Auspicious14 commited on
Commit
0fef56a
·
1 Parent(s): 01d0870

fix(facilities): secure facility get endpoints

Browse files

Update allowed roles for findAll endpoint to include FACILITY_ADMIN and FACILITY_STAFF. Add request validation to findOne to restrict non-super admins to their own facility, and add required ForbiddenException import.

src/facilities/facilities.controller.ts CHANGED
@@ -2,6 +2,7 @@ import {
2
  Body,
3
  Controller,
4
  Delete,
 
5
  Get,
6
  Param,
7
  Patch,
@@ -46,7 +47,7 @@ export class FacilitiesController {
46
  }
47
 
48
  /** GET /facilities */
49
- @Roles("SUPER_ADMIN")
50
  @Get()
51
  findAll() {
52
  return this.facilitiesService.findAll();
@@ -55,7 +56,15 @@ export class FacilitiesController {
55
  /** GET /facilities/:id */
56
  @Roles("SUPER_ADMIN", "FACILITY_ADMIN", "FACILITY_STAFF")
57
  @Get(":id")
58
- findOne(@Param("id") id: string) {
 
 
 
 
 
 
 
 
59
  return this.facilitiesService.findOne(id);
60
  }
61
 
 
2
  Body,
3
  Controller,
4
  Delete,
5
+ ForbiddenException,
6
  Get,
7
  Param,
8
  Patch,
 
47
  }
48
 
49
  /** GET /facilities */
50
+ @Roles("SUPER_ADMIN", "FACILITY_ADMIN", "FACILITY_STAFF")
51
  @Get()
52
  findAll() {
53
  return this.facilitiesService.findAll();
 
56
  /** GET /facilities/:id */
57
  @Roles("SUPER_ADMIN", "FACILITY_ADMIN", "FACILITY_STAFF")
58
  @Get(":id")
59
+ findOne(@Param("id") id: string, @Req() req: any) {
60
+ const requesterRole = req.user?.role;
61
+ const requesterFacilityId = req.user?.healthcareWorker?.facilityId;
62
+
63
+ // Only SUPER_ADMIN can access any facility, others can only access their own
64
+ if (requesterRole !== "SUPER_ADMIN" && requesterFacilityId !== id) {
65
+ throw new ForbiddenException("You are not authorized to access this facility");
66
+ }
67
+
68
  return this.facilitiesService.findOne(id);
69
  }
70