@spfn/auth 0.2.0-beta.56 → 0.2.0-beta.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/server.js +16 -2
- package/dist/server.js.map +1 -1
- package/package.json +4 -4
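--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -9248,6 +9248,7 @@ var oauthRouter = defineRouter4({
 });
 
 // src/server/routes/admin/index.ts
+init_repositories();
 init_esm();
 import { ForbiddenError as ForbiddenError4 } from "@spfn/core/errors";
 import { route as route5 } from "@spfn/core/route";
@@ -9257,7 +9258,7 @@ var listRoles = route5.get("/_auth/admin/roles").input({
 description: "Include inactive roles (default: false)"
 }))
 })
-}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+}).use([authenticate, requireRole("admin", "superadmin")]).handler(async (c) => {
 const { query } = await c.data();
 const roles2 = await getAllRoles(query.includeInactive ?? false);
 return { roles: roles2 };
@@ -9315,9 +9316,10 @@ var updateUserRole = route5.patch("/_auth/admin/users/:userId/role").input({
 body: Type.Object({
 roleId: Type.Number({ description: "New role ID to assign" })
 })
-}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+}).use([authenticate, requireRole("admin", "superadmin")]).handler(async (c) => {
 const { params, body } = await c.data();
 const auth = getAuth(c);
+const callerRole = await getUserRole(auth.userId);
 if (params.userId === Number(auth.userId)) {
 throw new ForbiddenError4({ message: "Cannot change your own role" });
 }
@@ -9325,6 +9327,18 @@ var updateUserRole = route5.patch("/_auth/admin/users/:userId/role").input({
 if (targetRole === "superadmin") {
 throw new ForbiddenError4({ message: "Cannot modify superadmin role" });
 }
+if (callerRole !== "superadmin") {
+const newRole = await rolesRepository.findById(body.roleId);
+if (newRole?.name === "superadmin") {
+throw new ForbiddenError4({ message: "Only superadmin can assign superadmin role" });
+}
+if (newRole?.name === "admin") {
+const canPromote = await hasPermission(auth.userId, "admin:promote");
+if (!canPromote) {
+throw new ForbiddenError4({ message: "admin:promote permission required to assign admin role" });
+}
+}
+}
 await updateUserService(params.userId, { roleId: body.roleId });
 return { userId: params.userId, roleId: body.roleId };
 });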
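Review bot: An admin caller without `admin:promote` can still demote another admin, because the new branch in the last hunk (new lines 9330–9341) gates only the role being assigned via `newRole?.name`, while the existing guard above it rejects only `targetRole === "superadmin"` and nothing checks `targetRole === "admin"`. Unless peer-admin demotion is intended, the `hasPermission(auth.userId, "admin:promote")` check should apply whenever either the target's current role or the new role is admin, e.g. `if ((targetRole === "admin" || newRole?.name === "admin") && !(await hasPermission(auth.userId, "admin:promote"))) { throw new ForbiddenError4({ message: "admin:promote permission required to change admin role" }); }`. Separately, an unknown `body.roleId` makes `rolesRepository.findById` return nothing, both name checks are skipped by optional chaining, and `updateUserService` is still called with that id; whether the service or the database rejects it is not visible here, so a fail-closed `if (!newRole) { throw new ForbiddenError4({ message: "Unknown role" }); }` (or a not-found error if the package has one) before the name checks would remove the dependency on that behaviour. `targetRole` is computed between the third and fourth hunks and the `updateUserRole` definition starts outside this view.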