From 98fc0cf9443e8d88351c9e100a8bd05a698c433b Mon Sep 17 00:00:00 2001 
From: Adrian Flores Cortes Date: Sat, 31 Jan 2026 01:43:05 -0600 Subject: [PATCH] [RBAC-002] feat: Migrate all routes from requireRoles to requireAccess Phase 2 of RBAC propagation - migrates 18 route files to use hybrid requireAccess() middleware for permission-based authorization: P1 Routes (auth/billing): - users.routes.ts (11 occurrences) - roles.routes.ts (11 occurrences) - permissions.routes.ts (8 occurrences) - invoices.routes.ts (9 occurrences) - financial.routes.ts (42 occurrences) P2 Routes (business): - partners.routes.ts (16 occurrences) - sales.routes.ts (32 occurrences) - purchases.routes.ts (21 occurrences) P3 Routes (operations): - inventory.routes.ts (28 occurrences) - hr.routes.ts (28 occurrences) - crm.routes.ts (23 occurrences) - core.routes.ts (21 occurrences) - tenants.routes.ts (12 occurrences) - companies.routes.ts (9 occurrences) - warehouses.routes.ts (6 occurrences) - products.routes.ts (6 occurrences) - projects.routes.ts (6 occurrences) - system.routes.ts (2 occurrences) Total: ~271 route protections migrated to permission-based access Co-Authored-By: Claude Opus 4.5 --- src/modules/companies/companies.routes.ts | 19 ++--- src/modules/core/core.routes.ts | 43 ++++++----- src/modules/crm/crm.routes.ts | 47 ++++++------ src/modules/financial/financial.routes.ts | 85 +++++++++++---------- src/modules/hr/hr.routes.ts | 57 +++++++------- src/modules/inventory/inventory.routes.ts | 57 +++++++------- src/modules/invoices/invoices.routes.ts | 19 ++--- src/modules/partners/partners.routes.ts | 33 ++++---- src/modules/products/products.routes.ts | 15 ++-- src/modules/projects/projects.routes.ts | 15 ++-- src/modules/purchases/purchases.routes.ts | 43 ++++++----- src/modules/roles/permissions.routes.ts | 17 +++-- src/modules/roles/roles.routes.ts | 23 +++--- src/modules/sales/sales.routes.ts | 65 ++++++++-------- src/modules/system/system.routes.ts | 7 +- src/modules/tenants/tenants.routes.ts | 27 +++---- src/modules/users/users.routes.ts | 23 
+++--- src/modules/warehouses/warehouses.routes.ts | 15 ++--
 18 files changed, 314 insertions(+), 296 deletions(-)
diff --git a/src/modules/companies/companies.routes.ts b/src/modules/companies/companies.routes.ts
index e18bb78..3fcb48e 100644
--- a/src/modules/companies/companies.routes.ts
+++ b/src/modules/companies/companies.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { companiesController } from './companies.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
@@ -8,42 +9,42 @@ const router = Router();
 router.use(authenticate);
 // List companies (admin, manager)
-router.get('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/', requireAccess({ roles: ['admin', 'manager'], permission: 'branches:read' }), (req, res, next) =>
 companiesController.findAll(req, res, next)
 );
 // Get company hierarchy tree (must be before /:id to avoid conflict)
-router.get('/hierarchy/tree', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/hierarchy/tree', requireAccess({ roles: ['admin', 'manager'], permission: 'branches:read' }), (req, res, next) =>
 companiesController.getHierarchy(req, res, next)
 );
 // Get company by ID
-router.get('/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'branches:read' }), (req, res, next) =>
 companiesController.findById(req, res, next)
 );
 // Create company (admin only)
-router.post('/', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['admin'], permission: 'branches:create' }), (req, res, next) =>
 companiesController.create(req, res, next)
 );
 // Update company (admin only)
-router.put('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/:id', requireAccess({ roles: ['admin'], permission: 'branches:update' }), (req, res, next) =>
 companiesController.update(req, res, next)
 );
 // Delete company (admin only)
-router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'branches:delete' }), (req, res, next) =>
 companiesController.delete(req, res, next)
 );
 // Get users assigned to company
-router.get('/:id/users', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id/users', requireAccess({ roles: ['admin', 'manager'], permission: 'users:read' }), (req, res, next) =>
 companiesController.getUsers(req, res, next)
 );
 // Get subsidiaries (child companies)
-router.get('/:id/subsidiaries', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id/subsidiaries', requireAccess({ roles: ['admin', 'manager'], permission: 'branches:read' }), (req, res, next) =>
 companiesController.getSubsidiaries(req, res, next)
 );
diff --git a/src/modules/core/core.routes.ts b/src/modules/core/core.routes.ts
index ef7d7f7..74394f8 100644
--- a/src/modules/core/core.routes.ts
+++ b/src/modules/core/core.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { coreController } from './core.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
@@ -10,10 +11,10 @@ router.use(authenticate);
 // ========== CURRENCIES ==========
 router.get('/currencies', (req, res, next) => coreController.getCurrencies(req, res, next));
 router.get('/currencies/:id', (req, res, next) => coreController.getCurrency(req, res, next));
-router.post('/currencies', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/currencies', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) =>
 coreController.createCurrency(req, res, next)
 );
-router.put('/currencies/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/currencies/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) =>
 coreController.updateCurrency(req, res, next)
 );
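Review bot: Every requireAccess() call in this hunk drops 'super_admin' from the role list that the replaced requireRoles() calls carried, and nothing in the patch shows whether rbac.middleware's requireAccess() grants super_admin implicitly or whether its "hybrid" check is role-OR-permission or role-AND-permission; under AND semantics a super_admin is now locked out of every company route, under OR semantics the permission becomes an independent grant path that the role list no longer constrains. Please state the contract once at the top of this file, e.g. `// requireAccess(): passes when the caller holds one of `roles` OR the named permission; super_admin is handled inside rbac.middleware`, adjusted to what the middleware actually does. Separately, the company routes are keyed to `branches:*` while `/:id/users` uses `users:read`; if the permission catalogue distinguishes companies from branches, revoking the companies permission would have no effect here.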
@@ -26,13 +27,13 @@ router.get('/states', (req, res, next) => coreController.getStates(req, res, nex router.get('/states/:id', (req, res, next) => coreController.getState(req, res, next)); router.get('/countries/:countryId/states', (req, res, next) => coreController.getStatesByCountry(req, res, next)); router.get('/countries/code/:countryCode/states', (req, res, next) => coreController.getStatesByCountryCode(req, res, next)); -router.post('/states', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/states', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.createState(req, res, next) ); -router.put('/states/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/states/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.updateState(req, res, next) ); -router.delete('/states/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/states/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.deleteState(req, res, next) ); 
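Review bot: `POST`, `PUT` and `DELETE /states` all map to the single permission `settings:update`, so the admin-only delete that the role list still enforces cannot be expressed at the permission layer, and once roles stop being checked any holder of `settings:update` can delete states. The same permission is handed to managers on the currency-rate and payment-term create routes later in this file, which is how that widening would happen in practice. Consider a distinct delete-level permission in the `<resource>:delete` form this commit already uses for `branches:delete` and `categories:delete`, or record the reliance explicitly, e.g. `// delete is admin-only by role; settings:update is shared with create/update`.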
@@ -42,11 +43,11 @@ router.get('/currency-rates/latest', (req, res, next) => coreController.getLates router.get('/currency-rates/rate/:from/:to', (req, res, next) => coreController.getLatestRate(req, res, next)); router.get('/currency-rates/history/:from/:to', (req, res, next) => coreController.getCurrencyRateHistory(req, res, next)); router.get('/currency-rates/:id', (req, res, next) => coreController.getCurrencyRate(req, res, next)); -router.post('/currency-rates', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/currency-rates', requireAccess({ roles: ['admin', 'manager'], permission: 'settings:update' }), (req, res, next) => coreController.createCurrencyRate(req, res, next) ); router.post('/currency-rates/convert', (req, res, next) => coreController.convertCurrency(req, res, next)); -router.delete('/currency-rates/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/currency-rates/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.deleteCurrencyRate(req, res, next) ); 
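Review bot: `POST /currency-rates` (roles admin and manager) and `DELETE /currency-rates/:id` (roles admin only) now carry the identical permission `settings:update`, so the role list is the only thing still separating the two tiers; a manager granted `settings:update` for rate entry would also satisfy the delete route if requireAccess() accepts the permission on its own. If the intent is that managers may post rates but not delete them, the delete route needs a permission of its own (the `<resource>:delete` form used for `categories:delete` below) or a comment making the role list the documented gate, e.g. `// role list intentionally narrower than permission; keep admin-only when roles are phased out`.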
@@ -58,27 +59,27 @@ router.get('/uom-categories/:id', (req, res, next) => coreController.getUomCateg router.get('/uom', (req, res, next) => coreController.getUoms(req, res, next)); router.get('/uom/by-code/:code', (req, res, next) => coreController.getUomByCode(req, res, next)); router.get('/uom/:id', (req, res, next) => coreController.getUom(req, res, next)); -router.post('/uom', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/uom', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.createUom(req, res, next) ); router.post('/uom/convert', (req, res, next) => coreController.convertUom(req, res, next)); router.get('/uom-categories/:categoryId/conversions', (req, res, next) => coreController.getUomConversions(req, res, next) ); -router.put('/uom/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/uom/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.updateUom(req, res, next) ); // ========== PRODUCT CATEGORIES ========== router.get('/product-categories', (req, res, next) => coreController.getProductCategories(req, res, next)); router.get('/product-categories/:id', (req, res, next) => coreController.getProductCategory(req, res, next)); -router.post('/product-categories', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/product-categories', requireAccess({ roles: ['admin', 'manager'], permission: 'categories:create' }), (req, res, next) => coreController.createProductCategory(req, res, next) ); -router.put('/product-categories/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/product-categories/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'categories:update' }), (req, res, next) => coreController.updateProductCategory(req, res, next) ); -router.delete('/product-categories/:id', requireRoles('admin', 'super_admin'), 
(req, res, next) => +router.delete('/product-categories/:id', requireAccess({ roles: ['admin'], permission: 'categories:delete' }), (req, res, next) => coreController.deleteProductCategory(req, res, next) ); @@ -86,19 +87,19 @@ router.delete('/product-categories/:id', requireRoles('admin', 'super_admin'), ( router.get('/payment-terms', (req, res, next) => coreController.getPaymentTerms(req, res, next)); router.get('/payment-terms/standard', (req, res, next) => coreController.getStandardPaymentTerms(req, res, next)); router.get('/payment-terms/:id', (req, res, next) => coreController.getPaymentTerm(req, res, next)); -router.post('/payment-terms', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/payment-terms', requireAccess({ roles: ['admin', 'manager'], permission: 'settings:update' }), (req, res, next) => coreController.createPaymentTerm(req, res, next) ); -router.post('/payment-terms/initialize', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/payment-terms/initialize', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.initializePaymentTerms(req, res, next) ); router.post('/payment-terms/:id/calculate-due-date', (req, res, next) => coreController.calculateDueDate(req, res, next) ); -router.put('/payment-terms/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/payment-terms/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'settings:update' }), (req, res, next) => coreController.updatePaymentTerm(req, res, next) ); -router.delete('/payment-terms/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/payment-terms/:id', requireAccess({ roles: ['admin'], permission: 'settings:update' }), (req, res, next) => coreController.deletePaymentTerm(req, res, next) ); 
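Review bot: `POST /uom` and `PUT /uom/:id` reuse `settings:update`, the permission this file also attaches to currencies, states, currency rates and payment terms, while the product-category routes in the same hunk get their own `categories:create`/`update`/`delete`; one settings-wide permission therefore unlocks unit-of-measure edits for anyone who was granted it for an unrelated reason. If units are catalogue data rather than settings, give them resource-scoped permissions like the category routes; otherwise a comment such as `// UoM is treated as settings data and governed by settings:update` would make the grouping deliberate.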
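Review bot: `POST /payment-terms/initialize` and `DELETE /payment-terms/:id` were admin-only but now share `settings:update` with `POST` and `PUT /payment-terms`, which this hunk opens to managers, so the permission alone cannot distinguish a bulk initialize or a delete from an ordinary edit. Initialize presumably seeds or overwrites the standard terms (its controller is not visible here); if so it deserves its own permission, or at least a comment such as `// initialize rewrites standard terms — keep admin-only even after roles are removed`.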
@@ -111,17 +112,17 @@ router.get('/discount-rules/by-customer/:customerId', (req, res, next) =>
 coreController.getDiscountRulesByCustomer(req, res, next)
 );
 router.get('/discount-rules/:id', (req, res, next) => coreController.getDiscountRule(req, res, next));
-router.post('/discount-rules', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/discount-rules', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:create' }), (req, res, next) =>
 coreController.createDiscountRule(req, res, next)
 );
 router.post('/discount-rules/apply', (req, res, next) => coreController.applyDiscounts(req, res, next));
-router.put('/discount-rules/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.put('/discount-rules/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:update' }), (req, res, next) =>
 coreController.updateDiscountRule(req, res, next)
 );
-router.post('/discount-rules/:id/reset-usage', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/discount-rules/:id/reset-usage', requireAccess({ roles: ['admin'], permission: 'price_lists:update' }), (req, res, next) =>
 coreController.resetDiscountRuleUsage(req, res, next)
 );
-router.delete('/discount-rules/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/discount-rules/:id', requireAccess({ roles: ['admin'], permission: 'price_lists:delete' }), (req, res, next) =>
 coreController.deleteDiscountRule(req, res, next)
 );
diff --git a/src/modules/crm/crm.routes.ts b/src/modules/crm/crm.routes.ts
index 8445ca9..4743f9b 100644
--- a/src/modules/crm/crm.routes.ts
+++ b/src/modules/crm/crm.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { crmController } from './crm.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
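Review bot: `POST /discount-rules/:id/reset-usage` keeps its admin-only role list but is mapped to `price_lists:update`, the same permission this hunk gives the manager-accessible `PUT /discount-rules/:id`, so the permission cannot distinguish resetting a rule's usage counter from editing the rule. Resetting usage presumably re-arms a capped discount (the controller is not shown), which is why it was admin-only; keep that boundary with a dedicated permission or document the reliance on the role list, e.g. `// reset-usage: role list is the effective gate; permission is shared with update`.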
@@ -13,27 +14,27 @@ router.get('/leads', (req, res, next) => crmController.getLeads(req, res, next)) router.get('/leads/:id', (req, res, next) => crmController.getLead(req, res, next)); -router.post('/leads', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/leads', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'leads:create' }), (req, res, next) => crmController.createLead(req, res, next) ); -router.put('/leads/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.put('/leads/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'leads:update' }), (req, res, next) => crmController.updateLead(req, res, next) ); -router.post('/leads/:id/move', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/leads/:id/move', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'leads:update' }), (req, res, next) => crmController.moveLeadStage(req, res, next) ); -router.post('/leads/:id/convert', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/leads/:id/convert', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'leads:convert' }), (req, res, next) => crmController.convertLead(req, res, next) ); -router.post('/leads/:id/lost', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/leads/:id/lost', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'leads:update' }), (req, res, next) => crmController.markLeadLost(req, res, next) ); -router.delete('/leads/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/leads/:id', requireAccess({ roles: ['admin'], permission: 'leads:delete' }), (req, res, next) => crmController.deleteLead(req, res, next) ); 
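Review bot: The `GET /leads/:id` context line in this hunk (and `GET /leads` just above it) stays gated by authenticate alone while every write now names a `leads:*` permission, so the permission model for leads is write-only and any authenticated user can read the pipeline; financial.routes.ts in this same commit gates its reads with `accounts:read` and `journal_entries:read`. If the catalogue has a read permission for leads, apply it to the two GET routes for consistency; if reads are meant to be open to all authenticated users, say so where the next migration will see it, e.g. `// lead reads are intentionally open to any authenticated user`.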
@@ -43,31 +44,31 @@ router.get('/opportunities', (req, res, next) => crmController.getOpportunities( router.get('/opportunities/:id', (req, res, next) => crmController.getOpportunity(req, res, next)); -router.post('/opportunities', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/opportunities', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'opportunities:create' }), (req, res, next) => crmController.createOpportunity(req, res, next) ); -router.put('/opportunities/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.put('/opportunities/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'opportunities:update' }), (req, res, next) => crmController.updateOpportunity(req, res, next) ); -router.post('/opportunities/:id/move', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/opportunities/:id/move', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'opportunities:update' }), (req, res, next) => crmController.moveOpportunityStage(req, res, next) ); -router.post('/opportunities/:id/won', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/opportunities/:id/won', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'opportunities:close' }), (req, res, next) => crmController.markOpportunityWon(req, res, next) ); -router.post('/opportunities/:id/lost', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/opportunities/:id/lost', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'opportunities:close' }), (req, res, next) => crmController.markOpportunityLost(req, res, next) ); -router.post('/opportunities/:id/quote', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/opportunities/:id/quote', requireAccess({ roles: ['admin', 'manager', 'sales'], 
permission: 'quotations:create' }), (req, res, next) => crmController.createOpportunityQuotation(req, res, next) ); -router.delete('/opportunities/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/opportunities/:id', requireAccess({ roles: ['admin'], permission: 'opportunities:delete' }), (req, res, next) => crmController.deleteOpportunity(req, res, next) ); @@ -79,15 +80,15 @@ router.get('/pipeline', (req, res, next) => crmController.getPipeline(req, res, router.get('/lead-stages', (req, res, next) => crmController.getLeadStages(req, res, next)); -router.post('/lead-stages', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/lead-stages', requireAccess({ roles: ['admin'], permission: 'leads:create' }), (req, res, next) => crmController.createLeadStage(req, res, next) ); -router.put('/lead-stages/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/lead-stages/:id', requireAccess({ roles: ['admin'], permission: 'leads:update' }), (req, res, next) => crmController.updateLeadStage(req, res, next) ); -router.delete('/lead-stages/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/lead-stages/:id', requireAccess({ roles: ['admin'], permission: 'leads:delete' }), (req, res, next) => crmController.deleteLeadStage(req, res, next) ); 
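Review bot: The lead-stage routes keep an admin-only role list but are mapped to `leads:create`/`leads:update`/`leads:delete`, the same permissions the leads hunk above grants to the sales role for everyday lead work, so a sales user holding `leads:create` would satisfy `POST /lead-stages` if requireAccess() honours the permission without the role. Pipeline stage configuration is a different privilege from creating leads; it needs its own permission in the `<resource>:<action>` form the file already uses, or a comment recording that the role list is the effective gate, e.g. `// stage config: admin-only by role; leads:* is a placeholder permission`.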
@@ -95,15 +96,15 @@ router.delete('/lead-stages/:id', requireRoles('admin', 'super_admin'), (req, re router.get('/opportunity-stages', (req, res, next) => crmController.getOpportunityStages(req, res, next)); -router.post('/opportunity-stages', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/opportunity-stages', requireAccess({ roles: ['admin'], permission: 'opportunities:create' }), (req, res, next) => crmController.createOpportunityStage(req, res, next) ); -router.put('/opportunity-stages/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/opportunity-stages/:id', requireAccess({ roles: ['admin'], permission: 'opportunities:update' }), (req, res, next) => crmController.updateOpportunityStage(req, res, next) ); -router.delete('/opportunity-stages/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/opportunity-stages/:id', requireAccess({ roles: ['admin'], permission: 'opportunities:delete' }), (req, res, next) => crmController.deleteOpportunityStage(req, res, next) ); 
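Review bot: The opportunity-stage routes stay admin-only by role but borrow `opportunities:create`/`update`/`delete`, the permissions the opportunities hunk grants to sales users for ordinary deal work, so stage configuration and deal editing become indistinguishable at the permission layer. If requireAccess() accepts the permission without the role, a sales user with `opportunities:create` could add or remove pipeline stages. Give stage configuration its own permission, or mark the role list as the effective gate, e.g. `// stage config is admin-only by role; permission is shared with opportunities`.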
@@ -111,15 +112,15 @@ router.delete('/opportunity-stages/:id', requireRoles('admin', 'super_admin'), (
 router.get('/lost-reasons', (req, res, next) => crmController.getLostReasons(req, res, next));
-router.post('/lost-reasons', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/lost-reasons', requireAccess({ roles: ['admin'], permission: 'leads:create' }), (req, res, next) =>
 crmController.createLostReason(req, res, next)
 );
-router.put('/lost-reasons/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/lost-reasons/:id', requireAccess({ roles: ['admin'], permission: 'leads:update' }), (req, res, next) =>
 crmController.updateLostReason(req, res, next)
 );
-router.delete('/lost-reasons/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/lost-reasons/:id', requireAccess({ roles: ['admin'], permission: 'leads:delete' }), (req, res, next) =>
 crmController.deleteLostReason(req, res, next)
 );
diff --git a/src/modules/financial/financial.routes.ts b/src/modules/financial/financial.routes.ts
index 8a18e65..47cdfb4 100644
--- a/src/modules/financial/financial.routes.ts
+++ b/src/modules/financial/financial.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { financialController } from './financial.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
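Review bot: The lost-reason routes map to `leads:create`/`leads:update`/`leads:delete`, so the admin-only boundary around this lookup table survives only in the role list; a sales user holding `leads:create`, which the leads hunk grants for lead entry, would pass `POST /lost-reasons` if requireAccess() honours the permission on its own. Configuration tables should not borrow the transactional permissions they feed; give them a permission of their own or note the reliance on the role list, e.g. `// lost-reasons: admin-only by role; leads:* is a placeholder permission`.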
@@ -11,139 +12,139 @@ router.use(authenticate); router.get('/account-types', (req, res, next) => financialController.getAccountTypes(req, res, next)); // ========== ACCOUNTS ========== -router.get('/accounts', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/accounts', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'accounts:read' }), (req, res, next) => financialController.getAccounts(req, res, next) ); -router.get('/accounts/:id', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/accounts/:id', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'accounts:read' }), (req, res, next) => financialController.getAccount(req, res, next) ); -router.get('/accounts/:id/balance', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/accounts/:id/balance', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'accounts:read' }), (req, res, next) => financialController.getAccountBalance(req, res, next) ); -router.post('/accounts', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/accounts', requireAccess({ roles: ['admin', 'accountant'], permission: 'accounts:create' }), (req, res, next) => financialController.createAccount(req, res, next) ); -router.put('/accounts/:id', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.put('/accounts/:id', requireAccess({ roles: ['admin', 'accountant'], permission: 'accounts:update' }), (req, res, next) => financialController.updateAccount(req, res, next) ); -router.delete('/accounts/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/accounts/:id', requireAccess({ roles: ['admin'], permission: 'accounts:delete' }), (req, res, next) => financialController.deleteAccount(req, res, next) ); // ========== JOURNALS ========== -router.get('/journals', 
requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/journals', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'journal_entries:read' }), (req, res, next) => financialController.getJournals(req, res, next) ); -router.get('/journals/:id', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/journals/:id', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'journal_entries:read' }), (req, res, next) => financialController.getJournal(req, res, next) ); -router.post('/journals', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/journals', requireAccess({ roles: ['admin'], permission: 'journal_entries:create' }), (req, res, next) => financialController.createJournal(req, res, next) ); -router.put('/journals/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/journals/:id', requireAccess({ roles: ['admin'], permission: 'journal_entries:update' }), (req, res, next) => financialController.updateJournal(req, res, next) ); -router.delete('/journals/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/journals/:id', requireAccess({ roles: ['admin'], permission: 'journal_entries:delete' }), (req, res, next) => financialController.deleteJournal(req, res, next) ); // ========== JOURNAL ENTRIES ========== -router.get('/entries', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/entries', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'journal_entries:read' }), (req, res, next) => financialController.getJournalEntries(req, res, next) ); -router.get('/entries/:id', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/entries/:id', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'journal_entries:read' }), (req, res, next) => 
financialController.getJournalEntry(req, res, next) ); -router.post('/entries', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/entries', requireAccess({ roles: ['admin', 'accountant'], permission: 'journal_entries:create' }), (req, res, next) => financialController.createJournalEntry(req, res, next) ); -router.put('/entries/:id', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.put('/entries/:id', requireAccess({ roles: ['admin', 'accountant'], permission: 'journal_entries:update' }), (req, res, next) => financialController.updateJournalEntry(req, res, next) ); -router.post('/entries/:id/post', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/entries/:id/post', requireAccess({ roles: ['admin', 'accountant'], permission: 'journal_entries:post' }), (req, res, next) => financialController.postJournalEntry(req, res, next) ); -router.post('/entries/:id/cancel', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/entries/:id/cancel', requireAccess({ roles: ['admin'], permission: 'journal_entries:reverse' }), (req, res, next) => financialController.cancelJournalEntry(req, res, next) ); -router.delete('/entries/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/entries/:id', requireAccess({ roles: ['admin'], permission: 'journal_entries:delete' }), (req, res, next) => financialController.deleteJournalEntry(req, res, next) ); // ========== INVOICES ========== -router.get('/invoices', requireRoles('admin', 'accountant', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.get('/invoices', requireAccess({ roles: ['admin', 'accountant', 'manager', 'sales'], permission: 'invoices:read' }), (req, res, next) => financialController.getInvoices(req, res, next) ); -router.get('/invoices/:id', requireRoles('admin', 'accountant', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.get('/invoices/:id', 
requireAccess({ roles: ['admin', 'accountant', 'manager', 'sales'], permission: 'invoices:read' }), (req, res, next) => financialController.getInvoice(req, res, next) ); -router.post('/invoices', requireRoles('admin', 'accountant', 'sales', 'super_admin'), (req, res, next) => +router.post('/invoices', requireAccess({ roles: ['admin', 'accountant', 'sales'], permission: 'invoices:create' }), (req, res, next) => financialController.createInvoice(req, res, next) ); -router.put('/invoices/:id', requireRoles('admin', 'accountant', 'sales', 'super_admin'), (req, res, next) => +router.put('/invoices/:id', requireAccess({ roles: ['admin', 'accountant', 'sales'], permission: 'invoices:update' }), (req, res, next) => financialController.updateInvoice(req, res, next) ); -router.post('/invoices/:id/validate', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/invoices/:id/validate', requireAccess({ roles: ['admin', 'accountant'], permission: 'invoices:validate' }), (req, res, next) => financialController.validateInvoice(req, res, next) ); -router.post('/invoices/:id/cancel', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/invoices/:id/cancel', requireAccess({ roles: ['admin', 'accountant'], permission: 'invoices:cancel' }), (req, res, next) => financialController.cancelInvoice(req, res, next) ); -router.delete('/invoices/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/invoices/:id', requireAccess({ roles: ['admin'], permission: 'invoices:delete' }), (req, res, next) => financialController.deleteInvoice(req, res, next) ); // Invoice lines -router.post('/invoices/:id/lines', requireRoles('admin', 'accountant', 'sales', 'super_admin'), (req, res, next) => +router.post('/invoices/:id/lines', requireAccess({ roles: ['admin', 'accountant', 'sales'], permission: 'invoices:update' }), (req, res, next) => financialController.addInvoiceLine(req, res, next) ); 
-router.put('/invoices/:id/lines/:lineId', requireRoles('admin', 'accountant', 'sales', 'super_admin'), (req, res, next) => +router.put('/invoices/:id/lines/:lineId', requireAccess({ roles: ['admin', 'accountant', 'sales'], permission: 'invoices:update' }), (req, res, next) => financialController.updateInvoiceLine(req, res, next) ); -router.delete('/invoices/:id/lines/:lineId', requireRoles('admin', 'accountant', 'sales', 'super_admin'), (req, res, next) => +router.delete('/invoices/:id/lines/:lineId', requireAccess({ roles: ['admin', 'accountant', 'sales'], permission: 'invoices:update' }), (req, res, next) => financialController.removeInvoiceLine(req, res, next) ); // ========== PAYMENTS ========== -router.get('/payments', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/payments', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'payments:read' }), (req, res, next) => financialController.getPayments(req, res, next) ); -router.get('/payments/:id', requireRoles('admin', 'accountant', 'manager', 'super_admin'), (req, res, next) => +router.get('/payments/:id', requireAccess({ roles: ['admin', 'accountant', 'manager'], permission: 'payments:read' }), (req, res, next) => financialController.getPayment(req, res, next) ); -router.post('/payments', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments', requireAccess({ roles: ['admin', 'accountant'], permission: 'payments:create' }), (req, res, next) => financialController.createPayment(req, res, next) ); -router.put('/payments/:id', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.put('/payments/:id', requireAccess({ roles: ['admin', 'accountant'], permission: 'payments:update' }), (req, res, next) => financialController.updatePayment(req, res, next) ); -router.post('/payments/:id/post', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => 
+router.post('/payments/:id/post', requireAccess({ roles: ['admin', 'accountant'], permission: 'payments:apply' }), (req, res, next) => financialController.postPayment(req, res, next) ); -router.post('/payments/:id/reconcile', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments/:id/reconcile', requireAccess({ roles: ['admin', 'accountant'], permission: 'bank_reconciliation:update' }), (req, res, next) => financialController.reconcilePayment(req, res, next) ); -router.post('/payments/:id/cancel', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments/:id/cancel', requireAccess({ roles: ['admin', 'accountant'], permission: 'payments:delete' }), (req, res, next) => financialController.cancelPayment(req, res, next) ); -router.delete('/payments/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/payments/:id', requireAccess({ roles: ['admin'], permission: 'payments:delete' }), (req, res, next) => financialController.deletePayment(req, res, next) ); // ========== TAXES ========== -router.get('/taxes', requireRoles('admin', 'accountant', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.get('/taxes', requireAccess({ roles: ['admin', 'accountant', 'manager', 'sales'], permission: 'accounts:read' }), (req, res, next) => financialController.getTaxes(req, res, next) ); -router.get('/taxes/:id', requireRoles('admin', 'accountant', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.get('/taxes/:id', requireAccess({ roles: ['admin', 'accountant', 'manager', 'sales'], permission: 'accounts:read' }), (req, res, next) => financialController.getTax(req, res, next) ); -router.post('/taxes', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) => +router.post('/taxes', requireAccess({ roles: ['admin', 'accountant'], permission: 'accounts:create' }), (req, res, next) => financialController.createTax(req, res, next) ); 
-router.put('/taxes/:id', requireRoles('admin', 'accountant', 'super_admin'), (req, res, next) =>
+router.put('/taxes/:id', requireAccess({ roles: ['admin', 'accountant'], permission: 'accounts:update' }), (req, res, next) =>
 financialController.updateTax(req, res, next)
 );
-router.delete('/taxes/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/taxes/:id', requireAccess({ roles: ['admin'], permission: 'accounts:delete' }), (req, res, next) =>
 financialController.deleteTax(req, res, next)
 );
diff --git a/src/modules/hr/hr.routes.ts b/src/modules/hr/hr.routes.ts
index 68a78ed..ae091ad 100644
--- a/src/modules/hr/hr.routes.ts
+++ b/src/modules/hr/hr.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { hrController } from './hr.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
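Review bot: The `/taxes` routes are mapped to the `accounts:*` permissions and `GET /taxes` extends `accounts:read` to the sales role, so granting sales the permission it needs to read tax codes would also satisfy `GET /accounts`, `GET /accounts/:id` and `GET /accounts/:id/balance` earlier in this hunk, whose role lists exclude sales; if requireAccess() accepts the permission alone, that exposes the chart of accounts and balances to sales users. The same borrowing appears with `POST /journals` (admin-only) sharing `journal_entries:create` with the accountant-accessible `POST /entries`, and `POST /payments/:id/cancel` sharing `payments:delete` with the admin-only `DELETE /payments/:id`. Tax codes, journal definitions and payment cancellation should each carry their own permission; at minimum mark the borrowed ones, e.g. `// TODO(rbac): taxes reuse accounts:* — split before role checks are removed`.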
@@ -15,23 +16,23 @@ router.get('/employees/:id', (req, res, next) => hrController.getEmployee(req, r router.get('/employees/:id/subordinates', (req, res, next) => hrController.getSubordinates(req, res, next)); -router.post('/employees', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/employees', requireAccess({ roles: ['admin', 'manager'], permission: 'employees:create' }), (req, res, next) => hrController.createEmployee(req, res, next) ); -router.put('/employees/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/employees/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'employees:update' }), (req, res, next) => hrController.updateEmployee(req, res, next) ); -router.post('/employees/:id/terminate', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/employees/:id/terminate', requireAccess({ roles: ['admin'], permission: 'employees:delete' }), (req, res, next) => hrController.terminateEmployee(req, res, next) ); -router.post('/employees/:id/reactivate', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/employees/:id/reactivate', requireAccess({ roles: ['admin'], permission: 'employees:update' }), (req, res, next) => hrController.reactivateEmployee(req, res, next) ); -router.delete('/employees/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/employees/:id', requireAccess({ roles: ['admin'], permission: 'employees:delete' }), (req, res, next) => hrController.deleteEmployee(req, res, next) ); 
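Review bot: `/employees/:id/reactivate` keeps an admin-only roles list but is guarded by the same `'employees:update'` permission as `PUT /employees/:id`, which managers also reach by role; if requireAccess grants on either the role or the permission (the "hybrid" reading), a grant of `employees:update` reaches the admin-only route and the narrower roles array has no effect. The same pairing recurs in the contracts hunk (`activate`/`terminate`/`cancel` all on `'contracts:update'`), leave-types versus `/leaves/:id/submit` on `'leaves:create'`, `/locations` versus `PUT /warehouses/:id` on `'warehouses:update'`, `DELETE /lots/:id` on `'inventory:update'`, `DELETE /adjustments/:id` on `'inventory:adjust'`, and across files for `'payments:delete'`. Either give the admin-only transitions a permission of their own or record the intended precedence once per file at the first requireAccess use, e.g. `// NOTE(rbac): if a permission grant bypasses the roles list, admin-only routes need a distinct permission`. Separately, `'super_admin'` is dropped from every roles array in this patch; whether requireAccess grants it implicitly is not visible here and deserves a test, because otherwise super_admin loses every mutating route at once.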
@@ -41,15 +42,15 @@ router.get('/departments', (req, res, next) => hrController.getDepartments(req, router.get('/departments/:id', (req, res, next) => hrController.getDepartment(req, res, next)); -router.post('/departments', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/departments', requireAccess({ roles: ['admin'], permission: 'departments:create' }), (req, res, next) => hrController.createDepartment(req, res, next) ); -router.put('/departments/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/departments/:id', requireAccess({ roles: ['admin'], permission: 'departments:update' }), (req, res, next) => hrController.updateDepartment(req, res, next) ); -router.delete('/departments/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/departments/:id', requireAccess({ roles: ['admin'], permission: 'departments:delete' }), (req, res, next) => hrController.deleteDepartment(req, res, next) ); @@ -57,15 +58,15 @@ router.delete('/departments/:id', requireRoles('admin', 'super_admin'), (req, re router.get('/positions', (req, res, next) => hrController.getJobPositions(req, res, next)); -router.post('/positions', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/positions', requireAccess({ roles: ['admin'], permission: 'positions:create' }), (req, res, next) => hrController.createJobPosition(req, res, next) ); -router.put('/positions/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/positions/:id', requireAccess({ roles: ['admin'], permission: 'positions:update' }), (req, res, next) => hrController.updateJobPosition(req, res, next) ); -router.delete('/positions/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/positions/:id', requireAccess({ roles: ['admin'], permission: 'positions:delete' }), (req, res, next) => hrController.deleteJobPosition(req, res, next) ); 
@@ -75,27 +76,27 @@ router.get('/contracts', (req, res, next) => hrController.getContracts(req, res, router.get('/contracts/:id', (req, res, next) => hrController.getContract(req, res, next)); -router.post('/contracts', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/contracts', requireAccess({ roles: ['admin', 'manager'], permission: 'contracts:create' }), (req, res, next) => hrController.createContract(req, res, next) ); -router.put('/contracts/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/contracts/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'contracts:update' }), (req, res, next) => hrController.updateContract(req, res, next) ); -router.post('/contracts/:id/activate', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/contracts/:id/activate', requireAccess({ roles: ['admin'], permission: 'contracts:update' }), (req, res, next) => hrController.activateContract(req, res, next) ); -router.post('/contracts/:id/terminate', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/contracts/:id/terminate', requireAccess({ roles: ['admin'], permission: 'contracts:update' }), (req, res, next) => hrController.terminateContract(req, res, next) ); -router.post('/contracts/:id/cancel', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/contracts/:id/cancel', requireAccess({ roles: ['admin'], permission: 'contracts:update' }), (req, res, next) => hrController.cancelContract(req, res, next) ); -router.delete('/contracts/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/contracts/:id', requireAccess({ roles: ['admin'], permission: 'contracts:delete' }), (req, res, next) => hrController.deleteContract(req, res, next) ); 
@@ -103,15 +104,15 @@ router.delete('/contracts/:id', requireRoles('admin', 'super_admin'), (req, res, router.get('/leave-types', (req, res, next) => hrController.getLeaveTypes(req, res, next)); -router.post('/leave-types', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/leave-types', requireAccess({ roles: ['admin'], permission: 'leaves:create' }), (req, res, next) => hrController.createLeaveType(req, res, next) ); -router.put('/leave-types/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/leave-types/:id', requireAccess({ roles: ['admin'], permission: 'leaves:update' }), (req, res, next) => hrController.updateLeaveType(req, res, next) ); -router.delete('/leave-types/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/leave-types/:id', requireAccess({ roles: ['admin'], permission: 'leaves:delete' }), (req, res, next) => hrController.deleteLeaveType(req, res, next) ); 
@@ -121,31 +122,31 @@ router.get('/leaves', (req, res, next) => hrController.getLeaves(req, res, next) router.get('/leaves/:id', (req, res, next) => hrController.getLeave(req, res, next)); -router.post('/leaves', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/leaves', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:create' }), (req, res, next) => hrController.createLeave(req, res, next) ); -router.put('/leaves/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/leaves/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:update' }), (req, res, next) => hrController.updateLeave(req, res, next) ); -router.post('/leaves/:id/submit', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/leaves/:id/submit', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:create' }), (req, res, next) => hrController.submitLeave(req, res, next) ); -router.post('/leaves/:id/approve', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/leaves/:id/approve', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:approve' }), (req, res, next) => hrController.approveLeave(req, res, next) ); -router.post('/leaves/:id/reject', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/leaves/:id/reject', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:approve' }), (req, res, next) => hrController.rejectLeave(req, res, next) ); -router.post('/leaves/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/leaves/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'leaves:update' }), (req, res, next) => hrController.cancelLeave(req, res, next) ); -router.delete('/leaves/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/leaves/:id', requireAccess({ roles: ['admin'], permission: 
'leaves:delete' }), (req, res, next) => hrController.deleteLeave(req, res, next) ); diff --git a/src/modules/inventory/inventory.routes.ts b/src/modules/inventory/inventory.routes.ts index 6f45bf6..1ee8474 100644 --- a/src/modules/inventory/inventory.routes.ts +++ b/src/modules/inventory/inventory.routes.ts @@ -1,7 +1,8 @@ import { Router } from 'express'; import { inventoryController } from './inventory.controller.js'; import { valuationController } from './valuation.controller.js'; -import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js'; +import { authenticate } from '../../shared/middleware/auth.middleware.js'; +import { requireAccess } from '../../shared/middleware/rbac.middleware.js'; const router = Router(); @@ -15,15 +16,15 @@ router.get('/products/:id', (req, res, next) => inventoryController.getProduct(r router.get('/products/:id/stock', (req, res, next) => inventoryController.getProductStock(req, res, next)); -router.post('/products', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/products', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'products:create' }), (req, res, next) => inventoryController.createProduct(req, res, next) ); -router.put('/products/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.put('/products/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'products:update' }), (req, res, next) => inventoryController.updateProduct(req, res, next) ); -router.delete('/products/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/products/:id', requireAccess({ roles: ['admin'], permission: 'products:delete' }), (req, res, next) => inventoryController.deleteProduct(req, res, next) ); 
@@ -36,15 +37,15 @@ router.get('/warehouses/:id/locations', (req, res, next) => inventoryController. router.get('/warehouses/:id/stock', (req, res, next) => inventoryController.getWarehouseStock(req, res, next)); -router.post('/warehouses', requireRoles('admin', 'super_admin'), (req, res, next) => +router.post('/warehouses', requireAccess({ roles: ['admin'], permission: 'warehouses:create' }), (req, res, next) => inventoryController.createWarehouse(req, res, next) ); -router.put('/warehouses/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.put('/warehouses/:id', requireAccess({ roles: ['admin'], permission: 'warehouses:update' }), (req, res, next) => inventoryController.updateWarehouse(req, res, next) ); -router.delete('/warehouses/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/warehouses/:id', requireAccess({ roles: ['admin'], permission: 'warehouses:delete' }), (req, res, next) => inventoryController.deleteWarehouse(req, res, next) ); @@ -55,11 +56,11 @@ router.get('/locations/:id', (req, res, next) => inventoryController.getLocation router.get('/locations/:id/stock', (req, res, next) => inventoryController.getLocationStock(req, res, next)); -router.post('/locations', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/locations', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'warehouses:update' }), (req, res, next) => inventoryController.createLocation(req, res, next) ); -router.put('/locations/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.put('/locations/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'warehouses:update' }), (req, res, next) => inventoryController.updateLocation(req, res, next) ); 
@@ -68,23 +69,23 @@ router.get('/pickings', (req, res, next) => inventoryController.getPickings(req, router.get('/pickings/:id', (req, res, next) => inventoryController.getPicking(req, res, next)); -router.post('/pickings', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/pickings', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'stock_moves:create' }), (req, res, next) => inventoryController.createPicking(req, res, next) ); -router.post('/pickings/:id/confirm', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/pickings/:id/confirm', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'stock_moves:validate' }), (req, res, next) => inventoryController.confirmPicking(req, res, next) ); -router.post('/pickings/:id/validate', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/pickings/:id/validate', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'stock_moves:validate' }), (req, res, next) => inventoryController.validatePicking(req, res, next) ); -router.post('/pickings/:id/cancel', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/pickings/:id/cancel', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'stock_moves:cancel' }), (req, res, next) => inventoryController.cancelPicking(req, res, next) ); -router.delete('/pickings/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/pickings/:id', requireAccess({ roles: ['admin'], permission: 'stock_moves:delete' }), (req, res, next) => inventoryController.deletePicking(req, res, next) ); 
@@ -95,15 +96,15 @@ router.get('/lots/:id', (req, res, next) => inventoryController.getLot(req, res, router.get('/lots/:id/movements', (req, res, next) => inventoryController.getLotMovements(req, res, next)); -router.post('/lots', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/lots', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:update' }), (req, res, next) => inventoryController.createLot(req, res, next) ); -router.put('/lots/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.put('/lots/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:update' }), (req, res, next) => inventoryController.updateLot(req, res, next) ); -router.delete('/lots/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/lots/:id', requireAccess({ roles: ['admin'], permission: 'inventory:update' }), (req, res, next) => inventoryController.deleteLot(req, res, next) ); 
@@ -112,41 +113,41 @@ router.get('/adjustments', (req, res, next) => inventoryController.getAdjustment router.get('/adjustments/:id', (req, res, next) => inventoryController.getAdjustment(req, res, next)); -router.post('/adjustments', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/adjustments', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.createAdjustment(req, res, next) ); -router.put('/adjustments/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.put('/adjustments/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.updateAdjustment(req, res, next) ); // Adjustment lines -router.post('/adjustments/:id/lines', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.post('/adjustments/:id/lines', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.addAdjustmentLine(req, res, next) ); -router.put('/adjustments/:id/lines/:lineId', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.put('/adjustments/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.updateAdjustmentLine(req, res, next) ); -router.delete('/adjustments/:id/lines/:lineId', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) => +router.delete('/adjustments/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.removeAdjustmentLine(req, res, next) ); // Adjustment workflow -router.post('/adjustments/:id/confirm', requireRoles('admin', 'manager', 'warehouse', 
'super_admin'), (req, res, next) => +router.post('/adjustments/:id/confirm', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.confirmAdjustment(req, res, next) ); -router.post('/adjustments/:id/validate', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/adjustments/:id/validate', requireAccess({ roles: ['admin', 'manager'], permission: 'stock_count:validate' }), (req, res, next) => inventoryController.validateAdjustment(req, res, next) ); -router.post('/adjustments/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/adjustments/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.cancelAdjustment(req, res, next) ); -router.delete('/adjustments/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/adjustments/:id', requireAccess({ roles: ['admin'], permission: 'inventory:adjust' }), (req, res, next) => inventoryController.deleteAdjustment(req, res, next) ); @@ -163,11 +164,11 @@ router.get('/valuation/products/:productId/layers', (req, res, next) => valuationController.getProductLayers(req, res, next) ); -router.post('/valuation/layers', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/valuation/layers', requireAccess({ roles: ['admin', 'manager'], permission: 'inventory:update' }), (req, res, next) => valuationController.createLayer(req, res, next) ); -router.post('/valuation/consume', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/valuation/consume', requireAccess({ roles: ['admin', 'manager'], permission: 'inventory:update' }), (req, res, next) => valuationController.consumeFifo(req, res, next) ); diff --git a/src/modules/invoices/invoices.routes.ts b/src/modules/invoices/invoices.routes.ts index a597a35..12d6260 100644 
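Review bot: `'stock_count:validate'` on `/adjustments/:id/validate` is the only permission in this hunk outside the `inventory:*` family, and every permission in the patch is an untyped string literal, so a misspelled or unseeded identifier compiles cleanly and only shows up when the permission path never matches at runtime. Whether `stock_count:validate` exists in the seeded permission catalogue cannot be confirmed from this page; please check it. Exporting a string-literal union of the known permission names from rbac.middleware and typing the `permission` field of the requireAccess options with it (a `Permission` type, name constructed here) would turn this class of mistake into a compile error for all eighteen route files.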
--- a/src/modules/invoices/invoices.routes.ts +++ b/src/modules/invoices/invoices.routes.ts @@ -1,6 +1,7 @@ import { Router } from 'express'; import { invoicesController } from './invoices.controller.js'; -import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js'; +import { authenticate } from '../../shared/middleware/auth.middleware.js'; +import { requireAccess } from '../../shared/middleware/rbac.middleware.js'; const router = Router(); @@ -15,17 +16,17 @@ router.get('/payments', (req, res, next) => invoicesController.findAllPayments(r router.get('/payments/:id', (req, res, next) => invoicesController.findPaymentById(req, res, next)); // Create payment -router.post('/payments', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'payments:create' }), (req, res, next) => invoicesController.createPayment(req, res, next) ); // Confirm payment -router.post('/payments/:id/confirm', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments/:id/confirm', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'payments:apply' }), (req, res, next) => invoicesController.confirmPayment(req, res, next) ); // Cancel payment -router.post('/payments/:id/cancel', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/payments/:id/cancel', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'payments:delete' }), (req, res, next) => invoicesController.cancelPayment(req, res, next) ); 
@@ -37,27 +38,27 @@ router.get('/', (req, res, next) => invoicesController.findAll(req, res, next)); router.get('/:id', (req, res, next) => invoicesController.findById(req, res, next)); // Create invoice -router.post('/', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'invoices:create' }), (req, res, next) => invoicesController.create(req, res, next) ); // Update invoice -router.patch('/:id', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.patch('/:id', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'invoices:update' }), (req, res, next) => invoicesController.update(req, res, next) ); // Delete invoice -router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'invoices:delete' }), (req, res, next) => invoicesController.delete(req, res, next) ); // Validate invoice (change status to validated) -router.post('/:id/validate', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/:id/validate', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'invoices:validate' }), (req, res, next) => invoicesController.validate(req, res, next) ); // Cancel invoice -router.post('/:id/cancel', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) => +router.post('/:id/cancel', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'invoices:cancel' }), (req, res, next) => invoicesController.cancel(req, res, next) ); diff --git a/src/modules/partners/partners.routes.ts b/src/modules/partners/partners.routes.ts index d4c65f7..5293d6f 100644 --- a/src/modules/partners/partners.routes.ts +++ b/src/modules/partners/partners.routes.ts 
@@ -1,7 +1,8 @@ import { Router } from 'express'; import { partnersController } from './partners.controller.js'; import { rankingController } from './ranking.controller.js'; -import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js'; +import { authenticate } from '../../shared/middleware/auth.middleware.js'; +import { requireAccess } from '../../shared/middleware/rbac.middleware.js'; const router = Router(); 
@@ -13,44 +14,44 @@ router.use(authenticate); // ============================================================================ // Calculate rankings (admin, manager) -router.post('/rankings/calculate', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/rankings/calculate', requireAccess({ roles: ['admin', 'manager'], permission: 'partners:update' }), (req, res, next) => rankingController.calculateRankings(req, res, next) ); // Get all rankings -router.get('/rankings', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'partners:read' }), (req, res, next) => rankingController.findRankings(req, res, next) ); // Top partners -router.get('/rankings/top/customers', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/top/customers', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'customers:read' }), (req, res, next) => rankingController.getTopCustomers(req, res, next) ); -router.get('/rankings/top/suppliers', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/top/suppliers', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'suppliers:read' }), (req, res, next) => rankingController.getTopSuppliers(req, res, next) ); // ABC distribution -router.get('/rankings/abc/customers', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/abc/customers', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'customers:read' }), (req, res, next) => rankingController.getCustomerABCDistribution(req, res, next) ); -router.get('/rankings/abc/suppliers', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) 
=> +router.get('/rankings/abc/suppliers', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'suppliers:read' }), (req, res, next) => rankingController.getSupplierABCDistribution(req, res, next) ); // Partners by ABC -router.get('/rankings/abc/customers/:abc', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/abc/customers/:abc', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'customers:read' }), (req, res, next) => rankingController.getCustomersByABC(req, res, next) ); -router.get('/rankings/abc/suppliers/:abc', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/abc/suppliers/:abc', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'suppliers:read' }), (req, res, next) => rankingController.getSuppliersByABC(req, res, next) ); // Partner-specific ranking -router.get('/rankings/partner/:partnerId', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/partner/:partnerId', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'partners:read' }), (req, res, next) => rankingController.findPartnerRanking(req, res, next) ); -router.get('/rankings/partner/:partnerId/history', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/rankings/partner/:partnerId/history', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'partners:read' }), (req, res, next) => rankingController.getPartnerHistory(req, res, next) ); 
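Review bot: The inline comment `// Calculate rankings (admin, manager)` still documents access purely in terms of roles, but the guard on the next line now also names a permission, so the comment understates who can reach the route. Restating both halves keeps the route file self-describing, e.g. `// Calculate rankings (roles: admin, manager; permission: partners:update)`. The same applies to `// List all partners (admin, manager, sales, accountant)`, `// Create partner (admin, manager, sales)` and `// Delete partner (admin only)` in the following hunk.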
@@ -63,27 +64,27 @@ router.get('/customers', (req, res, next) => partnersController.findCustomers(re router.get('/suppliers', (req, res, next) => partnersController.findSuppliers(req, res, next)); // List all partners (admin, manager, sales, accountant) -router.get('/', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'partners:read' }), (req, res, next) => partnersController.findAll(req, res, next) ); // Get partner by ID -router.get('/:id', requireRoles('admin', 'manager', 'sales', 'accountant', 'super_admin'), (req, res, next) => +router.get('/:id', requireAccess({ roles: ['admin', 'manager', 'sales', 'accountant'], permission: 'partners:read' }), (req, res, next) => partnersController.findById(req, res, next) ); // Create partner (admin, manager, sales) -router.post('/', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.post('/', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'partners:create' }), (req, res, next) => partnersController.create(req, res, next) ); // Update partner (admin, manager, sales) -router.put('/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) => +router.put('/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'partners:update' }), (req, res, next) => partnersController.update(req, res, next) ); // Delete partner (admin only) -router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'partners:delete' }), (req, res, next) => partnersController.delete(req, res, next) ); diff --git a/src/modules/products/products.routes.ts b/src/modules/products/products.routes.ts index d0c1629..7c9c075 100644 --- a/src/modules/products/products.routes.ts +++ b/src/modules/products/products.routes.ts 
@@ -1,6 +1,7 @@ import { Router } from 'express'; import { productsController } from './products.controller.js'; -import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js'; +import { authenticate } from '../../shared/middleware/auth.middleware.js'; +import { requireAccess } from '../../shared/middleware/rbac.middleware.js'; const router = Router(); @@ -15,17 +16,17 @@ router.get('/categories', (req, res, next) => productsController.findAllCategori router.get('/categories/:id', (req, res, next) => productsController.findCategoryById(req, res, next)); // Create category -router.post('/categories', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/categories', requireAccess({ roles: ['admin', 'manager'], permission: 'categories:create' }), (req, res, next) => productsController.createCategory(req, res, next) ); // Update category -router.patch('/categories/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.patch('/categories/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'categories:update' }), (req, res, next) => productsController.updateCategory(req, res, next) ); // Delete category -router.delete('/categories/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/categories/:id', requireAccess({ roles: ['admin'], permission: 'categories:delete' }), (req, res, next) => productsController.deleteCategory(req, res, next) ); 
@@ -50,17 +51,17 @@ router.get('/', (req, res, next) => productsController.findAll(req, res, next)); router.get('/:id', (req, res, next) => productsController.findById(req, res, next)); // Create product -router.post('/', requireRoles('admin', 'manager', 'inventory', 'super_admin'), (req, res, next) => +router.post('/', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'products:create' }), (req, res, next) => productsController.create(req, res, next) ); // Update product -router.patch('/:id', requireRoles('admin', 'manager', 'inventory', 'super_admin'), (req, res, next) => +router.patch('/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'products:update' }), (req, res, next) => productsController.update(req, res, next) ); // Delete product -router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'products:delete' }), (req, res, next) => productsController.delete(req, res, next) ); diff --git a/src/modules/projects/projects.routes.ts b/src/modules/projects/projects.routes.ts index e5e9f2a..26c8325 100644 --- a/src/modules/projects/projects.routes.ts +++ b/src/modules/projects/projects.routes.ts @@ -1,6 +1,7 @@ import { Router } from 'express'; import { projectsController } from './projects.controller.js'; -import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js'; +import { authenticate } from '../../shared/middleware/auth.middleware.js'; +import { requireAccess } from '../../shared/middleware/rbac.middleware.js'; const router = Router(); 
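Review bot: The role `'inventory'` on `POST /` and `PATCH /:id` becomes `'warehouse'` in the new lines, so a user whose only role is `inventory` loses product create/update access; that is a behaviour change beyond the requireRoles-to-requireAccess swap and is not called out anywhere in the hunk. inventory.routes.ts in this same patch already uses `'warehouse'` for its product routes, so this may be deliberate normalisation of a role name, but if `inventory` is still assigned to any user the array should keep it, `roles: ['admin', 'manager', 'inventory', 'warehouse']`, until that role is migrated. A comment on the line recording the decision, e.g. `// 'inventory' role consolidated into 'warehouse' (matches inventory.routes.ts)`, would spare the next reader the archaeology.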
@@ -12,15 +13,15 @@ router.get('/', (req, res, next) => projectsController.getProjects(req, res, nex router.get('/:id', (req, res, next) => projectsController.getProject(req, res, next)); -router.post('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.post('/', requireAccess({ roles: ['admin', 'manager'], permission: 'projects:create' }), (req, res, next) => projectsController.createProject(req, res, next) ); -router.put('/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.put('/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'projects:update' }), (req, res, next) => projectsController.updateProject(req, res, next) ); -router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) => +router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'projects:delete' }), (req, res, next) => projectsController.deleteProject(req, res, next) ); @@ -50,7 +51,7 @@ router.get('/timesheets/all', (req, res, next) => projectsController.getTimeshee router.get('/timesheets/me', (req, res, next) => projectsController.getMyTimesheets(req, res, next)); -router.get('/timesheets/pending', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) => +router.get('/timesheets/pending', requireAccess({ roles: ['admin', 'manager'], permission: 'timesheets:approve' }), (req, res, next) => projectsController.getPendingApprovals(req, res, next) ); 
@@ -64,11 +65,11 @@ router.delete('/timesheets/:id', (req, res, next) => projectsController.deleteTi
 router.post('/timesheets/:id/submit', (req, res, next) => projectsController.submitTimesheet(req, res, next));
-router.post('/timesheets/:id/approve', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/timesheets/:id/approve', requireAccess({ roles: ['admin', 'manager'], permission: 'timesheets:approve' }), (req, res, next) =>
 projectsController.approveTimesheet(req, res, next)
 );
-router.post('/timesheets/:id/reject', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/timesheets/:id/reject', requireAccess({ roles: ['admin', 'manager'], permission: 'timesheets:approve' }), (req, res, next) =>
 projectsController.rejectTimesheet(req, res, next)
 );
diff --git a/src/modules/purchases/purchases.routes.ts b/src/modules/purchases/purchases.routes.ts
index 64e25df..fe6d2b1 100644
--- a/src/modules/purchases/purchases.routes.ts
+++ b/src/modules/purchases/purchases.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { purchasesController } from './purchases.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
@@ -8,82 +9,82 @@ const router = Router();
 router.use(authenticate);
 // List purchase orders
-router.get('/', requireRoles('admin', 'manager', 'warehouse', 'accountant', 'super_admin'), (req, res, next) =>
+router.get('/', requireAccess({ roles: ['admin', 'manager', 'warehouse', 'accountant'], permission: 'purchases:read' }), (req, res, next) =>
 purchasesController.findAll(req, res, next)
 );
 // Get purchase order by ID
-router.get('/:id', requireRoles('admin', 'manager', 'warehouse', 'accountant', 'super_admin'), (req, res, next) =>
+router.get('/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse', 'accountant'], permission: 'purchases:read' }), (req, res, next) =>
 purchasesController.findById(req, res, next)
 );
 // Create purchase order
-router.post('/', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchases:create' }), (req, res, next) =>
 purchasesController.create(req, res, next)
 );
 // Update purchase order
-router.put('/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.put('/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchases:update' }), (req, res, next) =>
 purchasesController.update(req, res, next)
 );
 // Confirm purchase order
-router.post('/:id/confirm', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/:id/confirm', requireAccess({ roles: ['admin', 'manager'], permission: 'purchases:approve' }), (req, res, next) =>
 purchasesController.confirm(req, res, next)
 );
 // Cancel purchase order
-router.post('/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'purchases:cancel' }), (req, res, next) =>
 purchasesController.cancel(req, res, next)
 );
 // Delete purchase order
-router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'purchases:delete' }), (req, res, next) =>
 purchasesController.delete(req, res, next)
 );
 // ========== RFQs (Request for Quotation) ==========
-router.get('/rfqs', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.get('/rfqs', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:read' }), (req, res, next) =>
 purchasesController.getRfqs(req, res, next)
 );
-router.get('/rfqs/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.get('/rfqs/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:read' }), (req, res, next) =>
 purchasesController.getRfq(req, res, next)
 );
-router.post('/rfqs', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.post('/rfqs', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:create' }), (req, res, next) =>
 purchasesController.createRfq(req, res, next)
 );
-router.put('/rfqs/:id', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.put('/rfqs/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:update' }), (req, res, next) =>
 purchasesController.updateRfq(req, res, next)
 );
-router.delete('/rfqs/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/rfqs/:id', requireAccess({ roles: ['admin'], permission: 'purchase_orders:delete' }), (req, res, next) =>
 purchasesController.deleteRfq(req, res, next)
 );
 // RFQ Lines
-router.post('/rfqs/:id/lines', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/lines', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:update' }), (req, res, next) =>
 purchasesController.addRfqLine(req, res, next)
 );
-router.put('/rfqs/:id/lines/:lineId', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.put('/rfqs/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:update' }), (req, res, next) =>
 purchasesController.updateRfqLine(req, res, next)
 );
-router.delete('/rfqs/:id/lines/:lineId', requireRoles('admin', 'manager', 'warehouse', 'super_admin'), (req, res, next) =>
+router.delete('/rfqs/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'purchase_orders:update' }), (req, res, next) =>
 purchasesController.removeRfqLine(req, res, next)
 );
 // RFQ Workflow
-router.post('/rfqs/:id/send', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/send', requireAccess({ roles: ['admin', 'manager'], permission: 'purchase_orders:approve' }), (req, res, next) =>
 purchasesController.sendRfq(req, res, next)
 );
-router.post('/rfqs/:id/responded', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/responded', requireAccess({ roles: ['admin', 'manager'], permission: 'purchase_orders:update' }), (req, res, next) =>
 purchasesController.markRfqResponded(req, res, next)
 );
-router.post('/rfqs/:id/accept', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/accept', requireAccess({ roles: ['admin', 'manager'], permission: 'purchase_orders:approve' }), (req, res, next) =>
 purchasesController.acceptRfq(req, res, next)
 );
-router.post('/rfqs/:id/reject', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/reject', requireAccess({ roles: ['admin', 'manager'], permission: 'purchase_orders:reject' }), (req, res, next) =>
 purchasesController.rejectRfq(req, res, next)
 );
-router.post('/rfqs/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/rfqs/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'purchase_orders:delete' }), (req, res, next) =>
 purchasesController.cancelRfq(req, res, next)
 );
diff --git a/src/modules/roles/permissions.routes.ts b/src/modules/roles/permissions.routes.ts
index 8e12e3b..55c87e7 100644
--- a/src/modules/roles/permissions.routes.ts
+++ b/src/modules/roles/permissions.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { permissionsController } from './permissions.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
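Review bot: The new `purchase_orders:read` guard on `GET /rfqs` never executes: `router.get('/:id', …)` is registered earlier in this same hunk, so Express dispatches `GET /rfqs` to findById with id 'rfqs' under the `purchases:read` guard instead (the other `/rfqs/...` paths are not shadowed because they have more segments). The RFQ block should be registered before the `/:id` routes, or the `/:id` handler must reject non-id values; as written the permission assigned to the RFQ list is dead code. Separately, purchase-order routes use the `purchases:*` namespace while RFQ routes use `purchase_orders:*`, and `/rfqs/:id/cancel` falls back to `purchase_orders:delete` whereas `/:id/cancel` has its own `purchases:cancel`; if the permission catalog seeds only one of these namespaces the fallback silently never matches, so the names need checking against the seed list.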
@@ -18,37 +19,37 @@ router.post('/check', (req, res, next) =>
 );
 // List all permissions (admin, manager)
-router.get('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.findAll(req, res, next)
 );
 // Get available modules (admin, manager)
-router.get('/modules', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/modules', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.getModules(req, res, next)
 );
 // Get available resources (admin, manager)
-router.get('/resources', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/resources', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.getResources(req, res, next)
 );
 // Get permissions grouped by module (admin, manager)
-router.get('/grouped', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/grouped', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.getGrouped(req, res, next)
 );
 // Get permissions by module (admin, manager)
-router.get('/by-module/:module', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/by-module/:module', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.getByModule(req, res, next)
 );
 // Get permission matrix for admin UI (admin only)
-router.get('/matrix', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/matrix', requireAccess({ roles: ['admin'], permission: 'permissions:read' }), (req, res, next) =>
 permissionsController.getMatrix(req, res, next)
 );
 // Get effective permissions for a specific user (admin only)
-router.get('/user/:userId', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/user/:userId', requireAccess({ roles: ['admin'], permission: 'users:read' }), (req, res, next) =>
 permissionsController.getUserPermissions(req, res, next)
 );
diff --git a/src/modules/roles/roles.routes.ts b/src/modules/roles/roles.routes.ts
index a04920f..a115a46 100644
--- a/src/modules/roles/roles.routes.ts
+++ b/src/modules/roles/roles.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { rolesController } from './roles.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
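Review bot: The 'admin only' restriction on `/matrix` reuses `permissions:read`, the same permission the manager-level routes above it accept, so if requireAccess() passes when either the role or the permission matches, every holder of `permissions:read` reaches the matrix and the tighter role list is cosmetic. The same union effect appears in the roles hunk (`/system` with `roles:read`) and the users hunk (`/:id/roles` with `roles:read`). `/user/:userId` instead falls back to `users:read`, which is a looser gate for data that exposes the tenant's effective authorization model than `permissions:read` would be. Admin-only routes need a permission that only admin-level roles are seeded with, or a comment stating that the role list is not the effective boundary, e.g. `// effective access = roles OR permission; roles here are not a ceiling`.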
@@ -8,49 +9,49 @@ const router = Router();
 router.use(authenticate);
 // List roles (admin, manager)
-router.get('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/', requireAccess({ roles: ['admin', 'manager'], permission: 'roles:read' }), (req, res, next) =>
 rolesController.findAll(req, res, next)
 );
 // Get system roles (admin)
-router.get('/system', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/system', requireAccess({ roles: ['admin'], permission: 'roles:read' }), (req, res, next) =>
 rolesController.getSystemRoles(req, res, next)
 );
 // Get role by ID (admin, manager)
-router.get('/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'roles:read' }), (req, res, next) =>
 rolesController.findById(req, res, next)
 );
 // Create role (admin only)
-router.post('/', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['admin'], permission: 'roles:create' }), (req, res, next) =>
 rolesController.create(req, res, next)
 );
 // Update role (admin only)
-router.put('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/:id', requireAccess({ roles: ['admin'], permission: 'roles:update' }), (req, res, next) =>
 rolesController.update(req, res, next)
 );
 // Delete role (admin only)
-router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'roles:delete' }), (req, res, next) =>
 rolesController.delete(req, res, next)
 );
 // Role permissions management
-router.get('/:id/permissions', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id/permissions', requireAccess({ roles: ['admin', 'manager'], permission: 'permissions:read' }), (req, res, next) =>
 rolesController.getPermissions(req, res, next)
 );
-router.put('/:id/permissions', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/:id/permissions', requireAccess({ roles: ['admin'], permission: 'permissions:update' }), (req, res, next) =>
 rolesController.assignPermissions(req, res, next)
 );
-router.post('/:id/permissions', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/:id/permissions', requireAccess({ roles: ['admin'], permission: 'permissions:update' }), (req, res, next) =>
 rolesController.addPermission(req, res, next)
 );
-router.delete('/:id/permissions/:permissionId', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id/permissions/:permissionId', requireAccess({ roles: ['admin'], permission: 'permissions:update' }), (req, res, next) =>
 rolesController.removePermission(req, res, next)
 );
diff --git a/src/modules/sales/sales.routes.ts b/src/modules/sales/sales.routes.ts
index 6da9632..b229e84 100644
--- a/src/modules/sales/sales.routes.ts
+++ b/src/modules/sales/sales.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { salesController } from './sales.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
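Review bot: `PUT /:id/permissions` and `POST /:id/permissions` now let any holder of `permissions:update` attach arbitrary permissions to a role, including `system:manage`, which the tenants hunk in this same commit uses as the fallback for cross-tenant listing and deletion, and nothing at the routing layer stops a caller from editing a role it holds itself. Unless rolesController.assignPermissions and addPermission already cap grants at the caller's own effective permissions and refuse system-level ones, this is a self-escalation path; that invariant belongs in the controller or service and should be stated here, e.g. `// assignPermissions/addPermission must refuse permissions the caller does not hold (enforced in service)`. The same consideration applies to `POST /:id/roles` in the users hunk. Whether the controller enforces this is not visible in the diff.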
@@ -12,19 +13,19 @@ router.get('/pricelists', (req, res, next) => salesController.getPricelists(req,
 router.get('/pricelists/:id', (req, res, next) => salesController.getPricelist(req, res, next));
-router.post('/pricelists', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/pricelists', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:create' }), (req, res, next) =>
 salesController.createPricelist(req, res, next)
 );
-router.put('/pricelists/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.put('/pricelists/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:update' }), (req, res, next) =>
 salesController.updatePricelist(req, res, next)
 );
-router.post('/pricelists/:id/items', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/pricelists/:id/items', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:update' }), (req, res, next) =>
 salesController.addPricelistItem(req, res, next)
 );
-router.delete('/pricelists/:id/items/:itemId', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.delete('/pricelists/:id/items/:itemId', requireAccess({ roles: ['admin', 'manager'], permission: 'price_lists:update' }), (req, res, next) =>
 salesController.removePricelistItem(req, res, next)
 );
@@ -33,19 +34,19 @@ router.get('/teams', (req, res, next) => salesController.getSalesTeams(req, res,
 router.get('/teams/:id', (req, res, next) => salesController.getSalesTeam(req, res, next));
-router.post('/teams', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/teams', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:create' }), (req, res, next) =>
 salesController.createSalesTeam(req, res, next)
 );
-router.put('/teams/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.put('/teams/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:update' }), (req, res, next) =>
 salesController.updateSalesTeam(req, res, next)
 );
-router.post('/teams/:id/members', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/teams/:id/members', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:update' }), (req, res, next) =>
 salesController.addSalesTeamMember(req, res, next)
 );
-router.delete('/teams/:id/members/:memberId', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.delete('/teams/:id/members/:memberId', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:update' }), (req, res, next) =>
 salesController.removeSalesTeamMember(req, res, next)
 );
@@ -54,23 +55,23 @@ router.get('/customer-groups', (req, res, next) => salesController.getCustomerGr
 router.get('/customer-groups/:id', (req, res, next) => salesController.getCustomerGroup(req, res, next));
-router.post('/customer-groups', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/customer-groups', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'customers:create' }), (req, res, next) =>
 salesController.createCustomerGroup(req, res, next)
 );
-router.put('/customer-groups/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.put('/customer-groups/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'customers:update' }), (req, res, next) =>
 salesController.updateCustomerGroup(req, res, next)
 );
-router.delete('/customer-groups/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/customer-groups/:id', requireAccess({ roles: ['admin'], permission: 'customers:delete' }), (req, res, next) =>
 salesController.deleteCustomerGroup(req, res, next)
 );
-router.post('/customer-groups/:id/members', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/customer-groups/:id/members', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'customers:update' }), (req, res, next) =>
 salesController.addCustomerGroupMember(req, res, next)
 );
-router.delete('/customer-groups/:id/members/:memberId', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.delete('/customer-groups/:id/members/:memberId', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'customers:update' }), (req, res, next) =>
 salesController.removeCustomerGroupMember(req, res, next)
 );
@@ -79,39 +80,39 @@ router.get('/quotations', (req, res, next) => salesController.getQuotations(req,
 router.get('/quotations/:id', (req, res, next) => salesController.getQuotation(req, res, next));
-router.post('/quotations', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/quotations', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:create' }), (req, res, next) =>
 salesController.createQuotation(req, res, next)
 );
-router.put('/quotations/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.put('/quotations/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:update' }), (req, res, next) =>
 salesController.updateQuotation(req, res, next)
 );
-router.delete('/quotations/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.delete('/quotations/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'quotations:delete' }), (req, res, next) =>
 salesController.deleteQuotation(req, res, next)
 );
-router.post('/quotations/:id/lines', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/quotations/:id/lines', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:update' }), (req, res, next) =>
 salesController.addQuotationLine(req, res, next)
 );
-router.put('/quotations/:id/lines/:lineId', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.put('/quotations/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:update' }), (req, res, next) =>
 salesController.updateQuotationLine(req, res, next)
 );
-router.delete('/quotations/:id/lines/:lineId', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.delete('/quotations/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:update' }), (req, res, next) =>
 salesController.removeQuotationLine(req, res, next)
 );
-router.post('/quotations/:id/send', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/quotations/:id/send', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'quotations:update' }), (req, res, next) =>
 salesController.sendQuotation(req, res, next)
 );
-router.post('/quotations/:id/confirm', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/quotations/:id/confirm', requireAccess({ roles: ['admin', 'manager'], permission: 'quotations:convert' }), (req, res, next) =>
 salesController.confirmQuotation(req, res, next)
 );
-router.post('/quotations/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/quotations/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'quotations:delete' }), (req, res, next) =>
 salesController.cancelQuotation(req, res, next)
 );
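Review bot: `/quotations/:id/cancel` is gated on `quotations:delete`, while the equivalent order route in the next hunk gets its own `sales:cancel`; conflating cancel with delete means a grant intended for one workflow action also unlocks the other, which is broader than the per-action permissions used elsewhere in this commit. If a `quotations:cancel` permission exists in the catalog it should be used here for parity with orders; if the overlap is deliberate, a one-line comment such as `// cancel intentionally shares quotations:delete` would stop the next reader from re-raising it. The `sales:*` namespace is likewise doing double duty for team membership edits (previous hunks) and order edits, so one grant covers both.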
@@ -120,39 +121,39 @@ router.get('/orders', (req, res, next) => salesController.getOrders(req, res, ne
 router.get('/orders/:id', (req, res, next) => salesController.getOrder(req, res, next));
-router.post('/orders', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/orders', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'sales:create' }), (req, res, next) =>
 salesController.createOrder(req, res, next)
 );
-router.put('/orders/:id', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.put('/orders/:id', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'sales:update' }), (req, res, next) =>
 salesController.updateOrder(req, res, next)
 );
-router.delete('/orders/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.delete('/orders/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:delete' }), (req, res, next) =>
 salesController.deleteOrder(req, res, next)
 );
-router.post('/orders/:id/lines', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.post('/orders/:id/lines', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'sales:update' }), (req, res, next) =>
 salesController.addOrderLine(req, res, next)
 );
-router.put('/orders/:id/lines/:lineId', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.put('/orders/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'sales:update' }), (req, res, next) =>
 salesController.updateOrderLine(req, res, next)
 );
-router.delete('/orders/:id/lines/:lineId', requireRoles('admin', 'manager', 'sales', 'super_admin'), (req, res, next) =>
+router.delete('/orders/:id/lines/:lineId', requireAccess({ roles: ['admin', 'manager', 'sales'], permission: 'sales:update' }), (req, res, next) =>
 salesController.removeOrderLine(req, res, next)
 );
-router.post('/orders/:id/confirm', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/orders/:id/confirm', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:approve' }), (req, res, next) =>
 salesController.confirmOrder(req, res, next)
 );
-router.post('/orders/:id/cancel', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/orders/:id/cancel', requireAccess({ roles: ['admin', 'manager'], permission: 'sales:cancel' }), (req, res, next) =>
 salesController.cancelOrder(req, res, next)
 );
-router.post('/orders/:id/invoice', requireRoles('admin', 'manager', 'accountant', 'super_admin'), (req, res, next) =>
+router.post('/orders/:id/invoice', requireAccess({ roles: ['admin', 'manager', 'accountant'], permission: 'invoices:create' }), (req, res, next) =>
 salesController.createOrderInvoice(req, res, next)
 );
diff --git a/src/modules/system/system.routes.ts b/src/modules/system/system.routes.ts
index 6cd819c..7bedc8e 100644
--- a/src/modules/system/system.routes.ts
+++ b/src/modules/system/system.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { systemController } from './system.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
@@ -20,13 +21,13 @@ router.post('/followers', (req, res, next) => systemController.addFollower(req,
 router.delete('/followers/:model/:recordId', (req, res, next) => systemController.removeFollower(req, res, next));
 // ========== NOTIFICATIONS ==========
-router.get('/notifications', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/notifications', requireAccess({ roles: ['admin'], permission: 'notifications:read' }), (req, res, next) =>
 systemController.getNotifications(req, res, next)
 );
 router.get('/notifications/me', (req, res, next) => systemController.getMyNotifications(req, res, next));
 router.get('/notifications/me/count', (req, res, next) => systemController.getUnreadCount(req, res, next));
 router.get('/notifications/:id', (req, res, next) => systemController.getNotification(req, res, next));
-router.post('/notifications', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/notifications', requireAccess({ roles: ['admin'], permission: 'notifications:create' }), (req, res, next) =>
 systemController.createNotification(req, res, next)
 );
 router.post('/notifications/:id/read', (req, res, next) => systemController.markNotificationAsRead(req, res, next));
diff --git a/src/modules/tenants/tenants.routes.ts b/src/modules/tenants/tenants.routes.ts
index c47acf0..dac9986 100644
--- a/src/modules/tenants/tenants.routes.ts
+++ b/src/modules/tenants/tenants.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { tenantsController } from './tenants.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
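Review bot: `notifications:read` now guards only the admin-wide list at `GET /notifications`; the unchanged `GET /notifications/:id` and `POST /notifications/:id/read` lines in the same hunk stay open to any authenticated user, so the new permission is only meaningful if systemController.getNotification and markNotificationAsRead scope the record to the requesting user. That check is not visible here; a comment above the `/notifications/:id` route such as `// per-record access: controller restricts to the notification's recipient` would record the assumption, and if the controller does not do it the admin-only list gate is effectively bypassable by id.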
@@ -12,57 +13,57 @@ router.get('/current', (req, res, next) =>
 tenantsController.getCurrent(req, res, next)
 );
-// List all tenants (super_admin only)
-router.get('/', requireRoles('super_admin'), (req, res, next) =>
+// List all tenants (super_admin only - no permission fallback)
+router.get('/', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.findAll(req, res, next)
 );
 // Get tenant by ID (super_admin only)
-router.get('/:id', requireRoles('super_admin'), (req, res, next) =>
+router.get('/:id', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.findById(req, res, next)
 );
 // Get tenant statistics (super_admin only)
-router.get('/:id/stats', requireRoles('super_admin'), (req, res, next) =>
+router.get('/:id/stats', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.getStats(req, res, next)
 );
 // Create tenant (super_admin only)
-router.post('/', requireRoles('super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.create(req, res, next)
 );
 // Update tenant (super_admin only)
-router.put('/:id', requireRoles('super_admin'), (req, res, next) =>
+router.put('/:id', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.update(req, res, next)
 );
 // Suspend tenant (super_admin only)
-router.post('/:id/suspend', requireRoles('super_admin'), (req, res, next) =>
+router.post('/:id/suspend', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.suspend(req, res, next)
 );
 // Activate tenant (super_admin only)
-router.post('/:id/activate', requireRoles('super_admin'), (req, res, next) =>
+router.post('/:id/activate', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.activate(req, res, next)
 );
 // Delete tenant (super_admin only)
-router.delete('/:id', requireRoles('super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['super_admin'], permission: 'system:manage' }), (req, res, next) =>
 tenantsController.delete(req, res, next)
 );
 // Tenant settings (admin and super_admin)
-router.get('/:id/settings', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/:id/settings', requireAccess({ roles: ['admin'], permission: 'tenant_settings:read' }), (req, res, next) =>
 tenantsController.getSettings(req, res, next)
 );
-router.put('/:id/settings', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/:id/settings', requireAccess({ roles: ['admin'], permission: 'tenant_settings:update' }), (req, res, next) =>
 tenantsController.updateSettings(req, res, next)
 );
 // Check user limit (admin and super_admin)
-router.get('/:id/can-add-user', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/:id/can-add-user', requireAccess({ roles: ['admin'], permission: 'users:create' }), (req, res, next) =>
 tenantsController.canAddUser(req, res, next)
 );
diff --git a/src/modules/users/users.routes.ts b/src/modules/users/users.routes.ts
index 1add501..826837f 100644
--- a/src/modules/users/users.routes.ts
+++ b/src/modules/users/users.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { usersController } from './users.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
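Review bot: The new comment on the list route says 'super_admin only - no permission fallback', but the code on the next line passes `permission: 'system:manage'`, and every one of the eight super_admin routes in this hunk does the same, so any role that is granted `system:manage` gets cross-tenant list, read, create, update, suspend, activate and delete; the comment and the code disagree, and the code is what runs. If requireAccess() has a role-only form (omitting `permission`, or whatever the middleware offers), these routes should use it; otherwise the comment must say the fallback exists and `system:manage` must be excluded from what the tenant-scoped `PUT /:id/permissions` route in the roles hunk can assign. The `/:id/settings`, `/:id/can-add-user` routes also take a tenant id from the path under a tenant-scoped `admin` role, so the controller has to compare `:id` with the caller's own tenant — the routing layer does not, and that check is not visible in the diff.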
@@ -11,49 +12,49 @@ router.use(authenticate);
 router.get('/me', (req, res, next) => usersController.getMe(req, res, next));
 // List users (admin, manager)
-router.get('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/', requireAccess({ roles: ['admin', 'manager'], permission: 'users:read' }), (req, res, next) =>
 usersController.findAll(req, res, next)
 );
 // Get user by ID
-router.get('/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.get('/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'users:read' }), (req, res, next) =>
 usersController.findById(req, res, next)
 );
 // Create user (admin only)
-router.post('/', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['admin'], permission: 'users:create' }), (req, res, next) =>
 usersController.create(req, res, next)
 );
 // Update user (admin only)
-router.put('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.put('/:id', requireAccess({ roles: ['admin'], permission: 'users:update' }), (req, res, next) =>
 usersController.update(req, res, next)
 );
 // Delete user (admin only)
-router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'users:delete' }), (req, res, next) =>
 usersController.delete(req, res, next)
 );
 // Activate/Deactivate user (admin only)
-router.post('/:id/activate', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/:id/activate', requireAccess({ roles: ['admin'], permission: 'users:activate' }), (req, res, next) =>
 usersController.activate(req, res, next)
 );
-router.post('/:id/deactivate', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/:id/deactivate', requireAccess({ roles: ['admin'], permission: 'users:deactivate' }), (req, res, next) =>
 usersController.deactivate(req, res, next)
 );
 // User roles
-router.get('/:id/roles', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.get('/:id/roles', requireAccess({ roles: ['admin'], permission: 'roles:read' }), (req, res, next) =>
 usersController.getRoles(req, res, next)
 );
-router.post('/:id/roles', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.post('/:id/roles', requireAccess({ roles: ['admin'], permission: 'roles:update' }), (req, res, next) =>
 usersController.assignRole(req, res, next)
 );
-router.delete('/:id/roles/:roleId', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id/roles/:roleId', requireAccess({ roles: ['admin'], permission: 'roles:update' }), (req, res, next) =>
 usersController.removeRole(req, res, next)
 );
diff --git a/src/modules/warehouses/warehouses.routes.ts b/src/modules/warehouses/warehouses.routes.ts
index 58a0f89..4ce0ff0 100644
--- a/src/modules/warehouses/warehouses.routes.ts
+++ b/src/modules/warehouses/warehouses.routes.ts
@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { warehousesController } from './warehouses.controller.js';
-import { authenticate, requireRoles } from '../../shared/middleware/auth.middleware.js';
+import { authenticate } from '../../shared/middleware/auth.middleware.js';
+import { requireAccess } from '../../shared/middleware/rbac.middleware.js';
 const router = Router();
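Review bot: `POST /:id/roles` and `DELETE /:id/roles/:roleId` are now reachable by any principal holding `roles:update`, not only the admin role, so role assignment becomes a privilege-escalation path unless usersController.assignRole refuses to grant roles above the caller's own (in particular `super_admin`); that check lives in the controller, outside this hunk, and should be confirmed rather than assumed. The route comments were not updated with the migration: `// List users (admin, manager)` and `// Create user (admin only)` now understate the grant set, since holders of `users:read` / `users:create` also pass. I would rewrite them in the form `// Create user (admin role, or users:create permission)` so the comment and the middleware options agree.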
@@ -15,17 +16,17 @@ router.get('/locations', (req, res, next) => warehousesController.findAllLocatio
 router.get('/locations/:id', (req, res, next) => warehousesController.findLocationById(req, res, next));
 // Create location
-router.post('/locations', requireRoles('admin', 'manager', 'inventory', 'super_admin'), (req, res, next) =>
+router.post('/locations', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'locations:create' }), (req, res, next) =>
 warehousesController.createLocation(req, res, next)
 );
 // Update location
-router.patch('/locations/:id', requireRoles('admin', 'manager', 'inventory', 'super_admin'), (req, res, next) =>
+router.patch('/locations/:id', requireAccess({ roles: ['admin', 'manager', 'warehouse'], permission: 'locations:update' }), (req, res, next) =>
 warehousesController.updateLocation(req, res, next)
 );
 // Delete location
-router.delete('/locations/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/locations/:id', requireAccess({ roles: ['admin'], permission: 'locations:delete' }), (req, res, next) =>
 warehousesController.deleteLocation(req, res, next)
 );
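Review bot: The role list on `POST /locations` and `PATCH /locations/:id` changes from `'inventory'` to `'warehouse'`, which is a behavioural change rather than the mechanical middleware swap the commit message describes: any principal that held the `inventory` role and no `locations:create` / `locations:update` permission loses access here, while `warehouse` role holders gain it. The rename should either be called out in the commit description or reverted to `'inventory'`; if `warehouse` is the intended new name, a comment such as `// 'inventory' role renamed to 'warehouse' in RBAC-002` would help the next reader. I can't tell from the hunk whether a `warehouse` role exists in the role seed data, so that is worth confirming before merge.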
@@ -50,17 +51,17 @@ router.get('/', (req, res, next) => warehousesController.findAll(req, res, next)
 router.get('/:id', (req, res, next) => warehousesController.findById(req, res, next));
 // Create warehouse
-router.post('/', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.post('/', requireAccess({ roles: ['admin', 'manager'], permission: 'warehouses:create' }), (req, res, next) =>
 warehousesController.create(req, res, next)
 );
 // Update warehouse
-router.patch('/:id', requireRoles('admin', 'manager', 'super_admin'), (req, res, next) =>
+router.patch('/:id', requireAccess({ roles: ['admin', 'manager'], permission: 'warehouses:update' }), (req, res, next) =>
 warehousesController.update(req, res, next)
 );
 // Delete warehouse
-router.delete('/:id', requireRoles('admin', 'super_admin'), (req, res, next) =>
+router.delete('/:id', requireAccess({ roles: ['admin'], permission: 'warehouses:delete' }), (req, res, next) =>
 warehousesController.delete(req, res, next)
 );