feat(user-access): implement access control for user information retrieval

- Added checks to deny access if the user is not found in the organization. - Implemented authorization logic to allow access only for users requesting their own information or users with owner role in the same organization.
2025-06-26 18:27:59 +00:00 · 2025-06-22 23:56:13 -06:00
parent 2a89be6efc
commit 61cf426615
1 changed files with 18 additions and 0 deletions
--- a/apps/dokploy/server/api/routers/user.ts
+++ b/apps/dokploy/server/api/routers/user.ts
@@ -75,6 +75,24 @@ export const userRouter = createTRPCRouter({
 				},
 			});

+			// If user not found in the organization, deny access
+			if (!memberResult) {
+				throw new TRPCError({
+					code: "NOT_FOUND",
+					message: "User not found in this organization",
+				});
+			}
+
+			// Allow access if:
+			// 1. User is requesting their own information
+			// 2. User has owner role (admin permissions) AND user is in the same organization
+			if (memberResult.userId !== ctx.user.id && ctx.user.role !== "owner") {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not authorized to access this user",
+				});
+			}
+
 			return memberResult;
 		}),
 	get: protectedProcedure.query(async ({ ctx }) => {