@apolitical/server 2.1.0 → 2.1.1

package/CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.1] - 2022-01-31
+### Fixed
+- Authorisation logic
+
 ## [2.1.0] - 2022-01-21
 ### Added
 - Prerender middleware

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apolitical/server",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",

package/src/middlewares/authorisation.middleware.js

@@ -8,21 +8,21 @@ module.exports = ({ logger, serverError: { Forbidden }, config }) => {
     return function handler(req, res, next) {
       const childLogger = logger.where(__filename, 'handler');
       childLogger.debug('Started');
-      let isNotMyselfSlug = false;
       let isNotAdmin = false;
-      // Check myself param
-      if (myselfSource) {
-        isNotMyselfSlug = req.params[myselfSource] !== MYSELF_SLUG;
-      }
+      let isNotMyselfSlug = false;
       // Check user role (from JWT)
       if (!allowNonAdmin) {
         isNotAdmin = req.user && req.user.role !== ADMIN_ROLE;
       }
+      // Check myself param
+      if (myselfSource) {
+        isNotMyselfSlug = req.params[myselfSource] !== MYSELF_SLUG;
+      }
       // Check permissions and prevent unauthorised requests
       let unauthorised = false;
-      if (isNotMyselfSlug && myselfSource && isNotAdmin && !allowNonAdmin) {
+      if (!allowNonAdmin && isNotAdmin && isNotMyselfSlug) {
         unauthorised = true;
-      } else if (isNotAdmin && !allowNonAdmin) {
+      } else if (!allowNonAdmin && isNotAdmin && !myselfSource) {
         unauthorised = true;
       }
       if (unauthorised) {