blyzer/fasto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve sql query logic preventing managers from seeing themselves or their team if team_id is null
All checks were successful
Build and Deploy / build-and-push (push) Successful in 1m2s
Details

Browse Source
This commit is contained in:
Cauê Faleiros
2026-03-06 15:26:10 -03:00
parent cbbe519b5a
commit feb98d830b
1 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
backend/index.js
View File

@@ -291,10 +291,15 @@ apiRouter.get('/users', async (req, res) => {
params.push(effectiveTenantId);
}
// Strict RBAC: Managers can only see users in their own team
// Strict RBAC: Managers can only see users in their own team, or themselves if they don't have a team yet
if (req.user.role === 'manager') {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' team_id = ?';
params.push(req.user.team_id);
if (req.user.team_id) {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' (team_id = ? OR id = ?)';
params.push(req.user.team_id, req.user.id);
} else {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
params.push(req.user.id);
}
}
const [rows] = await pool.query(q, params);
@@ -536,8 +541,13 @@ apiRouter.get('/teams', async (req, res) => {
// Strict RBAC: Managers can only see their own team
if (req.user.role === 'manager') {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
params.push(req.user.team_id);
if (req.user.team_id) {
q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
params.push(req.user.team_id);
} else {
// If a manager doesn't have a team, return nothing to prevent showing all teams
q += (params.length > 0 ? ' AND' : ' WHERE') + ' 1=0';
}
}
const [rows] = await pool.query(q, params);