chore: update routes to use new RBAC rules

natalierobbins · natalierobbins · commit 081ba922a9d9 · 2025-10-28T03:59:27.000-07:00
diff --git a/server/src/routes/v2/surveys.ts b/server/src/routes/v2/surveys.ts
@@ -1,4 +1,3 @@
-import { subject } from '@casl/ability';
 import { accessibleBy } from '@casl/mongoose';
 import express, { NextFunction, Response } from 'express';
 
@@ -40,15 +39,14 @@ router.get(
 	'/',
 	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		if (!req.authorization?.can(ACTIONS.CASL.READ, SUBJECTS.SURVEY)) {
+			return res.sendStatus(403);
+		}
 		try {
 			const result = await Survey.find({
 				$and: [
 					req.query,
-					req?.authorization
-						? accessibleBy(req.authorization).ofType(
-								Survey.modelName
-							)
-						: {},
+					accessibleBy(req.authorization).ofType(Survey.modelName),
 					{ deletedAt: null }
 				]
 			});
@@ -94,22 +92,26 @@ router.get(
 	'/:objectId',
 	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
-		if (
-			!req.authorization?.can(
-				ACTIONS.CASL.READ,
-				subject(SUBJECTS.SURVEY, { _id: req.params.objectId })
-			)
-		) {
+		// Check for basic read permission (more permission checks happen within Mongo query)
+		if (!req.authorization?.can(ACTIONS.CASL.READ, SUBJECTS.SURVEY)) {
 			return res.sendStatus(403);
 		}
 		try {
 			const result = await Survey.findOne({
-				_id: req.params.objectId,
-				deletedAt: null
+				$and: [
+					{ _id: req.params.objectId },
+					accessibleBy(req.authorization).ofType(Survey.modelName), // Need to pass in dynamic filter here because access is determined by `createdAt` and `locationObjectId` inside of Survey
+					{ deletedAt: null }
+				]
 			});
 			// Survey not found
 			if (!result) {
-				return res.status(404).json({ message: 'Survey not found' });
+				return res
+					.status(404)
+					.json({
+						message:
+							'Survey not found or you do not have permission to read this survey'
+					});
 			}
 			// Successfully fetched survey
 			res.status(200).json({
@@ -154,22 +156,33 @@ router.patch(
 	'/:objectId',
 	[auth, validate(updateSurveySchema)],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
-		if (
-			!req.authorization?.can(
-				ACTIONS.CASL.UPDATE,
-				subject(SUBJECTS.SURVEY, { _id: req.params.objectId })
-			)
-		) {
+		// Basic check if user is allowed to update any survey at all
+		if (!req.authorization?.can(ACTIONS.CASL.UPDATE, SUBJECTS.SURVEY)) {
 			return res.sendStatus(403);
 		}
 		try {
+			// Update access is document-dependent but not field-dependent, so we only need to pass in
+			// an accessibleBy filter here
 			const result = await Survey.findOneAndUpdate(
-				{ _id: req.params.objectId, deletedAt: null },
+				{
+					$and: [
+						{ _id: req.params.objectId },
+						accessibleBy(req.authorization).ofType(
+							Survey.modelName
+						),
+						{ deletedAt: null }
+					]
+				},
 				req.body,
 				{ new: true }
 			);
 			if (!result) {
-				return res.status(404).json({ message: 'Survey not found' });
+				return res
+					.status(404)
+					.json({
+						message:
+							'Survey not found or you do not have permission to update this survey'
+					});
 			}
 			res.status(200).json({
 				message: 'Survey updated successfully',
@@ -202,8 +215,14 @@ router.post(
 	'/',
 	[auth, validate(createSurveySchema)],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
-		if (!req.authorization?.can(ACTIONS.CASL.CREATE, SUBJECTS.SURVEY)) {
-			return res.sendStatus(403);
+		// Different permissions based on creation with or without referral
+		// Check permission based on the action type based on query param `new`
+		let createActionType = ACTIONS.CASL.CREATE;
+		if (req.query.new === 'true') {
+			createActionType = ACTIONS.CUSTOM.CREATE_WITHOUT_REFERRAL;
+		}
+		if (!req.authorization?.can(createActionType, SUBJECTS.USER)) {
+			return res.status(403).json({ message: 'Forbidden' });
 		}
 		try {
 			const surveyData: ISurvey = req.body;
@@ -280,6 +299,11 @@ router.delete(
 	'/:objectId',
 	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		// TODO: may want to revisit here and see if we need to make a distinction for
+		// hard/soft-delete in permissions
+		if (!req.authorization?.can(ACTIONS.CASL.DELETE, SUBJECTS.SURVEY)) {
+			return res.sendStatus(403);
+		}
 		try {
 			// TODO: Delete specific fields within survey document as well
 			const result = await Survey.findByIdAndUpdate(
diff --git a/server/src/routes/v2/users.ts b/server/src/routes/v2/users.ts
@@ -1,3 +1,4 @@
+import { subject } from '@casl/ability';
 import { accessibleBy } from '@casl/mongoose';
 import express, { NextFunction, Response } from 'express';
 
@@ -32,15 +33,16 @@ const router = express.Router();
  */
 router.get(
 	'/',
-	[auth], // TODO: add `read_users` permission check
+	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		if (!req.authorization?.can(ACTIONS.CASL.READ, SUBJECTS.USER)) {
+			return res.sendStatus(403);
+		}
 		try {
 			const result = await User.find({
 				$and: [
 					req.query,
-					req?.authorization
-						? accessibleBy(req.authorization).ofType(User.modelName)
-						: {},
+					accessibleBy(req.authorization).ofType(User.modelName),
 					{ deletedAt: null }
 				]
 			});
@@ -83,8 +85,16 @@ router.get(
  */
 router.get(
 	'/:objectId',
-	[auth], // TODO: add `read_users` permission check
+	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		if (
+			!req.authorization?.can(
+				ACTIONS.CASL.READ,
+				subject(SUBJECTS.USER, { _id: req.params.objectId })
+			)
+		) {
+			return res.status(403).json({ message: 'Forbidden' });
+		}
 		try {
 			const result = await User.findById(req.params.objectId);
 			if (!result) {
@@ -123,8 +133,11 @@ router.get(
  */
 router.post(
 	'/',
-	[auth, validate(createUserSchema)], // TODO: add `create_users` permission check
+	[auth, validate(createUserSchema)],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		if (!req.authorization?.can(ACTIONS.CASL.CREATE, SUBJECTS.USER)) {
+			return res.status(403).json({ message: 'Forbidden' });
+		}
 		try {
 			const result = await User.create(req.body);
 			res.status(201).json({
@@ -167,9 +180,47 @@ router.post(
  */
 router.patch(
 	'/:objectId',
-	[auth, validate(updateUserSchema)], // TODO: add `update_users` permission check
+	[auth, validate(updateUserSchema)],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		// Basic check if permissible _id to update for user
+		if (
+			!req.authorization?.can(
+				ACTIONS.CASL.UPDATE,
+				subject(SUBJECTS.USER, { _id: req.params.objectId })
+			)
+		) {
+			return res.status(403).json({ message: 'Forbidden' });
+		}
 		try {
+			// Update access if document-dependent AND field-dependent (i.e. fields in our request body)
+			// so we first need to fetch the document and check permissions (more below)
+			const user = await User.findById(req.params.objectId);
+			if (!user) {
+				return res.status(404).json({ message: 'User not found' });
+			}
+
+			// Check if we are allowed to update all fields in request body
+			// These checks depend on interactions between our current user's role and location and the target user's role and location
+			// ex. a manager can only approve users with 'VOLUNTEER' role at their current location today, but are also allowed to update their own profile
+			// if the request tries to update a field that is impermissible for the document we fetched, we will return a 403 error
+			if (
+				!Object.keys(req.body).every(field =>
+					req.authorization?.can(
+						ACTIONS.CASL.UPDATE,
+						subject(SUBJECTS.USER, user.toObject()),
+						field
+					)
+				)
+			) {
+				return res
+					.status(403)
+					.json({
+						message:
+							'You are not allowed to make this update on this user'
+					});
+			}
+
+			// Passed permission checks, update user document
 			const result = await User.findByIdAndUpdate(
 				req.params.objectId,
 				req.body,
@@ -216,8 +267,16 @@ router.patch(
  */
 router.delete(
 	'/:objectId',
-	[auth], // TODO: add `delete_users` permission check
+	[auth],
 	async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
+		if (
+			!req.authorization?.can(
+				ACTIONS.CASL.DELETE,
+				subject(SUBJECTS.USER, { _id: req.params.objectId })
+			)
+		) {
+			return res.status(403).json({ message: 'Forbidden' });
+		}
 		try {
 			const result = await User.findByIdAndUpdate(
 				req.params.objectId,
