feat: check for client match on GET endpoint of permits and processed
This commit is contained in:
@@ -29,7 +29,7 @@ export async function getPermitHandler(req: FastifyRequest, res: FastifyReply) {
|
|||||||
const { permitId } = req.params as { permitId: string };
|
const { permitId } = req.params as { permitId: string };
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const permit = await getPermit(permitId, req.user.tenantId);
|
const permit = await getPermit(permitId, req.user);
|
||||||
if (permit === null)
|
if (permit === null)
|
||||||
return res.code(404).send({ error: "resource not found" });
|
return res.code(404).send({ error: "resource not found" });
|
||||||
|
|
||||||
|
|||||||
@@ -91,15 +91,20 @@ export async function createPermit(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function getPermit(permitId: string, tenantId: string) {
|
export async function getPermit(permitId: string, user: AuthenticatedUser) {
|
||||||
return await permitModel
|
const permit = await permitModel
|
||||||
.findOne({
|
.findOne({
|
||||||
$and: [{ tenantId: tenantId }, { pid: permitId }],
|
$and: [{ tenantId: user.tenantId }, { pid: permitId }],
|
||||||
})
|
})
|
||||||
//.populate({ path: "county", select: "pid name avatar" })
|
//.populate({ path: "county", select: "pid name avatar" })
|
||||||
//.populate({ path: "client", select: "pid name avatar" })
|
//.populate({ path: "client", select: "pid name avatar" })
|
||||||
.populate({ path: "assignedTo", select: "pid name avatar" })
|
.populate({ path: "assignedTo", select: "pid name avatar" })
|
||||||
.populate({ path: "createdBy", select: "pid name avatar" });
|
.populate({ path: "createdBy", select: "pid name avatar" });
|
||||||
|
|
||||||
|
if (permit && user.role == "client" && user.orgId != permit.client.toString())
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return permit;
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function listPermits(
|
export async function listPermits(
|
||||||
|
|||||||
@@ -68,7 +68,7 @@ export async function processedRoutes(fastify: FastifyInstance) {
|
|||||||
const { permitId } = req.params as { permitId: string };
|
const { permitId } = req.params as { permitId: string };
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const permit = await getProcessedPermit(permitId, req.user.tenantId);
|
const permit = await getProcessedPermit(permitId, req.user);
|
||||||
return res.code(200).send(permit);
|
return res.code(200).send(permit);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
return err;
|
return err;
|
||||||
|
|||||||
@@ -16,13 +16,21 @@ import { createAlert } from "../alert/alert.service";
|
|||||||
import { getUser } from "../user/user.service";
|
import { getUser } from "../user/user.service";
|
||||||
import { orgModel } from "../organization/organization.schema";
|
import { orgModel } from "../organization/organization.schema";
|
||||||
|
|
||||||
export async function getProcessedPermit(permitId: String, tenantId: String) {
|
export async function getProcessedPermit(
|
||||||
return await processedModel
|
permitId: String,
|
||||||
|
user: AuthenticatedUser
|
||||||
|
) {
|
||||||
|
const permit = await processedModel
|
||||||
.findOne({
|
.findOne({
|
||||||
$and: [{ tenantId: tenantId }, { pid: permitId }],
|
$and: [{ tenantId: user.tenantId }, { pid: permitId }],
|
||||||
})
|
})
|
||||||
.populate({ path: "assignedTo", select: "pid name avatar" })
|
.populate({ path: "assignedTo", select: "pid name avatar" })
|
||||||
.populate({ path: "createdBy", select: "pid name avatar" });
|
.populate({ path: "createdBy", select: "pid name avatar" });
|
||||||
|
|
||||||
|
if (permit && user.role == "client" && user.orgId != permit.client.toString())
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return permit;
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function updateProcessed(
|
export async function updateProcessed(
|
||||||
|
|||||||
Reference in New Issue
Block a user