Files
EgleH b2dce18c7a Limit access to resources according to user scoped Account or SP (#140)
* limit access to resources according to user scope

* fix error change

* speech credentials validation

* fix speech credentials validation

* fix the issues that didnt allow tests to pass

* speech credential validation

* retrieve speech cred list

* fixt speech credential test valodation

* check scope of smpp-gateways

* check scope of smpp-gateways

* testing time

* /signin for hosted system needs to return scope in jwt

* fix user delete route and adjust tests

* get refactor

---------

Co-authored-by: eglehelms <e.helms@cognigy.com>
Co-authored-by: Dave Horton <daveh@beachdognet.com>
Co-authored-by: Guilherme Rauen <g.rauen@cognigy.com>
2023-04-05 14:20:51 -04:00

59 lines
1.8 KiB
JavaScript

const router = require('express').Router();
const Sbc = require('../../models/sbc');
const decorate = require('./decorate');
const sysError = require('../error');
const {DbErrorBadRequest} = require('../../utils/errors');
const {promisePool} = require('../../db');
const validate = (req, res) => {
if (req.user.hasScope('admin')) return;
res.status(403).json({
status: 'fail',
message: 'insufficient privileges'
});
};
const preconditions = {
'add': validate,
'delete': validate
};
decorate(router, Sbc, ['add', 'delete'], preconditions);
/* list */
router.get('/', async(req, res) => {
const logger = req.app.locals.logger;
try {
let service_provider_sid = req.query.service_provider_sid;
if (req.user.hasAccountAuth) {
const [r] = await promisePool.query('SELECT * from accounts WHERE account_sid = ?', req.user.account_sid);
if (0 === r.length) throw new Error('invalid account_sid');
service_provider_sid = r[0].service_provider_sid;
}
if (req.user.hasServiceProviderAuth) {
const [r] = await promisePool.query(
'SELECT * from service_providers where service_provider_sid = ?',
service_provider_sid);
if (0 === r.length) throw new Error('invalid account_sid');
service_provider_sid = r[0].service_provider_sid;
if (!service_provider_sid) throw new DbErrorBadRequest('missing service_provider_sid in query');
}
/** generally, we have a global set of SBCs that all accounts use.
* However, we can have a set of SBCs that are specific for use by a service provider.
*/
let results = await Sbc.retrieveAll(service_provider_sid);
if (results.length === 0) results = await Sbc.retrieveAll();
res.status(200).json(results);
} catch (err) {
sysError(logger, res, err);
}
});
module.exports = router;