Refactor auth.access middleware.

It users @dougal/user and @dougal/organisations classes.
2025-12-06 11:37:08 +00:00 · 2025-07-24 19:14:19 +02:00
parent d58bc4d62e
commit f5441d186f
1 changed files with 65 additions and 5 deletions
--- a/lib/www/server/api/middleware/auth/access.js
+++ b/lib/www/server/api/middleware/auth/access.js
@@ -1,4 +1,6 @@
-const { projectOrganisations, orgAccess } = require('../../../lib/db/project/organisations');
+const { projectOrganisations, vesselOrganisations/*, orgAccess */} = require('../../../lib/db/project/organisations');
+const ServerUser = require('../../../lib/db/user/User');
+const { Organisations } = require('@dougal/organisations');

 /** Second-order function.
 * Returns a middleware that checks if the user has access to
@@ -8,20 +10,78 @@ const { projectOrganisations, orgAccess } = require('../../../lib/db/project/org
 */
 function operation (operation) {
 	return async function (req, res, next) {
-		if (await orgAccess(req.user?.organisations, req.params.project ?? null, operation)) {
-			next();
+		const user = new ServerUser(req.user);
+		if (req.params.project) {
+			const projectOrgs = new Organisations(await projectOrganisations(req.params.project));
+			const availableOrgs = projectOrgs.accessToOperation(operation).filter(user.organisations);
+			console.log("Operation:      ", operation);
+			console.log("User:           ", user.name);
+			console.log("User orgs:      ", user.organisations);
+			console.log("Project orgs:   ", projectOrgs);
+			console.log("Available orgs: ", availableOrgs);
+			if (availableOrgs.length > 0) {
+				next();
+				return;
+			}
 		} else {
-			next({status: 403, message: "Access denied"});
+			const vesselOrgs = new Organisations(await vesselOrganisations());
+			const availableOrgs = vesselOrgs.accessToOperation(operation).filter(user.organisations);
+			console.log("Operation:      ", operation);
+			console.log("User:           ", user.name);
+			console.log("User orgs:      ", user.organisations);
+			console.log("Vessel orgs:    ", vesselOrgs);
+			console.log("Available orgs: ", availableOrgs);
+			if (availableOrgs.length > 0) {
+				next();
+				return;
+			}
+		}
+		next({status: 403, message: "Access denied"});
+	}
+}
+// function operation (operation) {
+// 	return async function (req, res, next) {
+// 		if (await orgAccess(req.user?.organisations, req.params.project ?? null, operation)) {
+// 			next();
+// 		} else {
+// 			next({status: 403, message: "Access denied"});
+// 		}
+// 	}
+// }
+
+// Everyone can access
+async function all (req, res, next) {
+	next();
+}
+
+// Any logged in user can access
+async function user (req, res, next) {
+	if (req.user) {
+		next();
+	} else {
+		next({status: 403, message: "Access denied"});
+	}
+}
+
+// Any user who is an admin of at least one organisation
+async function admin (req, res, next) {
+	if (req.user) {
+		const user = new ServerUser(req.user);
+		if (user.operations.accessToOperation("edit").length > 0) {
+			next();
+			return;
 		}
 	}
+	next({status: 403, message: "Access denied"});
 }

 const read = operation('read');
 const write = operation('write');
 const edit = operation('edit');
-const admin = edit;

 module.exports = {
+	all,
+	user,
 	read,
 	write,
 	edit,