11.4.8: S_VERIFIED role

kaihaase · kaihaase · commit d4461792a824 · 2025-11-13T20:08:39.000+01:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.4.7",
+  "version": "11.4.8",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
diff --git a/spectaql.yml b/spectaql.yml
@@ -11,7 +11,7 @@ servers:
 info:
   title: lT Nest Server
   description: Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).
-  version: 11.4.7
+  version: 11.4.8
   contact:
     name: lenne.Tech GmbH
     url: https://lenne.tech
diff --git a/src/core/common/decorators/restricted.decorator.ts b/src/core/common/decorators/restricted.decorator.ts
@@ -61,7 +61,7 @@ export const getRestricted = (object: unknown, propertyKey?: string): Restricted
  */
 export const checkRestricted = (
   data: any,
-  user: { hasRole: (roles: string[]) => boolean; id: any },
+  user: { hasRole: (roles: string[]) => boolean; id: any; verified?: any; verifiedAt?: any },
   options: {
     allowCreatorOfParent?: boolean;
     checkObjectItself?: boolean;
@@ -108,9 +108,9 @@ export const checkRestricted = (
   // Array
   if (Array.isArray(data)) {
     // Check array items
-    let result = data.map(item => checkRestricted(item, user, config, processedObjects));
+    let result = data.map((item) => checkRestricted(item, user, config, processedObjects));
     if (!config.throwError && config.removeUndefinedFromResultArray) {
-      result = result.filter(item => item !== undefined);
+      result = result.filter((item) => item !== undefined);
     }
     return result;
   }
@@ -134,8 +134,8 @@ export const checkRestricted = (
       if (typeof item === 'string') {
         roles.push(item);
       } else if (
-        item?.roles?.length
-        && (config.processType && item.processType ? config.processType === item.processType : true)
+        item?.roles?.length &&
+        (config.processType && item.processType ? config.processType === item.processType : true)
       ) {
         if (Array.isArray(item.roles)) {
           roles.push(...item.roles);
@@ -156,13 +156,14 @@ export const checkRestricted = (
 
       // Check access rights
       if (
-        roles.includes(RoleEnum.S_EVERYONE)
-        || user?.hasRole?.(roles)
-        || (user?.id && roles.includes(RoleEnum.S_USER))
-        || (roles.includes(RoleEnum.S_SELF) && equalIds(data, user))
-        || (roles.includes(RoleEnum.S_CREATOR)
-          && (('createdBy' in data && equalIds(data.createdBy, user))
-            || (config.allowCreatorOfParent && !('createdBy' in data) && config.isCreatorOfParent)))
+        roles.includes(RoleEnum.S_EVERYONE) ||
+        user?.hasRole?.(roles) ||
+        (user?.id && roles.includes(RoleEnum.S_USER)) ||
+        (roles.includes(RoleEnum.S_SELF) && equalIds(data, user)) ||
+        (roles.includes(RoleEnum.S_CREATOR) &&
+          (('createdBy' in data && equalIds(data.createdBy, user)) ||
+            (config.allowCreatorOfParent && !('createdBy' in data) && config.isCreatorOfParent))) ||
+        (roles.includes(RoleEnum.S_VERIFIED) && (user?.verified || user?.verifiedAt))
       ) {
         valid = true;
       }
@@ -172,11 +173,11 @@ export const checkRestricted = (
       // Get groups
       const groups = restricted.filter((item) => {
         return (
-          typeof item === 'object'
+          typeof item === 'object' &&
           // Check if object is valid
-          && item.memberOf?.length
+          item.memberOf?.length &&
           // Check if processType is specified and is valid for current process
-          && (config.processType && item.processType ? config.processType === item.processType : true)
+          (config.processType && item.processType ? config.processType === item.processType : true)
         );
       }) as { memberOf: string | string[] }[];
 
@@ -252,8 +253,8 @@ export const checkRestricted = (
     // Check rights
     if (valid) {
       // Check if data is user or user is creator of data (for nested plain objects)
-      config.isCreatorOfParent
-        = equalIds(data, user) || ('createdBy' in data ? equalIds(data.createdBy, user) : config.isCreatorOfParent);
+      config.isCreatorOfParent =
+        equalIds(data, user) || ('createdBy' in data ? equalIds(data.createdBy, user) : config.isCreatorOfParent);
 
       // Check deep
       data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
diff --git a/src/core/common/enums/role.enum.ts b/src/core/common/enums/role.enum.ts
@@ -1,3 +1,4 @@
+/* eslint-disable perfectionist/sort-enums */
 /**
  * Enums for Resolver @Role and Model @Restricted decorator and for roles property in ServiceOptions
  *
@@ -42,9 +43,12 @@ export enum RoleEnum {
   // Everyone, including users who are not logged in, can access (see context user, e.g. @CurrentUser)
   S_EVERYONE = 's_everyone',
 
-  // No one has access, not even administrators
+  // No one has access, not even administrators (regardless of which roles are still set, access will always be denied)
   S_NO_ONE = 's_no_one',
 
+  // User must be verified (see verified or verifiedAt property of user)
+  S_VERIFIED = 's_verified',
+
   // ===================================================================================================================
   // Special system roles that check rights for DB objects and can be used via @Restricted for Models
   // (classes and properties) and via ServiceOptions for Resolver methods. These roles should not be integrated in
diff --git a/src/core/common/helpers/input.helper.ts b/src/core/common/helpers/input.helper.ts
@@ -209,7 +209,7 @@ export function assignPlain(target: Record<any, any>, ...args: Record<any, any>[
  */
 export async function check(
   value: any,
-  user: { hasRole: (roles: string[]) => boolean; id: any },
+  user: { hasRole: (roles: string[]) => boolean; id: any; verified?: any; verifiedAt?: any },
   options?: {
     allowCreatorOfParent?: boolean;
     dbObject?: any;
@@ -262,7 +262,9 @@ export async function check(
           (config.allowCreatorOfParent &&
             config.dbObject &&
             !('createdBy' in config.dbObject) &&
-            config.isCreatorOfParent)))
+            config.isCreatorOfParent))) ||
+      // check if the is verified
+      (roles.includes(RoleEnum.S_VERIFIED) && (user?.verified || user?.verifiedAt))
     ) {
       valid = true;
     }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@lenne.tech/nest-server",`
`3`		`- "version": "11.4.7",`
	`3`	`+ "version": "11.4.8",`
`4`	`4`	`"description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"node",`