
25-
app.put(`/segment/:segmentId`, safeWrap(require('./segmentUpdate').default))
24+
// get/update segment by id — segmentByIdMiddleware overrides currentSegments with the target
25+
// segment so that permission checks validate against the actual resource being accessed
26+
app.get(`/segment/:segmentId`, segmentByIdMiddleware, safeWrap(require('./segmentFind').default))
27+
app.put(`/segment/:segmentId`, segmentByIdMiddleware, safeWrap(require('./segmentUpdate').default))
2628
// Multiple ids
2729
app.post(`/segment/id`, safeWrap(require('./segmentByIds').default))
2830
}

backend/src/middlewares/segmentMiddleware.ts

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,30 @@ import SegmentRepository from '../database/repositories/segmentRepository'
1111

1212
const log = getServiceChildLogger('segmentMiddleware')
1313

14+
/**
15+
* Route-specific middleware for endpoints with :segmentId param (e.g. PUT/GET /segment/:segmentId).
16+
*
17+
* The global segmentMiddleware runs via app.use() before Express matches routes, so req.params
18+
* is never populated there. This middleware is registered directly on the route handler, where
19+
* Express has already resolved :segmentId, and overrides req.currentSegments with the leaf
20+
* segments of the target segment so that permission checks validate against the actual resource
21+
* being accessed rather than whatever segments the caller chose to include in body/query.
22+
*/
23+
export async function segmentByIdMiddleware(req: Request, _res: Response, next: NextFunction) {
24+
try {
25+
const segmentId = req.params.segmentId
26+
if (segmentId) {
27+
const segmentRepository = new SegmentRepository(req as unknown as IRepositoryOptions)
28+
const resolved = await resolveToLeafSegments(segmentRepository, [segmentId], req)
29+
const options = req as unknown as IRepositoryOptions
30+
options.currentSegments = resolved
31+
}
32+
next()
33+
} catch (error) {
34+
next(error)
35+
}
36+
}
37+
1438
export async function segmentMiddleware(req: Request, _res: Response, next: NextFunction) {
1539
try {
1640
let segments: any = null

0 commit comments

Comments
 (0)