fix permissions

Matthias Hochmeister
2026-03-25 09:07:31 +01:00
parent 5db4cc21b5
commit 4ed76fe20d
2 changed files with 51 additions and 5 deletions


@@ -85,6 +85,52 @@ export function requirePermission(permission: string) {
};
}
/**
* Middleware factory: passes if the user holds ANY of the listed permissions.
* Useful when multiple roles should access the same read endpoint.
* Maintenance mode is checked against the first permission's feature group.
*/
export function requireAnyPermission(...permissions: string[]) {
return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
if (!req.user) {
res.status(401).json({ success: false, message: 'Authentication required' });
return;
}
const groups: string[] = req.user?.groups ?? [];
(req as any).userRole = resolveRequestRole(req);
if (groups.includes('dashboard_admin')) {
next();
return;
}
// Maintenance check on the feature group of the first permission
const featureGroup = permissions[0].split(':')[0];
if (permissionService.isFeatureInMaintenance(featureGroup)) {
res.status(403).json({ success: false, message: 'Diese Funktion befindet sich im Wartungsmodus' });
return;
}
if (permissions.some(p => permissionService.hasPermission(groups, p))) {
next();
return;
}
logger.warn('Permission denied (any-of)', {
userId: req.user.id,
groups,
permissions,
path: req.path,
});
auditPermissionDenied(req, AuditResourceType.SYSTEM, undefined, {
required_permissions: permissions,
user_groups: groups,
});
res.status(403).json({ success: false, message: 'Keine Berechtigung' });
};
}
/**
* Resolve the effective AppRole for a request.
* Simplified: returns 'admin' for dashboard_admin, 'kommandant' for dashboard_kommando,