feat: restrict managers to their own team

- Backend now only returns users, teams, and attendances from a manager's own team.

- Hid the 'Todas as Equipes' filter on the manager dashboard.

- Removed manager ability to create or edit teams.
Cauê Faleiros
2026-03-06 14:54:42 -03:00
parent ae81df759f
commit 13b4c0316b
3 changed files with 66 additions and 27 deletions


@@ -286,7 +286,17 @@ apiRouter.get('/users', async (req, res) => {
let q = 'SELECT * FROM users';
const params = [];
if (effectiveTenantId && effectiveTenantId !== 'all') { q += ' WHERE tenant_id = ?'; params.push(effectiveTenantId); }
if (effectiveTenantId && effectiveTenantId !== 'all') {
q += ' WHERE tenant_id = ?';
params.push(effectiveTenantId);
}
// Strict RBAC: Managers can only see users in their own team
if (req.user.role === 'manager') {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' team_id = ?';
params.push(req.user.team_id);
}
const [rows] = await pool.query(q, params);
res.json(rows);
} catch (error) { res.status(500).json({ error: error.message }); }
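Review bot: The new manager clause relies on `req.user.team_id` being populated; for a manager row whose team_id is NULL the predicate becomes `team_id = NULL`, which matches no rows, so the route fails closed but returns an empty list instead of an authorization error, which makes a misconfigured account look like an empty team. I would reject that case explicitly before the query is built, e.g. `if (req.user.role === 'manager' && req.user.team_id == null) return res.status(403).json({ error: 'manager has no team' });`. The same gap applies to the `/teams` hunk below, which pushes `req.user.team_id` the same way. This list-level scoping also does not by itself cover single-object routes such as GET /users/:id, which are not in this diff and presumably need the same team check. The opening of the handler, where `effectiveTenantId` is derived, is outside the hunk.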
@@ -447,17 +457,27 @@ apiRouter.get('/attendances', async (req, res) => {
if (req.user.role === 'agent') {
q += ' AND a.user_id = ?';
params.push(req.user.id);
} else if (userId && userId !== 'all') {
// check if it's a slug or id
if (userId.startsWith('u_')) {
q += ' AND a.user_id = ?';
params.push(userId);
} else {
q += ' AND u.slug = ?';
params.push(userId);
} else {
if (req.user.role === 'manager') {
q += ' AND u.team_id = ?';
params.push(req.user.team_id);
} else if (teamId && teamId !== 'all') {
q += ' AND u.team_id = ?';
params.push(teamId);
}
if (userId && userId !== 'all') {
// check if it's a slug or id
if (userId.startsWith('u_')) {
q += ' AND a.user_id = ?';
params.push(userId);
} else {
q += ' AND u.slug = ?';
params.push(userId);
}
}
}
if (teamId && teamId !== 'all') { q += ' AND u.team_id = ?'; params.push(teamId); }
if (funnelStage && funnelStage !== 'all') { q += ' AND a.funnel_stage = ?'; params.push(funnelStage); }
if (origin && origin !== 'all') { q += ' AND a.origin = ?'; params.push(origin); }
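Review bot: The team filter now appears twice on the non-agent path: once in the new `else if (teamId && teamId !== 'all')` branch and again in the trailing `if (teamId && teamId !== 'all') { q += ' AND u.team_id = ?'; params.push(teamId); }`, which is printed once and so appears to survive as context. If it does survive, non-manager callers get the same predicate ANDed twice, and for managers the caller-supplied teamId can only narrow the manager's own-team predicate further, so there is no bypass, only redundancy; I would keep the single trailing filter and leave the manager override as the only addition inside the else block. Separately, `userId.startsWith('u_')` assumes a string, and a repeated query parameter arrives from Express as an array, so the call throws a TypeError that the route's catch presumably turns into a 500; a `typeof userId === 'string'` guard ahead of that branch would fail cleanly. The enclosing handler starts and ends outside the hunk.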
@@ -513,6 +533,13 @@ apiRouter.get('/teams', async (req, res) => {
q += ' WHERE tenant_id = ?';
params.push(effectiveTenantId);
}
// Strict RBAC: Managers can only see their own team
if (req.user.role === 'manager') {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
params.push(req.user.team_id);
}
const [rows] = await pool.query(q, params);
res.json(rows);
} catch (error) {
@@ -520,7 +547,7 @@ apiRouter.get('/teams', async (req, res) => {
}
});
apiRouter.post('/teams', requireRole(['admin', 'manager', 'owner', 'super_admin']), async (req, res) => {
apiRouter.post('/teams', requireRole(['admin', 'owner', 'super_admin']), async (req, res) => {
const { name, description, tenantId } = req.body;
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
try {
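Review bot: Removing `'manager'` from the POST and PUT `requireRole` lists covers creation and editing, but a DELETE /teams/:id route, if one exists with the same role list, is not in this diff and would still let a manager remove a team, so it should be checked alongside these two. The `effectiveTenantId` line keeps super_admin taking `tenantId` from the body while every other role is pinned to `req.user.tenant_id`, which is the right shape for the tenant check that follows. The handler body continues outside the hunk.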
@@ -536,7 +563,7 @@ apiRouter.post('/teams', requireRole(['admin', 'manager', 'owner', 'super_admin'
}
});
apiRouter.put('/teams/:id', requireRole(['admin', 'manager', 'owner', 'super_admin']), async (req, res) => {
apiRouter.put('/teams/:id', requireRole(['admin', 'owner', 'super_admin']), async (req, res) => {
const { name, description } = req.body;
try {
const [existing] = await pool.query('SELECT tenant_id FROM teams WHERE id = ?', [req.params.id]);