"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.usersRouter = void 0;
const express_1 = require("express");
const client_1 = require("@prisma/client");
const users_service_1 = require("./users.service");
const users_schemas_1 = require("./users.schemas");
const validate_1 = require("../../middleware/validate");
const auth_middleware_1 = require("../../middleware/auth.middleware");
const rbac_middleware_1 = require("../../middleware/rbac.middleware");
/**
 * Roles allowed to administer other users.
 *
 * Used in two places: as the argument to the per-route requireRole()
 * middleware, and inside the GET/PUT /:id handlers for their
 * "admin or self" decision. Keep both in sync through this one list.
 */
const { SUPER_ADMIN, INFLUENCE_ADMIN, MAP_ADMIN } = client_1.UserRole;
const ADMIN_ROLES = [SUPER_ADMIN, INFLUENCE_ADMIN, MAP_ADMIN];
// Route comments below document this router as mounted at /api/users.
const router = (0, express_1.Router)();
exports.usersRouter = router;
// All user routes require authentication. The handlers below read
// req.user.role / req.user.id without a null check, so they rely on
// authenticate() either populating req.user or ending the request.
router.use(auth_middleware_1.authenticate);
|
|
// GET /api/users — list users (admin only)
// requireRole() gates the route to ADMIN_ROLES and validate() checks the
// query string against listUsersSchema before this handler runs. Any
// thrown error (service or otherwise) is forwarded to the error middleware.
const listUsers = async (req, res, next) => {
  try {
    res.json(await users_service_1.usersService.findAll(req.query));
  } catch (err) {
    next(err);
  }
};
router.get('/', (0, rbac_middleware_1.requireRole)(...ADMIN_ROLES), (0, validate_1.validate)(users_schemas_1.listUsersSchema, 'query'), listUsers);
|
|
// GET /api/users/:id — get user (admin or self)
// No requireRole() here on purpose: the authorization decision depends on
// the requested id, so it is made inside the handler.
const getUser = async (req, res, next) => {
  try {
    const { id } = req.params;
    // Admins may read any record; everyone else only their own.
    // NOTE(review): req.params.id is always a string — if req.user.id is
    // numeric this strict comparison never matches and self-reads are
    // always refused. Confirm against the auth middleware.
    const allowed = ADMIN_ROLES.includes(req.user.role) || req.user.id === id;
    if (!allowed) {
      res.status(403).json({ error: { message: 'Insufficient permissions', code: 'FORBIDDEN' } });
      return;
    }
    res.json(await users_service_1.usersService.findById(id));
  } catch (err) {
    next(err);
  }
};
router.get('/:id', getUser);
|
|
// POST /api/users — create user (admin only)
// requireRole() restricts the route to ADMIN_ROLES and validate() runs
// req.body through createUserSchema first; only what validate() lets
// through reaches the service. Errors go to the error middleware via next().
const createUser = async (req, res, next) => {
  try {
    const created = await users_service_1.usersService.create(req.body);
    res.status(201).json(created);
  } catch (err) {
    next(err);
  }
};
router.post('/', (0, rbac_middleware_1.requireRole)(...ADMIN_ROLES), (0, validate_1.validate)(users_schemas_1.createUserSchema), createUser);
|
|
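// PUT /api/users/:id — update user (admin or self, role changes admin-only)
//
// Fields only an admin may set. This is a denylist: if updateUserSchema
// ever gains another privileged field it must be added here too, or a user
// editing their own record will be able to set it. A dedicated self-update
// schema (allowlist) would fail closed instead; that is a follow-up.
const ADMIN_ONLY_UPDATE_FIELDS = ['role', 'status'];

/**
 * Returns a copy of `body` with the admin-only fields removed.
 *
 * The request body is not mutated, so error/audit middleware further down
 * the chain still sees exactly what the client sent. Non-object bodies
 * (undefined, strings, arrays) are returned unchanged so that schema
 * validation reports them instead of this helper throwing.
 *
 * @param {unknown} body - the raw req.body
 * @returns {unknown} the same value, or a shallow copy without admin-only keys
 */
const withoutAdminOnlyFields = (body) => {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return body;
  }
  return Object.fromEntries(
    Object.entries(body).filter(([key]) => !ADMIN_ONLY_UPDATE_FIELDS.includes(key)),
  );
};

const updateUser = async (req, res, next) => {
  try {
    const { id } = req.params;
    const isAdmin = ADMIN_ROLES.includes(req.user.role);
    // NOTE(review): req.params.id is always a string — if req.user.id is
    // numeric this never matches and self-updates are always refused.
    // Confirm against the auth middleware.
    const isSelf = req.user.id === id;
    if (!isAdmin && !isSelf) {
      res.status(403).json({ error: { message: 'Insufficient permissions', code: 'FORBIDDEN' } });
      return;
    }
    // Non-admins cannot change role or status: those keys are dropped
    // silently (not rejected) before validation, matching previous behaviour.
    const payload = isAdmin ? req.body : withoutAdminOnlyFields(req.body);
    // Validated here instead of via the validate() middleware because the
    // stripping above depends on the caller's role. parse() throws on
    // invalid input and the catch below hands that to the error middleware.
    const parsed = users_schemas_1.updateUserSchema.parse(payload);
    const user = await users_service_1.usersService.update(id, parsed);
    res.json(user);
  } catch (err) {
    next(err);
  }
};
router.put('/:id', updateUser);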
|
|
// DELETE /api/users/:id — delete user (admin only)
// requireRole() limits this to ADMIN_ROLES. There is no self-delete guard
// here, so an admin can delete their own account unless the service
// refuses it (not visible from this file).
const deleteUser = async (req, res, next) => {
  try {
    await users_service_1.usersService.delete(req.params.id);
    res.status(204).send();
  } catch (err) {
    next(err);
  }
};
router.delete('/:id', (0, rbac_middleware_1.requireRole)(...ADMIN_ROLES), deleteUser);
|
|
//# sourceMappingURL=users.routes.js.map
|