fix(server): premissions guard for read and write endpoints

This commit is contained in:
Ahmed Bouhuolia
2026-02-15 22:55:10 +02:00
parent af80afcf59
commit 2d39e38578
31 changed files with 423 additions and 21 deletions


@@ -9,6 +9,7 @@ import {
Put,
Query,
HttpCode,
UseGuards,
} from '@nestjs/common';
import { TenantController } from '../Tenancy/Tenant.controller';
import { ItemsApplicationService } from './ItemsApplication.service';
@@ -35,6 +36,11 @@ import {
ValidateBulkDeleteItemsResponseDto,
} from './dtos/BulkDeleteItems.dto';
import { ItemApiErrorResponseDto } from './dtos/ItemErrorResponse.dto';
import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
import { PermissionGuard } from '@/modules/Roles/Permission.guard';
import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
import { AbilitySubject } from '@/modules/Roles/Roles.types';
import { ItemAction } from '@/interfaces/Item';
@Controller('/items')
@ApiTags('Items')
@@ -48,12 +54,14 @@ import { ItemApiErrorResponseDto } from './dtos/ItemErrorResponse.dto';
@ApiExtraModels(ValidateBulkDeleteItemsResponseDto)
@ApiExtraModels(ItemApiErrorResponseDto)
@ApiCommonHeaders()
@UseGuards(AuthorizationGuard, PermissionGuard)
export class ItemsController extends TenantController {
constructor(private readonly itemsApplication: ItemsApplicationService) {
super();
}
@Get()
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({ summary: 'Retrieves the item list.' })
@ApiResponse({
status: 200,
@@ -144,6 +152,7 @@ export class ItemsController extends TenantController {
* @returns The updated item id.
*/
@Put(':id')
@RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
@ApiOperation({ summary: 'Edit the given item (product or service).' })
@ApiResponse({
status: 200,
@@ -174,6 +183,7 @@ export class ItemsController extends TenantController {
@Post('validate-bulk-delete')
@HttpCode(200)
@RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
@ApiOperation({
summary:
'Validates which items can be deleted and returns counts of deletable and non-deletable items.',
@@ -194,6 +204,7 @@ export class ItemsController extends TenantController {
@Post('bulk-delete')
@HttpCode(200)
@RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
@ApiOperation({ summary: 'Deletes multiple items in bulk.' })
@ApiResponse({
status: 200,
@@ -208,6 +219,7 @@ export class ItemsController extends TenantController {
}
@Post()
@RequirePermission(ItemAction.CREATE, AbilitySubject.Item)
@ApiOperation({ summary: 'Create a new item (product or service).' })
@ApiResponse({
status: 200,
@@ -230,6 +242,7 @@ export class ItemsController extends TenantController {
}
@Delete(':id')
@RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
@ApiOperation({ summary: 'Delete the given item (product or service).' })
@ApiResponse({
status: 200,
@@ -255,6 +268,7 @@ export class ItemsController extends TenantController {
}
@Patch(':id/inactivate')
@RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
@ApiOperation({ summary: 'Inactivate the given item (product or service).' })
@ApiResponse({
status: 200,
@@ -273,6 +287,7 @@ export class ItemsController extends TenantController {
}
@Patch(':id/activate')
@RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
@ApiOperation({ summary: 'Activate the given item (product or service).' })
@ApiResponse({
status: 200,
@@ -291,6 +306,7 @@ export class ItemsController extends TenantController {
}
@Get(':id')
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({ summary: 'Get the given item (product or service).' })
@ApiResponse({
status: 200,
@@ -312,6 +328,7 @@ export class ItemsController extends TenantController {
}
@Get(':id/invoices')
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({
summary: 'Retrieves the item associated invoices transactions.',
})
@@ -337,6 +354,7 @@ export class ItemsController extends TenantController {
}
@Get(':id/bills')
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({
summary: 'Retrieves the item associated bills transactions.',
})
@@ -362,6 +380,7 @@ export class ItemsController extends TenantController {
}
@Get(':id/estimates')
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({
summary: 'Retrieves the item associated estimates transactions.',
})
@@ -387,6 +406,7 @@ export class ItemsController extends TenantController {
}
@Get(':id/receipts')
@RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
@ApiOperation({
summary: 'Retrieves the item associated receipts transactions.',
})
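Review bot: The class-level `@UseGuards(AuthorizationGuard, PermissionGuard)` in the third hunk only enforces an action check on handlers that also carry `@RequirePermission`, and any ItemsController handler this diff does not touch has no such metadata; whether PermissionGuard then denies or passes such a request is decided in Permission.guard, outside this diff, so please confirm it fails closed when the `RequirePermission` metadata key is absent. If it passes through, a handler that was missed here (or added later without the decorator) stays reachable by any authenticated tenant user regardless of role, which is the gap this commit is meant to close. A comment above the `@UseGuards` line would record the invariant for the next maintainer, e.g. `// PermissionGuard denies any handler that lacks @RequirePermission; every route below must declare its action/subject.` (worded to match the guard's actual behaviour), and a small spec that walks the controller's route handlers and asserts each one has permission metadata would keep it from regressing. The same per-handler pattern holds across the remaining hunks of this file, and the guard order is only correct if AuthorizationGuard populates whatever ability object PermissionGuard reads, which cannot be verified from this diff.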