blyzer/fasto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(rbac): complete the removal of 'owner' role from backend routes and logic
All checks were successful
Build and Deploy / build-and-push (push) Successful in 1m48s
Details

Browse Source 
- Cleaned up the requireRole middleware across all Funnel and Origin API routes to strictly allow only 'admin' and 'super_admin' to perform structural changes.

- Updated the tenant creation script to assign the 'admin' role to new signups instead of 'owner'.
This commit is contained in:
Cauê Faleiros
2026-03-23 15:40:36 -03:00
parent 2317c46ac9
commit 3663d03cb9
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
backend/index.js
View File

@@ -734,7 +734,7 @@ apiRouter.get('/origins', async (req, res) => {
}
});
apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.post('/origins', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, tenantId } = req.body;
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
try {
@@ -746,7 +746,7 @@ apiRouter.post('/origins', requireRole(['admin', 'manager', 'super_admin']), asy
}
});
apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.put('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, teamIds } = req.body;
try {
if (name) {
@@ -764,7 +764,7 @@ apiRouter.put('/origins/:id', requireRole(['admin', 'manager', 'super_admin']),
}
});
apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.delete('/origins/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
try {
await pool.query('DELETE FROM origin_items WHERE origin_group_id = ?', [req.params.id]);
await pool.query('UPDATE teams SET origin_group_id = NULL WHERE origin_group_id = ?', [req.params.id]);
@@ -775,7 +775,7 @@ apiRouter.delete('/origins/:id', requireRole(['admin', 'manager', 'super_admin']
}
});
apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.post('/origins/:id/items', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, color_class } = req.body;
try {
const oid = `oriitm_${crypto.randomUUID().split('-')[0]}`;
@@ -789,7 +789,7 @@ apiRouter.post('/origins/:id/items', requireRole(['admin', 'manager', 'super_adm
}
});
apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.put('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, color_class } = req.body;
try {
const [existing] = await pool.query('SELECT * FROM origin_items WHERE id = ?', [req.params.id]);
@@ -802,7 +802,7 @@ apiRouter.put('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin
}
});
apiRouter.delete('/origin_items/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.delete('/origin_items/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
try {
await pool.query('DELETE FROM origin_items WHERE id = ?', [req.params.id]);
res.json({ message: 'Origin item deleted.' });
@@ -863,7 +863,7 @@ apiRouter.get('/funnels', async (req, res) => {
}
});
apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.post('/funnels', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, tenantId } = req.body;
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
try {
@@ -875,7 +875,7 @@ apiRouter.post('/funnels', requireRole(['admin', 'manager', 'super_admin']), asy
}
});
apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.put('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, teamIds } = req.body;
try {
if (name) {
@@ -893,7 +893,7 @@ apiRouter.put('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']),
}
});
apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.delete('/funnels/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
try {
await pool.query('DELETE FROM funnel_stages WHERE funnel_id = ?', [req.params.id]);
await pool.query('UPDATE teams SET funnel_id = NULL WHERE funnel_id = ?', [req.params.id]);
@@ -904,7 +904,7 @@ apiRouter.delete('/funnels/:id', requireRole(['admin', 'manager', 'super_admin']
}
});
apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, color_class, order_index } = req.body;
try {
const sid = `stage_${crypto.randomUUID().split('-')[0]}`;
@@ -918,7 +918,7 @@ apiRouter.post('/funnels/:id/stages', requireRole(['admin', 'manager', 'super_ad
}
});
apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
const { name, color_class, order_index } = req.body;
try {
const [existing] = await pool.query('SELECT * FROM funnel_stages WHERE id = ?', [req.params.id]);
@@ -934,7 +934,7 @@ apiRouter.put('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admi
}
});
apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
apiRouter.delete('/funnel_stages/:id', requireRole(['admin', 'super_admin']), async (req, res) => {
try {
await pool.query('DELETE FROM funnel_stages WHERE id = ?', [req.params.id]);
res.json({ message: 'Stage deleted.' });