From 56b1f0c8845ef87fc97ae9dd9ea5bb6ec14352a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cau=C3=AA=20Faleiros?=
Date: Mon, 9 Mar 2026 10:15:16 -0300
Subject: [PATCH] fix: sanitize rbac error msg and enforce manager creation constraints

- Prevented API error messages from leaking system roles.
- Updated POST /users to safely allow managers to create users while strictly forcing them to be agents assigned to the manager's team.
---
 backend/index.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/backend/index.js b/backend/index.js
index feca531..9f494ba 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -118,7 +118,7 @@ const authenticateToken = (req, res, next) => {
 };
 const requireRole = (roles) => (req, res, next) => {
- if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Acesso negado. Esta ação requer as seguintes permissões: ' + roles.join(', ') });
+ if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Acesso negado. Você não tem permissão para realizar esta ação.' });
 next();
 };
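Review bot: With the role list gone from the response, nothing on the new side records which route denied which caller, so repeated authorization failures leave no server-side trace to alert on; the leak fix is right, but the detail should move to a log line rather than disappear. Before the `return res.status(403)...` add something like `console.warn('rbac denied', { role: req.user.role, method: req.method, url: req.originalUrl, required: roles });` (or the logger this file already uses, if it has one — not visible from the hunk).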
@@ -319,9 +319,18 @@ apiRouter.get('/users/:idOrSlug', async (req, res) => {
 });
 // Convidar Novo Membro (Admin criando usuário)
-apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (req, res) => {
+apiRouter.post('/users', requireRole(['admin', 'manager', 'super_admin']), async (req, res) => {
 const { name, email, role, team_id, tenant_id } = req.body;
 const effectiveTenantId = req.user.role === 'super_admin' ? tenant_id : req.user.tenant_id;
+
+ // Strict RBAC: Managers can only create agents and assign them to their own team
+ let finalRole = role || 'agent';
+ let finalTeamId = team_id || null;
+
+ if (req.user.role === 'manager') {
+ finalRole = 'agent'; // Force manager creations to be agents
+ finalTeamId = req.user.team_id; // Force assignment to manager's team
+ }
 try {
 // 1. Verificar se e-mail já existe
 const [existing] = await pool.query('SELECT id FROM users WHERE email = ?', [email]);
@@ -334,7 +343,7 @@ apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (
 // 2. Criar Usuário
 await pool.query(
 'INSERT INTO users (id, tenant_id, team_id, name, email, password_hash, slug, role, status) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
- [uid, effectiveTenantId, team_id || null, name, email, placeholderHash, slug, role || 'agent', 'active']
+ [uid, effectiveTenantId, finalTeamId, name, email, placeholderHash, slug, finalRole, 'active']
 );
 // 3. Gerar Token de Setup de Senha (reusando lógica de reset)
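Review bot: The manager branch copies `req.user.team_id` without checking it is set; `req.user` is whatever `authenticateToken` (outside the hunk) decoded, and if that payload has no `team_id` a manager's request proceeds with `undefined` into the INSERT instead of being refused. The non-manager path still passes the body's `role` straight through, so an `admin` can create a `super_admin` — the constraint the commit adds covers managers only. The new list also drops `'owner'` in favour of `'manager'`, which the description does not mention; if `owner` is still a role it silently loses this route, and the `// Convidar Novo Membro (Admin criando usuário)` comment above is now stale. The handler continues past the hunk; `team_id` supplied by an admin is presumably not verified to belong to `effectiveTenantId` either, which is worth a lookup before the insert.
```javascript
  const { name, email, role, team_id, tenant_id } = req.body;
  const effectiveTenantId = req.user.role === 'super_admin' ? tenant_id : req.user.tenant_id;

  // Strict RBAC: managers may only create agents inside their own team, and a
  // manager whose token carries no team cannot create anyone.
  const isManager = req.user.role === 'manager';
  if (isManager && req.user.team_id == null) {
    return res.status(403).json({ error: 'Acesso negado. Você não tem permissão para realizar esta ação.' });
  }
  const finalRole = isManager ? 'agent' : (role || 'agent');
  const finalTeamId = isManager ? req.user.team_id : (team_id || null);
  // Only a super_admin may create another super_admin.
  if (finalRole === 'super_admin' && req.user.role !== 'super_admin') {
    return res.status(403).json({ error: 'Acesso negado. Você não tem permissão para realizar esta ação.' });
  }
  // … unchanged: try { e-mail lookup, insert, setup token … } …
```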