From f3d8fcd1f14aa103856770710b76d270126c1259 Mon Sep 17 00:00:00 2001
From: Guilherme Peixoto <48967037+guipeeix7@users.noreply.github.com>
Date: Wed, 15 Jan 2025 23:37:12 -0300
Subject: [PATCH 1/2] Update routes.js

---
 src/routes.js | 44 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/src/routes.js b/src/routes.js
index c57ca5d..23b318e 100644
--- a/src/routes.js
+++ b/src/routes.js
@@ -4,64 +4,94 @@ const bankAccountController = require("./Controllers/bankAccountController"); const supplierFormController = require("./Controllers/supplierFormController"); const financialMovementsController = require("./Controllers/financialMovementsController"); const financialReportController = require("./Controllers/financialReportController"); +const {checkPermissions} = require("./Middlewares/accessControlMiddleware"); + -// Rotas Privadas (Comentadas por enquanto, você pode descomentar quando implementar a validação de token) -// router.get('/finance', tokenValidation, ???.getUsers); -// router.get('/finance/:id', tokenValidation, ???.getUserById); // Rotas Contas Bancárias routes.post( "/finance/createBankAccount", + checkPermissions("contas_bancarias_criar"), bankAccountController.createBankAccount ); routes.get( "/finance/bankAccount/:id", + checkPermissions("contas_bancarias_visualizar"), bankAccountController.getBankAccountbyId ); routes.delete( "/finance/deleteBankAccount/:id", + checkPermissions("contas_bancarias_deletar"), bankAccountController.deleteBankAccount ); routes.patch( "/finance/updateBankAccount/:id", + checkPermissions("contas_bancarias_editar"), bankAccountController.updateBankAccount ); -routes.get("/finance/getBankAccount", bankAccountController.getAll); +routes.get( + "/finance/getBankAccount", + checkPermissions("contas_bancarias_visualizar"), + bankAccountController.getAll +); // Rotas Fornecedores -routes.post("/SupplierForm/create", supplierFormController.createSupplierForm); -routes.get("/SupplierForm", supplierFormController.getSupplierForm); -routes.get("/SupplierForm/:id", supplierFormController.getSupplierFormById); +routes.post( + "/SupplierForm/create", + checkPermissions("fornecedores_criar"), + supplierFormController.createSupplierForm +); +routes.get( + "/SupplierForm", + checkPermissions("fornecedores_visualizar"), + supplierFormController.getSupplierForm +); +routes.get( + "/SupplierForm/:id", + 
checkPermissions("fornecedores_visualizar"), + supplierFormController.getSupplierFormById +); routes.delete( "/SupplierForm/delete/:id", + checkPermissions("fornecedores_deletar"), supplierFormController.deleteSupplierFormById ); routes.patch( "/SupplierForm/update/:id", + checkPermissions("fornecedores_editar"), supplierFormController.updateSupplierFormById ); + +// Rotas Movimentações Financeiras routes.post( "/financialMovements/create", + checkPermissions("movimentacao_financeira_criar"), financialMovementsController.createFinancialMovements ); routes.get( "/financialMovements", + checkPermissions("movimentacao_financeira_visualizar"), financialMovementsController.getFinancialMovements ); routes.get( "/financialMovements/:id", + checkPermissions("movimentacao_financeira_visualizar"), financialMovementsController.getFinancialMovementsById ); routes.delete( "/financialMovements/delete/:id", + checkPermissions("movimentacao_financeira_deletar"), financialMovementsController.deleteFinancialMovementsById ); routes.patch( "/financialMovements/update/:id", + checkPermissions("movimentacao_financeira_editar"), financialMovementsController.updateFinancialMovementsById ); routes.post( "/financialMovements/report", + checkPermissions("movimentacao_financeira_visualizar"), financialReportController.generateFinancialReport ); + module.exports = routes; From 282c0060c43aad43872d90dff4fd65539f61b71a Mon Sep 17 00:00:00 2001 From: Guilherme Peixoto <48967037+guipeeix7@users.noreply.github.com> Date: Wed, 15 Jan 2025 23:38:00 -0300 Subject: [PATCH 2/2] added middleware --- src/Middlewares/accessControlMiddleware.js | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 src/Middlewares/accessControlMiddleware.js diff --git a/src/Middlewares/accessControlMiddleware.js b/src/Middlewares/accessControlMiddleware.js new file mode 100644 index 0000000..9a3f497 --- /dev/null +++ b/src/Middlewares/accessControlMiddleware.js 
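Review bot: Each route now carries `checkPermissions(...)` as its only middleware, and the removed `// Rotas Privadas` comment was the last trace of a separate `tokenValidation` step, so this permission check is also the sole authentication point for every finance and supplier route and its token handling has to be as strict as a login check (see the note on accessControlMiddleware.js). The permission names are bare string literals repeated across routes (`"contas_bancarias_visualizar"` twice, `"movimentacao_financeira_visualizar"` three times) and must match exactly whatever names are stored on user records; a mismatch fails closed but silently, so collecting them in one frozen object, e.g. `const PERMISSION = Object.freeze({ BANK_ACCOUNT_VIEW: "contas_bancarias_visualizar", /* ... */ });`, and referencing `PERMISSION.BANK_ACCOUNT_VIEW` in the routes would keep the names in one place. The stray blank line added right after the new `require` and the `{checkPermissions}` spacing, which differs from the `{ checkPermissions }` used in the middleware's own export, could be cleaned up while here.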
@@ -0,0 +1,26 @@
+const jwt = require('jsonwebtoken');
+
+
+const checkPermissions = (permissionName) => {
+ return async (req, res, next) => {
+ try{
+ const decoded = jwt.decode(req.headers.authorization?.split(" ")[1]);
+
+ const permission = decoded._doc.permissions.find(
+ (perm) => perm.name === permissionName
+ );
+
+ if (!permission) {
+ return res
+ .status(400)
+ .send("user has no permission to access resource");
+ }
+ next();
+ }
+ catch(error){
+ next(error);
+ }
+ };
+};
+
+module.exports = { checkPermissions };
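Review bot: `jwt.decode` on the `const decoded` line only base64-decodes the payload and never checks the signature, so any caller can hand-craft a token whose `permissions` array contains the expected name and every route guarded by this middleware will accept it; `jwt.verify(token, <signing key>)` with the key the login flow signs with is required here, ideally with `algorithms` pinned to the one the tokens are issued with. A missing or malformed `Authorization` header makes `decoded` null, and `decoded._doc` then throws a TypeError that reaches `next(error)` as a generic server error instead of a 401. A valid token that lacks the permission is an authorization failure, so the `400` should be `403`. The `async` on the inner arrow is unnecessary since nothing is awaited, and reading permissions out of `_doc` suggests a whole Mongoose document was embedded in the token payload — worth confirming on the signing side that only the claims this middleware needs are included.
```javascript
// … unchanged: require('jsonwebtoken') …
const checkPermissions = (permissionName) => {
  return (req, res, next) => {
    const token = req.headers.authorization?.split(" ")[1];
    if (!token) {
      return res.status(401).send("missing bearer token");
    }
    let decoded;
    try {
      // verify() checks signature and expiry; decode() checks neither
      decoded = jwt.verify(token, SIGNING_KEY_PLACEHOLDER /* placeholder: the key the login route signs with */);
    } catch (error) {
      return res.status(401).send("invalid or expired token");
    }
    const permissions = decoded?._doc?.permissions ?? [];
    const permission = permissions.find((perm) => perm.name === permissionName);
    if (!permission) {
      return res.status(403).send("user has no permission to access resource");
    }
    next();
  };
};
// … unchanged: module.exports …
```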