"use strict";
// Compiled CommonJS module: role-based access-control (RBAC) middleware.
Object.defineProperty(exports, "__esModule", { value: true });

// External dependencies: Prisma enum `UserRole` and the project's AppError.
const client_1 = require("@prisma/client");
const error_handler_1 = require("./error-handler");

// The function declarations below are hoisted, so exporting them here is safe.
exports.requireRole = requireRole;
exports.requireNonTemp = requireNonTemp;
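/**
 * Builds an Express-style middleware that lets the request through only when
 * the authenticated user holds at least one of the given roles.
 *
 * @param {...string} roles - Roles that satisfy the check (values of
 *   `client_1.UserRole`). With no roles given, only SUPER_ADMIN passes.
 * @returns {(req: object, res: object, next: Function) => void} Middleware.
 * @throws {AppError} 401 `AUTH_REQUIRED` when `req.user` is absent;
 *   403 `FORBIDDEN` when none of the user's roles is in `roles`.
 */
function requireRole(...roles) {
  return (req, _res, next) => {
    if (!req.user) {
      throw new error_handler_1.AppError(401, 'Authentication required', 'AUTH_REQUIRED');
    }
    // Multi-role array when the auth middleware provides one; otherwise the
    // single `role`. Normalised with Array.isArray (not truthiness) so that a
    // non-array value such as a string can never satisfy the SUPER_ADMIN check
    // below via String.prototype.includes substring matching.
    const userRoles = Array.isArray(req.user.roles) ? req.user.roles : [req.user.role];
    // SUPER_ADMIN bypasses all role checks.
    if (userRoles.includes(client_1.UserRole.SUPER_ADMIN)) {
      return next();
    }
    // An empty `roles` array on the user matches nothing and yields 403 (fail closed).
    const hasRole = userRoles.some((r) => roles.includes(r));
    if (!hasRole) {
      throw new error_handler_1.AppError(403, 'Insufficient permissions', 'FORBIDDEN');
    }
    next();
  };
}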
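/**
 * Middleware that rejects "temp-only" accounts, i.e. users whose only role is
 * TEMP. A user holding any additional role passes through.
 *
 * @param {object} req - Request carrying `req.user` as set by the auth middleware.
 * @param {object} _res - Unused.
 * @param {Function} next - Called when the user is allowed through.
 * @throws {AppError} 401 `AUTH_REQUIRED` when `req.user` is absent;
 *   403 `TEMP_FORBIDDEN` when the user's only role is TEMP.
 */
function requireNonTemp(req, _res, next) {
  if (!req.user) {
    throw new error_handler_1.AppError(401, 'Authentication required', 'AUTH_REQUIRED');
  }
  // Same normalisation as requireRole: only a real array counts as the
  // multi-role list; anything else falls back to the single `role`.
  const userRoles = Array.isArray(req.user.roles) ? req.user.roles : [req.user.role];
  // User is "temp only" if their only role is TEMP.
  // NOTE(review): an empty `roles` array passes this check without consulting
  // `req.user.role` — confirm the auth middleware never emits `[]` for a TEMP user.
  if (userRoles.length === 1 && userRoles[0] === client_1.UserRole.TEMP) {
    throw new error_handler_1.AppError(403, 'Temporary accounts cannot access this resource', 'TEMP_FORBIDDEN');
  }
  next();
}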
//# sourceMappingURL=rbac.middleware.js.map
|