mirror of
https://github.com/Dokploy/dokploy
synced 2025-06-26 18:27:59 +00:00
feat(user-access): implement access control for user information retrieval
- Added checks to deny access if the user is not found in the organization. - Implemented authorization logic to allow access only for users requesting their own information or users with owner role in the same organization.
This commit is contained in:
@@ -75,6 +75,24 @@ export const userRouter = createTRPCRouter({
|
|||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// If user not found in the organization, deny access
|
||||||
|
if (!memberResult) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "NOT_FOUND",
|
||||||
|
message: "User not found in this organization",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Allow access if:
|
||||||
|
// 1. User is requesting their own information
|
||||||
|
// 2. User has owner role (admin permissions) AND user is in the same organization
|
||||||
|
if (memberResult.userId !== ctx.user.id && ctx.user.role !== "owner") {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "UNAUTHORIZED",
|
||||||
|
message: "You are not authorized to access this user",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
return memberResult;
|
return memberResult;
|
||||||
}),
|
}),
|
||||||
get: protectedProcedure.query(async ({ ctx }) => {
|
get: protectedProcedure.query(async ({ ctx }) => {
|
||||||
|
|||||||
Reference in New Issue
Block a user