feat: complete fine-grained RBAC rules across all roles

- Restricted Agent view to own dashboard and hid management tabs.

- Allowed Managers to create teams and members but restricted them from editing roles or emails.

- Allowed Admins to update their own email via profile.

- Protected Admin roles from being modified by anyone other than Super Admins.
Cauê Faleiros
2026-03-06 13:27:43 -03:00
parent 2e766bd197
commit 38eb55793f
6 changed files with 66 additions and 43 deletions


@@ -358,7 +358,7 @@ apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (
});
apiRouter.put('/users/:id', async (req, res) => {
const { name, bio, role, team_id, status } = req.body;
const { name, bio, role, team_id, status, email } = req.body;
try {
const [existing] = await pool.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
@@ -377,10 +377,16 @@ apiRouter.put('/users/:id', async (req, res) => {
const finalRole = isManagerOrAdmin && role !== undefined ? role : existing[0].role;
const finalTeamId = isManagerOrAdmin && team_id !== undefined ? team_id : existing[0].team_id;
const finalStatus = isManagerOrAdmin && status !== undefined ? status : existing[0].status;
const finalEmail = email !== undefined ? email : existing[0].email;
if (finalEmail !== existing[0].email) {
const [emailCheck] = await pool.query('SELECT id FROM users WHERE email = ? AND id != ?', [finalEmail, req.params.id]);
if (emailCheck.length > 0) return res.status(400).json({ error: 'E-mail já está em uso.' });
}
await pool.query(
'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
[name || existing[0].name, bio !== undefined ? bio : existing[0].bio, finalRole, finalTeamId || null, finalStatus, req.params.id]
'UPDATE users SET name = ?, bio = ?, email = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
[name || existing[0].name, bio !== undefined ? bio : existing[0].bio, finalEmail, finalRole, finalTeamId || null, finalStatus, req.params.id]
);
res.json({ message: 'User updated successfully.' });
} catch (error) {
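Review bot: The new `finalEmail` assignment is the only updatable column in this handler that is not gated by `isManagerOrAdmin`, so anyone who reaches `PUT /users/:id` can set the e-mail of the user named in `req.params.id`, not merely their own — which contradicts the description's claim that managers cannot edit e-mails, and since this route carries no `requireRole` middleware (unlike the `POST /users` route in the first hunk) that appears to be every authenticated caller, unless the lines between the two hunks where `isManagerOrAdmin` is computed already reject requests for another user's id. Rewriting the address that login or password-reset flows key on is an account-takeover primitive, so the write should be limited to the requester's own record: derive an `isSelf` flag by comparing the identity the auth middleware attaches to `req` with `req.params.id`, then `const finalEmail = isSelf && email !== undefined ? email : existing[0].email;`, and have the profile endpoint the description mentions be the only path that sets it. Separately, the SELECT-then-UPDATE uniqueness check races with a concurrent request for the same address; a UNIQUE index on `users.email` with the duplicate-key error mapped to the same 400 response is the reliable guard, and the value should be trimmed and shape-validated before it is persisted. The handler's `try` block continues past the hunk, so the `catch` body is not visible here.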