refactor(rbac): complete the removal of 'owner' role from backend routes and logic

- Cleaned up the requireRole middleware across all Funnel and Origin API routes to strictly allow only 'admin' and 'super_admin' to perform structural changes. - Updated the tenant creation script to assign the 'admin' role to new signups instead of 'owner'.
2026-03-23 15:40:36 -03:00
parent 2317c46ac9
commit 3663d03cb9
1 changed files with 12 additions and 12 deletions
--- a/backend/index.js
+++ b/backend/index.js
@@ -734,7 +734,7 @@ apiRouter.get('/origins', async (req, res) => {
  }
 });
-apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.post('/origins', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, tenantId } = req.body;
  const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
  try {
@@ -746,7 +746,7 @@ apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), asy
  }
 });
-apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, teamIds } = req.body;
  try {
    if (name) {
@@ -764,7 +764,7 @@ apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']),
  }
 });
-apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.delete('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  try {
    await pool.query('DELETE FROM origin_items WHERE origin_group_id = ?', [req.params.id]);
    await pool.query('UPDATE teams SET origin_group_id = NULL WHERE origin_group_id = ?', [req.params.id]);
@@ -775,7 +775,7 @@ apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin']
  }
 });
-apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.post('/origins/:id/items', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, color_class } = req.body;
  try {
    const oid = `oriitm_${crypto.randomUUID().split('-')[0]}`;
@@ -789,7 +789,7 @@ apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_adm
  }
 });
-apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, color_class } = req.body;
  try {
    const [existing] = await pool.query('SELECT * FROM origin_items WHERE id = ?', [req.params.id]);
@@ -802,7 +802,7 @@ apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin
  }
 });
-apiRouter.delete('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.delete('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  try {
    await pool.query('DELETE FROM origin_items WHERE id = ?', [req.params.id]);
    res.json({ message: 'Origin item deleted.' });
@@ -863,7 +863,7 @@ apiRouter.get('/funnels', async (req, res) => {
  }
 });
-apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.post('/funnels', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, tenantId } = req.body;
  const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
  try {
@@ -875,7 +875,7 @@ apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), asy
  }
 });
-apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, teamIds } = req.body;
  try {
    if (name) {
@@ -893,7 +893,7 @@ apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']),
  }
 });
-apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.delete('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  try {
    await pool.query('DELETE FROM funnel_stages WHERE funnel_id = ?', [req.params.id]);
    await pool.query('UPDATE teams SET funnel_id = NULL WHERE funnel_id = ?', [req.params.id]);
@@ -904,7 +904,7 @@ apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']
  }
 });
-apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, color_class, order_index } = req.body;
  try {
    const sid = `stage_${crypto.randomUUID().split('-')[0]}`;
@@ -918,7 +918,7 @@ apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_ad
  }
 });
-apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  const { name, color_class, order_index } = req.body;
  try {
    const [existing] = await pool.query('SELECT * FROM funnel_stages WHERE id = ?', [req.params.id]);
@@ -934,7 +934,7 @@ apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admi
  }
 });
-apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
  try {
    await pool.query('DELETE FROM funnel_stages WHERE id = ?', [req.params.id]);
    res.json({ message: 'Stage deleted.' });