@lenne.tech/nest-server 10.3.0 → 10.3.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "10.3.0",
+  "version": "10.3.2",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/config.env.ts

@@ -89,7 +89,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },
@@ -196,7 +203,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },
@@ -292,7 +306,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },

package/src/core/common/decorators/restricted.decorator.ts

@@ -67,15 +67,20 @@ export const checkRestricted = (
     dbObject?: any;
     debug?: boolean;
     ignoreUndefined?: boolean;
+    mergeRoles?: boolean;
     processType?: ProcessType;
     removeUndefinedFromResultArray?: boolean;
     throwError?: boolean;
   } = {},
   processedObjects: any[] = [],
 ) => {
+  // Act like Roles handling: checkObjectItself = false & mergeRoles = true
+  // For Input: throwError = true
+  // For Output: throwError = false
   const config = {
-    checkObjectItself: true,
+    checkObjectItself: false,
     ignoreUndefined: true,
+    mergeRoles: true,
     removeUndefinedFromResultArray: true,
     throwError: true,
     ...options,
@@ -220,7 +225,8 @@ export const checkRestricted = (
 
     // Check restricted
     const restricted = getRestricted(data, propertyKey) || [];
-    const valid = validateRestricted(restricted);
+    const concatenatedRestrictions = config.mergeRoles ? _.uniq(objectRestrictions.concat(restricted)) : restricted;
+    const valid = validateRestricted(concatenatedRestrictions);
 
     // Check rights
     if (valid) {

package/src/core/common/inputs/combined-filter.input.ts

@@ -1,10 +1,13 @@
 import { Field, InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../decorators/restricted.decorator';
 import { LogicalOperatorEnum } from '../enums/logical-operator.enum';
+import { RoleEnum } from '../enums/role.enum';
 import { maps } from '../helpers/model.helper';
 import { CoreInput } from './core-input.input';
 import { FilterInput } from './filter.input';
 
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({
   description: 'Combination of multiple filters via logical operator',
 })
@@ -12,6 +15,7 @@ export class CombinedFilterInput extends CoreInput {
   /**
    * Logical Operator to combine filters
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => LogicalOperatorEnum, {
     description: 'Logical Operator to combine filters',
   })
@@ -20,6 +24,7 @@ export class CombinedFilterInput extends CoreInput {
   /**
    * Filters to combine via logical operator
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => [FilterInput], {
     description: 'Filters to combine via logical operator',
   })

package/src/core/common/inputs/filter.input.ts

@@ -1,5 +1,7 @@
 import { Field, InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../decorators/restricted.decorator';
+import { RoleEnum } from '../enums/role.enum';
 import { CombinedFilterInput } from './combined-filter.input';
 import { CoreInput } from './core-input.input';
 import { SingleFilterInput } from './single-filter.input';
@@ -7,6 +9,7 @@ import { SingleFilterInput } from './single-filter.input';
 /**
  * Input for filtering. The `singleFilter` will be ignored if the `combinedFilter` is set.
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({
   description: 'Input for filtering. The `singleFilter` will be ignored if the `combinedFilter` is set.',
 })
@@ -14,6 +17,7 @@ export class FilterInput extends CoreInput {
   /**
    * Combination of multiple filters via logical operator
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => CombinedFilterInput, {
     description: 'Combination of multiple filters via logical operator',
     nullable: true,
@@ -23,6 +27,7 @@ export class FilterInput extends CoreInput {
   /**
    * Filter for a single property
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => SingleFilterInput, {
     description: 'Filter for a single property',
     nullable: true,

package/src/core/common/inputs/single-filter.input.ts

@@ -1,17 +1,21 @@
 import { Field, InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../decorators/restricted.decorator';
 import { ComparisonOperatorEnum } from '../enums/comparison-operator.enum';
+import { RoleEnum } from '../enums/role.enum';
 import { JSON } from '../scalars/json.scalar';
 import { CoreInput } from './core-input.input';
 
 /**
  * Input for a configuration of a filter
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({ description: 'Input for a configuration of a filter' })
 export class SingleFilterInput extends CoreInput {
   /**
    * Convert value to ObjectId
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({
     description: 'Convert value to ObjectId',
     nullable: true,
@@ -21,12 +25,14 @@ export class SingleFilterInput extends CoreInput {
   /**
    * Name of the property to be used for the filter
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Name of the property to be used for the filter' })
   field: string = undefined;
 
   /**
    * Process value as reference
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({
     description: 'Process value as reference',
     nullable: true,
@@ -36,6 +42,7 @@ export class SingleFilterInput extends CoreInput {
   /**
    * [Negate operator](https://docs.mongodb.com/manual/reference/operator/query/not/)
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({
     description: '[Negate operator](https://docs.mongodb.com/manual/reference/operator/query/not/)',
     nullable: true,
@@ -45,6 +52,7 @@ export class SingleFilterInput extends CoreInput {
   /**
    * [Comparison operator](https://docs.mongodb.com/manual/reference/operator/query-comparison/)
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => ComparisonOperatorEnum, {
     description: '[Comparison operator](https://docs.mongodb.com/manual/reference/operator/query-comparison/)',
   })
@@ -54,6 +62,7 @@ export class SingleFilterInput extends CoreInput {
    * [Options](https://docs.mongodb.com/manual/reference/operator/query/regex/#op._S_options) for
    * [REGEX](https://docs.mongodb.com/manual/reference/operator/query/regex/) operator
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({
     description:
       '[Options](https://docs.mongodb.com/manual/reference/operator/query/regex/#op._S_options) for '
@@ -62,6 +71,7 @@ export class SingleFilterInput extends CoreInput {
   })
   options?: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => JSON, { description: 'Value of the property' })
   value: any = undefined;
 }

package/src/core/common/inputs/sort.input.ts

@@ -1,22 +1,27 @@
 import { Field, InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../decorators/restricted.decorator';
+import { RoleEnum } from '../enums/role.enum';
 import { SortOrderEnum } from '../enums/sort-order.emum';
 import { CoreInput } from './core-input.input';
 
 /**
  * Sorting the returned elements
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({ description: 'Sorting the returned elements' })
 export class SortInput extends CoreInput {
   /**
    * Field that is to be used for sorting
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Field that is to be used for sorting' })
   field: string = undefined;
 
   /**
    * SortInput order of the field
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => SortOrderEnum, { description: 'SortInput order of the field' })
   order: SortOrderEnum = undefined;
 }

package/src/core/common/interceptors/check-response.interceptor.ts

@@ -4,12 +4,29 @@ import { map } from 'rxjs/operators';
 
 import { checkRestricted } from '../decorators/restricted.decorator';
 import { getContextData } from '../helpers/context.helper';
+import { ConfigService } from '../services/config.service';
 
 /**
  * Interceptor to check the response data for current user
  */
 @Injectable()
 export class CheckResponseInterceptor implements NestInterceptor {
+  config = {
+    checkObjectItself: false,
+    debug: false,
+    ignoreUndefined: true,
+    mergeRoles: true,
+    removeUndefinedFromResultArray: true,
+    throwError: false,
+  };
+
+  constructor(private readonly configService: ConfigService) {
+    const configuration = this.configService.getFastButReadOnly('security.checkResponseInterceptor');
+    if (typeof configuration === 'object') {
+      this.config = { ...this.config, ...configuration };
+    }
+  }
+
   /**
    * Interception
    */
@@ -21,7 +38,7 @@ export class CheckResponseInterceptor implements NestInterceptor {
     return next.handle().pipe(
       map((data) => {
         // Prepare response data for current user
-        return checkRestricted(data, currentUser, { throwError: false });
+        return checkRestricted(data, currentUser, this.config);
       }),
     );
   }

package/src/core/common/interfaces/server-options.interface.ts

@@ -410,9 +410,47 @@ export interface IServerOptions {
     /**
      * Check restrictions for output (models and output objects)
      * See @lenne.tech/nest-server/src/core/common/interceptors/check-response.interceptor.ts
-     * default = true
      */
-    checkResponseInterceptor?: boolean;
+    checkResponseInterceptor?:
+      | {
+          /**
+           * Check the object itself for restrictions
+           * (the class restriction is not only default for properties but object itself)
+           * default = false (to act like Roles)
+           */
+          checkObjectItself?: boolean;
+
+          /**
+           * Whether to log if a restricted field is found
+           * default = false
+           */
+          debug?: boolean;
+
+          /**
+           * Whether to ignore fields with undefined values
+           * default = true
+           */
+          ignoreUndefined?: boolean;
+
+          /**
+           * Merge roles of object and properties
+           * default = true (to act like Roles)
+           */
+          mergeRoles?: boolean;
+
+          /**
+           * Remove undefined values from result array
+           * default = true
+           */
+          removeUndefinedFromResultArray?: boolean;
+
+          /**
+           * Whether to throw an error if a restricted field is found
+           * default = false (for output objects)
+           */
+          throwError?: boolean;
+        }
+      | boolean;
 
     /**
      * Process securityCheck() methode of Object before response

package/src/core/common/models/core-persistence.model.ts

@@ -2,6 +2,8 @@ import { Field, ID, ObjectType } from '@nestjs/graphql';
 import { Prop, Schema } from '@nestjs/mongoose';
 import { Types } from 'mongoose';
 
+import { Restricted } from '../decorators/restricted.decorator';
+import { RoleEnum } from '../enums/role.enum';
 import { CoreModel } from './core-model.model';
 
 /**
@@ -16,6 +18,7 @@ import { CoreModel } from './core-model.model';
  * with undefined if possible. If necessary and useful, the init method can then be used deliberately:
  * const corePersistenceModel = item ? CorePersistenceModel.map(item).init() : CorePersistenceModel.init();
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @ObjectType({
   description: 'Persistence model which will be saved in DB',
   isAbstract: true,
@@ -26,6 +29,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   // Getter
   // ===========================================================================
 
+  @Restricted(RoleEnum.S_EVERYONE)
   get _id() {
     return new Types.ObjectId(this.id);
   }
@@ -37,6 +41,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * ID of the persistence object as string
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => ID, {
     description: 'ID of the persistence object',
     nullable: true,
@@ -46,6 +51,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Created date, is set automatically by mongoose
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Created date', nullable: true })
   @Prop({ onCreate: () => new Date() })
   createdAt: Date = undefined;
@@ -53,6 +59,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Labels of the object
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => [String], {
     description: 'Labels of the object',
     nullable: true,
@@ -63,6 +70,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Tags for the object
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => [String], {
     description: 'Tags for the object',
     nullable: true,
@@ -73,6 +81,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Updated date is set automatically by mongoose
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Updated date', nullable: true })
   @Prop({ onUpdate: () => new Date() })
   updatedAt: Date = undefined;

package/src/core/modules/auth/core-auth.controller.ts

@@ -3,6 +3,8 @@ import { Args } from '@nestjs/graphql';
 import { Response as ResponseType } from 'express';
 
 import { CurrentUser } from '../../common/decorators/current-user.decorator';
+import { Roles } from '../../common/decorators/roles.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
 import { CoreAuthModel } from './core-auth.model';
@@ -13,6 +15,7 @@ import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
 import { CoreAuthService } from './services/core-auth.service';
 import { Tokens } from './tokens.decorator';
 
+@Roles(RoleEnum.ADMIN)
 @Controller('auth')
 export class CoreAuthController {
   /**
@@ -26,6 +29,7 @@ export class CoreAuthController {
   /**
    * Logout user (from specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   @Get()
   async logout(
@@ -41,6 +45,7 @@ export class CoreAuthController {
   /**
    * Refresh token (for specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   @Get()
   async refreshToken(
@@ -55,6 +60,7 @@ export class CoreAuthController {
   /**
    * Sign in user via email and password (on specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @Post()
   async signIn(@Res() res: ResponseType, @Body('input') input: CoreAuthSignInInput): Promise<CoreAuthModel> {
     const result = await this.authService.signIn(input);
@@ -64,6 +70,7 @@ export class CoreAuthController {
   /**
    * Register a new user account (on specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @Post()
   async signUp(@Res() res: ResponseType, @Args('input') input: CoreAuthSignUpInput): Promise<CoreAuthModel> {
     const result = await this.authService.signUp(input);

package/src/core/modules/auth/core-auth.model.ts

@@ -1,11 +1,14 @@
 import { Field, ObjectType } from '@nestjs/graphql';
 
+import { Restricted } from '../../common/decorators/restricted.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
 import { CoreModel } from '../../common/models/core-model.model';
 import { CoreUserModel } from '../user/core-user.model';
 
 /**
  * CoreAuth model for the response after the sign in
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @ObjectType({ description: 'CoreAuth', isAbstract: true })
 export class CoreAuthModel extends CoreModel {
   // ===================================================================================================================
@@ -15,18 +18,21 @@ export class CoreAuthModel extends CoreModel {
   /**
    * JavaScript Web Token (JWT)
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'JavaScript Web Token (JWT)', nullable: true })
   token?: string = undefined;
 
   /**
    * Refresh token
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Refresh token', nullable: true })
   refreshToken?: string = undefined;
 
   /**
    * Current user
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Current user' })
   user: CoreUserModel = undefined;
 

package/src/core/modules/auth/core-auth.resolver.ts

@@ -4,6 +4,8 @@ import { Response as ResponseType } from 'express';
 
 import { CurrentUser } from '../../common/decorators/current-user.decorator';
 import { GraphQLServiceOptions } from '../../common/decorators/graphql-service-options.decorator';
+import { Roles } from '../../common/decorators/roles.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
 import { ServiceOptions } from '../../common/interfaces/service-options.interface';
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
@@ -18,6 +20,7 @@ import { Tokens } from './tokens.decorator';
 /**
  * Authentication resolver for the sign in
  */
+@Roles(RoleEnum.ADMIN)
 @Resolver(of => CoreAuthModel, { isAbstract: true })
 export class CoreAuthResolver {
   /**
@@ -35,6 +38,7 @@ export class CoreAuthResolver {
   /**
    * Logout user (from specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   @Mutation(returns => Boolean, { description: 'Logout user (from specific device)' })
   async logout(
@@ -50,6 +54,7 @@ export class CoreAuthResolver {
   /**
    * Refresh token (for specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   @Mutation(returns => CoreAuthModel, { description: 'Refresh tokens (for specific device)' })
   async refreshToken(
@@ -64,6 +69,7 @@ export class CoreAuthResolver {
   /**
    * Sign in user via email and password (on specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @Mutation(returns => CoreAuthModel, {
     description: 'Sign in user via email and password and get JWT tokens (for specific device)',
   })
@@ -79,6 +85,7 @@ export class CoreAuthResolver {
   /**
    * Register a new user account (on specific device)
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @Mutation(returns => CoreAuthModel, { description: 'Register a new user account (on specific device)' })
   async signUp(
     @GraphQLServiceOptions({ gqlPath: 'signUp.user' }) serviceOptions: ServiceOptions,

package/src/core/modules/auth/inputs/core-auth-sign-in.input.ts

@@ -1,25 +1,32 @@
 import { Field, InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../../../common/decorators/restricted.decorator';
+import { RoleEnum } from '../../../common/enums/role.enum';
 import { CoreInput } from '../../../common/inputs/core-input.input';
 
 /**
  * SignIn input
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({ description: 'Sign-in input' })
 export class CoreAuthSignInInput extends CoreInput {
   // ===================================================================================================================
   // Properties
   // ===================================================================================================================
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Device ID (is created automatically if it is not set)', nullable: true })
   deviceId?: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Device description', nullable: true })
   deviceDescription?: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Email', nullable: false })
   email: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Password', nullable: false })
   password: string = undefined;
 }

package/src/core/modules/auth/inputs/core-auth-sign-up.input.ts

@@ -1,9 +1,12 @@
 import { InputType } from '@nestjs/graphql';
 
+import { Restricted } from '../../../common/decorators/restricted.decorator';
+import { RoleEnum } from '../../../common/enums/role.enum';
 import { CoreAuthSignInInput } from './core-auth-sign-in.input';
 
 /**
  * SignUp input
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @InputType({ description: 'Sign-up input' })
 export class CoreAuthSignUpInput extends CoreAuthSignInInput {}

package/src/core/modules/file/core-file-info.model.ts

@@ -2,17 +2,21 @@ import { Field, ObjectType } from '@nestjs/graphql';
 import { Prop } from '@nestjs/mongoose';
 import { Types } from 'mongoose';
 
+import { Restricted } from '../../common/decorators/restricted.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
 import { CoreModel } from '../../common/models/core-model.model';
 
 /**
  * File info
  */
+@Restricted(RoleEnum.S_EVERYONE)
 @ObjectType({ description: 'Information about file' })
 export class CoreFileInfo extends CoreModel {
   // ===========================================================================
   // Getter
   // ===========================================================================
 
+  @Restricted(RoleEnum.S_EVERYONE)
   get _id() {
     return new Types.ObjectId(this.id);
   }
@@ -21,9 +25,11 @@ export class CoreFileInfo extends CoreModel {
   // Properties
   // ===========================================================================
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => String, { description: 'ID of the file' })
   id: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => Number, {
     description:
       'The size of each chunk in bytes. GridFS divides the document into chunks of size chunkSize, '
@@ -33,18 +39,22 @@ export class CoreFileInfo extends CoreModel {
   @Prop({ required: false, type: Number })
   chunkSize: number = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => String, { description: 'Content type', nullable: true })
   @Prop({ required: false, type: String })
   contentType?: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => String, { description: 'Name of the file', nullable: true })
   @Prop({ required: false, type: String })
   filename?: string = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => Number, { description: 'The size of the document in bytes', nullable: true })
   @Prop({ required: false, type: Number })
   length: number = undefined;
 
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(() => Date, { description: 'The date the file was first stored', nullable: true })
   @Prop({ required: false, type: Date })
   uploadDate: Date = undefined;

package/src/core/modules/file/core-file.controller.ts

@@ -1,10 +1,13 @@
 import { BadRequestException, Controller, Get, NotFoundException, Param, Res } from '@nestjs/common';
 
+import { Roles } from '../../common/decorators/roles.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
 import { CoreFileService } from './core-file.service';
 
 /**
  * File controller
  */
+@Roles(RoleEnum.ADMIN)
 @Controller('files')
 export abstract class CoreFileController {
   /**
@@ -15,6 +18,7 @@ export abstract class CoreFileController {
   /**
    * Download file
    */
+  @Roles(RoleEnum.S_EVERYONE)
   @Get(':filename')
   async getFile(@Param('filename') filename: string, @Res() res) {
     if (!filename) {