yogiedigital/cod-api
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: veryfy access

Browse Source
This commit is contained in:
Antony Kurniawan
2025-10-09 03:19:13 +07:00
parent a6c2e7fc7e
commit 1b384a56b5
2 changed files with 3 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
middleware/verifyAcces.js
View File

@@ -1,42 +0,0 @@
const { ErrorHandler } = require("../helpers/error");
const { getUserByIdDb } = require("../db/user.db");
const verifyAccess = (minLevel = 1, allowUnapprovedReadOnly = false) => {
return async (req, res, next) => {
try {
const user = req.user;
if (!user) throw new ErrorHandler(401, "Unauthorized: User not found");
// Super Admin bypass semua
if (user.is_sa) return next();
// Ambil user lengkap dari DB
const fullUser = await getUserByIdDb(user.user_id);
if (!fullUser) throw new ErrorHandler(403, "Forbidden: User not found");
// Jika belum di-approve
if (!fullUser.is_approve) {
// Hanya boleh GET (read-only)
if (req.method !== "GET") {
throw new ErrorHandler(403, "Account not approved — read-only access");
}
if (allowUnapprovedReadOnly) return next();
throw new ErrorHandler(403, "Account not approved");
}
// Cek role level
if (!fullUser.role_level || fullUser.role_level < minLevel) {
throw new ErrorHandler(403, "Forbidden: Insufficient role level");
}
next();
} catch (err) {
next(err);
}
};
};
module.exports = verifyAccess;

6
routes/device.route.js
View File

@@ -7,8 +7,8 @@ const router = express.Router();
router.get('/', verifyToken.verifyAccessToken, DeviceController.getAll);
router.get('/:id', verifyToken.verifyAccessToken, DeviceController.getById);
router.post('/', verifyToken.verifyAccessToken, verifyAccess, DeviceController.create);
router.put('/:id', verifyToken.verifyAccessToken, verifyAccess, DeviceController.update);
router.delete('/:id', verifyToken.verifyAccessToken, verifyAccess, DeviceController.delete);
router.post('/', verifyToken.verifyAccessToken, verifyAccess(), DeviceController.create);
router.put('/:id', verifyToken.verifyAccessToken, verifyAccess(), DeviceController.update);
router.delete('/:id', verifyToken.verifyAccessToken, verifyAccess(), DeviceController.delete);
module.exports = router;