fix: access vun

Author: potts99

apps/api/src/controllers/auth.ts

@@ -704,6 +704,32 @@ export function authRoutes(fastify: FastifyInstance) {
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { id } = request.params as { id: string };
 
+      // Check if user exists
+      const userToDelete = await prisma.user.findUnique({
+        where: { id },
+      });
+
+      if (!userToDelete) {
+        return reply.code(404).send({
+          message: "User not found",
+          success: false,
+        });
+      }
+
+      // Prevent deletion of admin accounts if they're the last admin
+      if (userToDelete.isAdmin) {
+        const adminCount = await prisma.user.count({
+          where: { isAdmin: true },
+        });
+
+        if (adminCount <= 1) {
+          return reply.code(400).send({
+            message: "Cannot delete the last admin account",
+            success: false,
+          });
+        }
+      }
+
       await prisma.notes.deleteMany({ where: { userId: id } });
       await prisma.session.deleteMany({ where: { userId: id } });
       await prisma.notifications.deleteMany({ where: { userId: id } });
@@ -726,6 +752,8 @@ export function authRoutes(fastify: FastifyInstance) {
         },
       });
 
+      await checkSession(request);
+
       let user = await prisma.user.findUnique({
         where: { id: session!.userId },
       });

apps/api/src/controllers/clients.ts

@@ -1,12 +1,15 @@
 import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { track } from "../lib/hog";
+import { requirePermission } from "../lib/roles";
 import { prisma } from "../prisma";
 
 export function clientRoutes(fastify: FastifyInstance) {
   // Register a new client
   fastify.post(
     "/api/v1/client/create",
-
+    {
+      preHandler: requirePermission(["client::create"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { name, email, number, contactName }: any = request.body;
 
@@ -35,7 +38,9 @@ export function clientRoutes(fastify: FastifyInstance) {
   // Update client
   fastify.post(
     "/api/v1/client/update",
-
+    {
+      preHandler: requirePermission(["client::update"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { name, email, number, contactName, id }: any = request.body;
 
@@ -58,7 +63,9 @@ export function clientRoutes(fastify: FastifyInstance) {
   // Get all clients
   fastify.get(
     "/api/v1/clients/all",
-
+    {
+      preHandler: requirePermission(["client::read"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const clients = await prisma.client.findMany({});
 
@@ -72,7 +79,9 @@ export function clientRoutes(fastify: FastifyInstance) {
   // Delete client
   fastify.delete(
     "/api/v1/clients/:id/delete-client",
-
+    {
+      preHandler: requirePermission(["client::delete"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { id }: any = request.params;
 

apps/api/src/controllers/config.ts

@@ -10,6 +10,8 @@ const nodemailer = require("nodemailer");
 
 import { track } from "../lib/hog";
 import { createTransportProvider } from "../lib/nodemailer/transport";
+import { requirePermission } from "../lib/roles";
+import { checkSession } from "../lib/session";
 import { prisma } from "../prisma";
 
 async function tracking(event: string, properties: any) {
@@ -388,9 +390,20 @@ export function configRoutes(fastify: FastifyInstance) {
   // Toggle all roles
   fastify.patch(
     "/api/v1/config/toggle-roles",
-
+    {
+      preHandler: requirePermission(["settings::manage"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { isActive }: any = request.body;
+      const session = await checkSession(request);
+
+      // Double-check that user is admin
+      if (!session?.isAdmin) {
+        return reply.code(403).send({
+          message: "Unauthorized. Admin access required.",
+          success: false,
+        });
+      }
 
       const config = await prisma.config.findFirst();
 

apps/api/src/controllers/users.ts

@@ -2,14 +2,17 @@ import bcrypt from "bcrypt";
 import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 
 import { track } from "../lib/hog";
+import { requirePermission } from "../lib/roles";
 import { checkSession } from "../lib/session";
 import { prisma } from "../prisma";
 
 export function userRoutes(fastify: FastifyInstance) {
   // All users
   fastify.get(
     "/api/v1/users/all",
-
+    {
+      preHandler: requirePermission(["user::read"]),
+    },
     async (request: FastifyRequest, reply: FastifyReply) => {
       const users = await prisma.user.findMany({
         where: {
@@ -102,9 +105,35 @@ export function userRoutes(fastify: FastifyInstance) {
   // Mark Notification as read
   fastify.get(
     "/api/v1/user/notifcation/:id",
-
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { id }: any = request.params;
+      const session = await checkSession(request);
+      
+      if (!session) {
+        return reply.code(401).send({
+          message: "Unauthorized",
+          success: false,
+        });
+      }
+
+      // Get the notification and verify it belongs to the user
+      const notification = await prisma.notifications.findUnique({
+        where: { id: id }
+      });
+      
+      if (!notification) {
+        return reply.code(404).send({
+          message: "Notification not found",
+          success: false,
+        });
+      }
+      
+      if (notification.userId !== session.id) {
+        return reply.code(403).send({
+          message: "Access denied. You can only manage your own notifications.",
+          success: false,
+        });
+      }
 
       await prisma.notifications.update({
         where: { id: id },