fixing verify access

2026-01-08 12:16:16 +07:00
parent a4d8d55dbf
commit 4d2c18edfb
3 changed files with 26 additions and 13 deletions


@@ -1,6 +1,10 @@
const { ErrorHandler } = require("../helpers/error"); const { ErrorHandler } = require("../helpers/error");
const { getUserByIdDb } = require("../db/user.db"); const { getUserByIdDb } = require("../db/user.db");
function isPhoneNumberID(phone) {
return /^(?:\+62|62|0)8[1-9][0-9]{6,10}$/.test(phone);
}
const verifyAccess = (minLevel = 1, allowUnapprovedReadOnly = false) => { const verifyAccess = (minLevel = 1, allowUnapprovedReadOnly = false) => {
return async (req, res, next) => { return async (req, res, next) => {
try { try {
@@ -11,21 +15,30 @@ const verifyAccess = (minLevel = 1, allowUnapprovedReadOnly = false) => {
// Super Admin bypass semua // Super Admin bypass semua
if (user.is_sa) return next(); if (user.is_sa) return next();
const fullUser = await getUserByIdDb(user.user_id); if (!isPhoneNumberID(user.user_id)) {
if (!fullUser) throw new ErrorHandler(403, "Forbidden: User not found"); const fullUser = await getUserByIdDb(user.user_id);
if (!fullUser) throw new ErrorHandler(403, "Forbidden: User not found");
if (!fullUser.is_approve) { if (!fullUser.is_approve) {
if (req.method !== "GET") { if (req.method !== "GET") {
throw new ErrorHandler(403, "Account not approved — read-only access"); throw new ErrorHandler(403, "Account not approved — read-only access");
}
if (allowUnapprovedReadOnly) return next();
throw new ErrorHandler(403, "Account not approved");
} }
if (allowUnapprovedReadOnly) return next(); if (!fullUser.role_level || fullUser.role_level < minLevel) {
throw new ErrorHandler(403, "Forbidden: Insufficient role level");
}
} else {
if (req.method !== 'GET' && req.baseUrl !== '/api/notification-log') {
if (req.baseUrl !== '/api/notification') {
throw new ErrorHandler(403, "Forbidden: Insufficient Access");
}
}
throw new ErrorHandler(403, "Account not approved");
}
if (!fullUser.role_level || fullUser.role_level < minLevel) {
throw new ErrorHandler(403, "Forbidden: Insufficient role level");
} }
next(); next();
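Review bot: The new `else` branch for phone-number identities never consults `minLevel`, so a route that passes `verifyAccess(3)` (or any level above the default) now admits every phone-ID caller on GET and on non-GET under `/api/notification` and `/api/notification-log`, with no approval or role lookup at all; that silently widens the contract the first branch still enforces. If phone identities are intentionally level-1-only, the branch should say so explicitly, e.g. `if (minLevel > 1) throw new ErrorHandler(403, "Forbidden: Insufficient role level");` as its first statement, with a comment such as `// phone-number identities have no DB role; only level-1 routes are open to them`. The nested `if` pair collapses to a single condition and reads more clearly as `const openForPhoneId = new Set(['/api/notification', '/api/notification-log']); if (req.method !== 'GET' && !openForPhoneId.has(req.baseUrl)) throw …`; note that `req.baseUrl` is compared by exact string, so it presumably has to match the router mount prefix including any nesting — verify against app.js. The handler's `try`/`catch` and closing braces lie outside this hunk.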


@@ -26,7 +26,7 @@ router
.get(verifyToken.verifyAccessToken, NotificationErrorController.getById) .get(verifyToken.verifyAccessToken, NotificationErrorController.getById)
.put( .put(
verifyToken.verifyAccessToken, verifyToken.verifyAccessToken,
// verifyAccess(), verifyAccess(),
NotificationErrorController.update NotificationErrorController.update
); );
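Review bot: Enabling `verifyAccess()` on this PUT (and on the POST in the notification-error-log router in the next file) couples these routes to the `req.baseUrl` strings hard-coded inside `verifyAccess` (`/api/notification` and `/api/notification-log`); the controller names here suggest these routers may be mounted under a different prefix, in which case a phone-number identity would be rejected with "Forbidden: Insufficient Access" on exactly the write routes this commit opens. That is inferred from names only — confirm the mount path before merging, or have the middleware receive the allowed prefixes as an argument rather than matching them internally. The sibling GET handlers on the lines above keep only `verifyAccessToken`, so the approval and role checks still do not apply to reads; if that is deliberate, a one-line comment on the route saying so would help the next reader.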


@@ -9,7 +9,7 @@ router.route("/")
.get(verifyToken.verifyAccessToken, NotificationErrorLogController.getAll) .get(verifyToken.verifyAccessToken, NotificationErrorLogController.getAll)
.post( .post(
verifyToken.verifyAccessToken, verifyToken.verifyAccessToken,
// verifyAccess(), verifyAccess(),
NotificationErrorLogController.create); NotificationErrorLogController.create);
router.route("/:id") router.route("/:id")