From 3663d03cb96b974ffe7d83133ec4b10fea1edc42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cau=C3=AA=20Faleiros?= Date: Mon, 23 Mar 2026 15:40:36 -0300 Subject: [PATCH] refactor(rbac): complete the removal of 'owner' role from backend routes and logic - Cleaned up the requireRole middleware across all Funnel and Origin API routes to strictly allow only 'admin' and 'super_admin' to perform structural changes. - Updated the tenant creation script to assign the 'admin' role to new signups instead of 'owner'. --- backend/index.js | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/backend/index.js b/backend/index.js index 9f978c9..a0013c6 100644 --- a/backend/index.js +++ b/backend/index.js @@ -734,7 +734,7 @@ apiRouter.get('/origins', async (req, res) => { } }); -apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.post('/origins', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, tenantId } = req.body; const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id; try { @@ -746,7 +746,7 @@ apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), asy } }); -apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.put('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, teamIds } = req.body; try { if (name) { @@ -764,7 +764,7 @@ apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), } }); -apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.delete('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => { try { await pool.query('DELETE FROM origin_items WHERE origin_group_id = ?', [req.params.id]); await pool.query('UPDATE teams SET origin_group_id = NULL WHERE origin_group_id = ?', [req.params.id]); @@ -775,7 +775,7 @@ apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin'] } }); -apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.post('/origins/:id/items', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, color_class } = req.body; try { const oid = `oriitm_${crypto.randomUUID().split('-')[0]}`; @@ -789,7 +789,7 @@ apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_adm } }); -apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.put('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, color_class } = req.body; try { const [existing] = await pool.query('SELECT * FROM origin_items WHERE id = ?', [req.params.id]); @@ -802,7 +802,7 @@ apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin } }); -apiRouter.delete('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.delete('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => { try { await pool.query('DELETE FROM origin_items WHERE id = ?', [req.params.id]); res.json({ message: 'Origin item deleted.' }); @@ -863,7 +863,7 @@ apiRouter.get('/funnels', async (req, res) => { } }); -apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.post('/funnels', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, tenantId } = req.body; const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id; try { @@ -875,7 +875,7 @@ apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), asy } }); -apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.put('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, teamIds } = req.body; try { if (name) { @@ -893,7 +893,7 @@ apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), } }); -apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.delete('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => { try { await pool.query('DELETE FROM funnel_stages WHERE funnel_id = ?', [req.params.id]); await pool.query('UPDATE teams SET funnel_id = NULL WHERE funnel_id = ?', [req.params.id]); @@ -904,7 +904,7 @@ apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin'] } }); -apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, color_class, order_index } = req.body; try { const sid = `stage_${crypto.randomUUID().split('-')[0]}`; @@ -918,7 +918,7 @@ apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_ad } }); -apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => { const { name, color_class, order_index } = req.body; try { const [existing] = await pool.query('SELECT * FROM funnel_stages WHERE id = ?', [req.params.id]); @@ -934,7 +934,7 @@ apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admi } }); -apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => { +apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => { try { await pool.query('DELETE FROM funnel_stages WHERE id = ?', [req.params.id]); res.json({ message: 'Stage deleted.' });