fix permissions
@@ -5,14 +5,14 @@ import { requirePermission } from '../middleware/rbac.middleware';
const router = Router();
// ── Read-only (any authenticated user) ───────────────────────────────────────
// ── Read-only ────────────────────────────────────────────────────────────────
router.get('/', authenticate, atemschutzController.list.bind(atemschutzController));
router.get('/stats', authenticate, atemschutzController.getStats.bind(atemschutzController));
router.get('/expiring', authenticate, atemschutzController.getExpiring.bind(atemschutzController));
router.get('/', authenticate, requirePermission('atemschutz:view'), atemschutzController.list.bind(atemschutzController));
router.get('/stats', authenticate, requirePermission('atemschutz:view'), atemschutzController.getStats.bind(atemschutzController));
router.get('/expiring', authenticate, requirePermission('atemschutz:view'), atemschutzController.getExpiring.bind(atemschutzController));
router.get('/my-status', authenticate, atemschutzController.getMyStatus.bind(atemschutzController));
router.get('/user/:userId', authenticate, atemschutzController.getByUserId.bind(atemschutzController));
router.get('/:id', authenticate, atemschutzController.getOne.bind(atemschutzController));
router.get('/user/:userId', authenticate, requirePermission('atemschutz:view'), atemschutzController.getByUserId.bind(atemschutzController));
router.get('/:id', authenticate, requirePermission('atemschutz:view'), atemschutzController.getOne.bind(atemschutzController));
// ── Write — gruppenfuehrer+ ─────────────────────────────────────────────────
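Review bot: The `/my-status` route keeps `authenticate` alone while the sibling GET routes gain `requirePermission('atemschutz:view')`, and the section comment shrinks from "Read-only (any authenticated user)" to "Read-only", so the exemption is now undocumented. If a member may always read their own record, say so in the header: `// ── Read-only — atemschutz:view; /my-status is self-service and needs only authenticate ──`. Which lines are old and which are new is inferred from the commit title and hunk order, since the rendering dropped the +/- markers.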
@@ -88,7 +88,7 @@ router.delete(
router.patch(
'/:id/status',
authenticate,
requirePermission('bestellungen:create'),
requirePermission('bestellungen:manage_orders'),
bestellungController.updateStatus.bind(bestellungController)
);
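Review bot: `PATCH /:id/status` carries no comment stating which permission gates it, so the switch between `bestellungen:create` and `bestellungen:manage_orders` is visible only inside the middleware argument, whereas the training router in this same commit documents each route's required permission in a JSDoc header. Add `/** PATCH /:id/status — requires bestellungen:manage_orders */` above `router.patch(`, assuming `manage_orders` is the new side, which the rendering does not mark. The `router.delete(` named in the hunk header lies outside the hunk.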
@@ -42,7 +42,7 @@ router.get(
*/
router.post(
'/refresh-stats',
requirePermission('einsaetze:delete'),
requirePermission('einsaetze:create'),
incidentController.refreshStats.bind(incidentController)
);
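Review bot: `POST /refresh-stats` is registered with no `authenticate` between the path and `requirePermission(...)`, unlike every other route touched by this commit (for example `PATCH /:id/status` in the bestellungen router, which lists `authenticate,` first). Unless `authenticate` is mounted router-wide above this hunk, `requirePermission` would run against an unpopulated `req.user`; add `authenticate,` after `'/refresh-stats',` so the chain matches the rest of the codebase. The direction of the `einsaetze:delete` ↔ `einsaetze:create` swap is not recoverable from the rendering, but both are write-class permissions for what the path names as a stats refresh, so a one-line comment stating why this permission was chosen would help the next reader.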
@@ -9,7 +9,7 @@ const router = Router();
// ---------------------------------------------------------------------------
// injectTeilnahmenFlag
//
// Sets req.canSeeTeilnahmen = true for users with kalender:mark_attendance.
// Sets req.canSeeTeilnahmen = true for users with kalender:create.
// Regular Mitglieder see only attendance counts; officers see the full list.
// ---------------------------------------------------------------------------
@@ -23,7 +23,7 @@ async function injectTeilnahmenFlag(
const groups: string[] = req.user?.groups ?? [];
(req as any).canSeeTeilnahmen =
groups.includes('dashboard_admin') ||
permissionService.hasPermission(groups, 'kalender:mark_attendance');
permissionService.hasPermission(groups, 'kalender:create');
}
} catch (_err) {
// Non-fatal — default to restricted view
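Review bot: Gating the `canSeeTeilnahmen` flag on `kalender:create` ties a read capability (seeing the full attendance list) to an event-creation permission, and the same collapse onto `kalender:create` appears in the training router's `GET /stats`, `DELETE /:id` and `POST /:id/attendance/mark` hunks, which previously named `kalender:view_reports`, `kalender:cancel` and `kalender:mark_attendance`. If those finer-grained permissions were removed from the catalog, record that decision here: `// kalender:create is the single officer-level grant; the former mark_attendance/cancel/view_reports permissions were folded into it`; otherwise keeping the dedicated permission on each route preserves least privilege. The `dashboard_admin` short-circuit is unchanged context, and which `hasPermission` line is new is inferred from hunk order. `injectTeilnahmenFlag` begins and ends outside this hunk.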
@@ -67,12 +67,12 @@ router.get('/calendar-token', authenticate, trainingController.getCalendarToken)
/**
* GET /api/training/stats?year=<YYYY>
* Annual participation stats.
* Requires Kommandant or above (requirePermission('kalender:view_reports')).
* Requires Kommandant or above (requirePermission('kalender:create')).
*/
router.get(
'/stats',
authenticate,
requirePermission('kalender:view_reports'),
requirePermission('kalender:create'),
trainingController.getStats
);
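Review bot: The JSDoc for `GET /stats` still says "Requires Kommandant or above" while the middleware now checks `kalender:create`, the same permission the calendar router's `injectTeilnahmenFlag` comment treats as held by officers generally; if `kalender:create` is granted to roles below Kommandant, the comment overstates the bar and the annual participation stats become readable by every event creator. Either reword the line to `* Requires kalender:create (any role that may create events).` or keep a reporting-specific permission on this route so the documented role boundary stays true. Which of the two `requirePermission(...)` lines is new is inferred from hunk order, as the rendering lost the markers.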
@@ -120,7 +120,7 @@ router.patch(
router.delete(
'/:id',
authenticate,
requirePermission('kalender:cancel'),
requirePermission('kalender:create'),
trainingController.cancelEvent
);
@@ -141,7 +141,7 @@ router.patch(
router.post(
'/:id/attendance/mark',
authenticate,
requirePermission('kalender:mark_attendance'),
requirePermission('kalender:create'),
trainingController.markAttendance
);