Updated A LOT
This commit is contained in:
@@ -41,9 +41,24 @@ function requireRole(...roles) {
|
||||
};
|
||||
}
|
||||
|
||||
// Capability-based guard: the user's role must grant at least one of the listed capabilities.
|
||||
// Required lazily to avoid a load-time cycle (roles -> db -> ...).
|
||||
function requireCapability(...capabilities) {
|
||||
return (req, res, next) => {
|
||||
const { capabilitiesForRole } = require('../services/roles');
|
||||
const { capabilitySetIncludes } = require('../services/accessControl');
|
||||
const granted = capabilitiesForRole(req.user.role);
|
||||
if (!capabilities.some((cap) => capabilitySetIncludes(granted, cap))) {
|
||||
return res.status(403).json({ error: 'Insufficient access' });
|
||||
}
|
||||
return next();
|
||||
};
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
publicUser,
|
||||
requireAuth,
|
||||
requireCapability,
|
||||
requireRole,
|
||||
tokenFor
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user