From 7c6d3fe5ee697f72922f905d847d4fe505b9c35e Mon Sep 17 00:00:00 2001
From: "D. Berge"
Date: Sat, 12 Jul 2025 16:49:10 +0200
Subject: [PATCH] Check permissions against vessel if not on a project endpoint
---
 lib/www/server/api/middleware/auth/access.js | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/lib/www/server/api/middleware/auth/access.js b/lib/www/server/api/middleware/auth/access.js
index fa5b1a6..e376f5d 100644
--- a/lib/www/server/api/middleware/auth/access.js
+++ b/lib/www/server/api/middleware/auth/access.js
@@ -3,21 +3,16 @@ const { projectOrganisations, orgAccess } = require('../../../lib/db/project/org
 /** Second-order function.
 * Returns a middleware that checks if the user has access to
 * `operation` in the project identified by `req.params.project`
+ * or, if `req.params.project` is not defined, against the vessel
+ * access permissions.
 */
 function operation (operation) {
 return async function (req, res, next) {
- if (req.user) {
- if (req.params.project) {
- if (await orgAccess(req.user.organisations, req.params.project, operation)) {
- next();
- return;
- }
- } else {
- next();
- return;
- }
+ if (await orgAccess(req.user?.organisations, req.params.project ?? null, operation)) {
+ next();
+ } else {
+ next({status: 403, message: "Access denied"});
 }
- next({status: 403, message: "Access denied"});
 }
 }
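Review bot: Removing the `if (req.user)` guard leaves the refusal of unauthenticated requests entirely to how `orgAccess` treats an `undefined` organisations argument; before this patch an anonymous caller was always denied in this middleware, now it is denied only if `orgAccess(undefined, …)` happens to resolve falsy, and that helper lives in another file. I would keep an explicit fail-closed check ahead of the database call, `if (!req.user) { next({status: 403, message: "Access denied"}); return; }`, so the access decision does not depend on a remote function's handling of a missing user. Related: the new doc comment says the vessel check applies when `req.params.project` "is not defined", but `?? null` only substitutes for `null`/`undefined`, whereas the removed truthiness test also treated an empty string as absent; it is worth confirming that `orgAccess` handles `''` the way the route intends, or documenting that a project parameter is never empty here. The enclosing `operation` function is fully within the hunk.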