fix(server): premissions guard for read and write endpoints

This commit is contained in:
Ahmed Bouhuolia
2026-02-15 22:55:10 +02:00
parent af80afcf59
commit 2d39e38578
31 changed files with 423 additions and 21 deletions


@@ -19,6 +19,7 @@ import {
Put,
Query,
Res,
UseGuards,
} from '@nestjs/common';
import { SaleEstimatesApplication } from './SaleEstimates.application';
import {
@@ -40,6 +41,11 @@ import {
BulkDeleteDto,
ValidateBulkDeleteResponseDto,
} from '@/common/dtos/BulkDelete.dto';
import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
import { PermissionGuard } from '@/modules/Roles/Permission.guard';
import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
import { AbilitySubject } from '@/modules/Roles/Roles.types';
import { SaleEstimateAction } from './types/SaleEstimates.types';
@Controller('sale-estimates')
@ApiTags('Sale Estimates')
@@ -48,8 +54,10 @@ import {
@ApiExtraModels(SaleEstiamteStateResponseDto)
@ApiCommonHeaders()
@ApiExtraModels(ValidateBulkDeleteResponseDto)
@UseGuards(AuthorizationGuard, PermissionGuard)
export class SaleEstimatesController {
@Post('validate-bulk-delete')
@RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
@ApiOperation({
summary:
'Validates which sale estimates can be deleted and returns the results.',
@@ -71,6 +79,7 @@ export class SaleEstimatesController {
}
@Post('bulk-delete')
@RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Deletes multiple sale estimates.' })
@ApiResponse({
status: 200,
@@ -93,6 +102,7 @@ export class SaleEstimatesController {
) { }
@Post()
@RequirePermission(SaleEstimateAction.Create, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Create a new sale estimate.' })
@ApiResponse({
status: 200,
@@ -105,6 +115,7 @@ export class SaleEstimatesController {
}
@Put(':id')
@RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Edit the given sale estimate.' })
@ApiResponse({
status: 200,
@@ -131,6 +142,7 @@ export class SaleEstimatesController {
}
@Delete(':id')
@RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Delete the given sale estimate.' })
@ApiResponse({
status: 200,
@@ -153,6 +165,7 @@ export class SaleEstimatesController {
}
@Get('state')
@RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Retrieves the sale estimate state.' })
@ApiResponse({
status: 200,
@@ -166,6 +179,7 @@ export class SaleEstimatesController {
}
@Get()
@RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Retrieves the sale estimates.' })
@ApiResponse({
status: 200,
@@ -189,6 +203,7 @@ export class SaleEstimatesController {
}
@Post(':id/deliver')
@RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Deliver the given sale estimate.' })
@ApiResponse({
status: 200,
@@ -207,6 +222,7 @@ export class SaleEstimatesController {
}
@Put(':id/approve')
@RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Approve the given sale estimate.' })
@ApiParam({
name: 'id',
@@ -221,6 +237,7 @@ export class SaleEstimatesController {
}
@Put(':id/reject')
@RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Reject the given sale estimate.' })
@ApiParam({
name: 'id',
@@ -235,6 +252,7 @@ export class SaleEstimatesController {
}
@Post(':id/notify-sms')
@RequirePermission(SaleEstimateAction.NotifyBySms, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Notify the given sale estimate by SMS.' })
@ApiParam({
name: 'id',
@@ -251,6 +269,7 @@ export class SaleEstimatesController {
}
@Get(':id/sms-details')
@RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Retrieves the sale estimate SMS details.' })
public getSaleEstimateSmsDetails(
@Param('id', ParseIntPipe) saleEstimateId: number,
@@ -262,6 +281,7 @@ export class SaleEstimatesController {
@Post(':id/mail')
@HttpCode(200)
@RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Send the given sale estimate by mail.' })
@ApiParam({
name: 'id',
@@ -280,6 +300,7 @@ export class SaleEstimatesController {
}
@Get(':id/mail')
@RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
@ApiOperation({ summary: 'Retrieves the sale estimate mail state.' })
@ApiParam({
name: 'id',
@@ -296,6 +317,7 @@ export class SaleEstimatesController {
}
@Get(':id')
@RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
@ApiOperation({
summary: 'Retrieves the sale estimate details.',
})