fix(server): permissions guard for read and write endpoints

Ahmed Bouhuolia
2026-02-15 22:55:10 +02:00
parent af80afcf59
commit 2d39e38578
31 changed files with 423 additions and 21 deletions


@@ -7,6 +7,7 @@ import {
Post,
Put,
Query,
UseGuards,
} from '@nestjs/common';
import { VendorCreditsApplicationService } from './VendorCreditsApplication.service';
import { IVendorCreditsQueryDTO } from './types/VendorCredit.types';
@@ -26,17 +27,24 @@ import {
BulkDeleteDto,
ValidateBulkDeleteResponseDto,
} from '@/common/dtos/BulkDelete.dto';
import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
import { PermissionGuard } from '@/modules/Roles/Permission.guard';
import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
import { AbilitySubject } from '@/modules/Roles/Roles.types';
import { VendorCreditAction } from './types/VendorCredit.types';
@Controller('vendor-credits')
@ApiTags('Vendor Credits')
@ApiCommonHeaders()
@ApiExtraModels(ValidateBulkDeleteResponseDto)
@UseGuards(AuthorizationGuard, PermissionGuard)
export class VendorCreditsController {
constructor(
private readonly vendorCreditsApplication: VendorCreditsApplicationService,
) { }
@Post('validate-bulk-delete')
@RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
@ApiOperation({
summary:
'Validates which vendor credits can be deleted and returns the results.',
@@ -58,6 +66,7 @@ export class VendorCreditsController {
}
@Post('bulk-delete')
@RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Deletes multiple vendor credits.' })
@ApiResponse({
status: 200,
@@ -73,24 +82,28 @@ export class VendorCreditsController {
}
@Post()
@RequirePermission(VendorCreditAction.Create, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Create a new vendor credit.' })
async createVendorCredit(@Body() dto: CreateVendorCreditDto) {
return this.vendorCreditsApplication.createVendorCredit(dto);
}
@Put(':id/open')
@RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Open the given vendor credit.' })
async openVendorCredit(@Param('id') vendorCreditId: number) {
return this.vendorCreditsApplication.openVendorCredit(vendorCreditId);
}
@Get()
@RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Retrieves the vendor credits.' })
async getVendorCredits(@Query() filterDTO: IVendorCreditsQueryDTO) {
return this.vendorCreditsApplication.getVendorCredits(filterDTO);
}
@Put(':id')
@RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Edit the given vendor credit.' })
async editVendorCredit(
@Param('id') vendorCreditId: number,
@@ -100,12 +113,14 @@ export class VendorCreditsController {
}
@Delete(':id')
@RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Delete the given vendor credit.' })
async deleteVendorCredit(@Param('id') vendorCreditId: number) {
return this.vendorCreditsApplication.deleteVendorCredit(vendorCreditId);
}
@Get(':id')
@RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
@ApiOperation({ summary: 'Retrieves the vendor credit details.' })
async getVendorCredit(@Param('id') vendorCreditId: number) {
return this.vendorCreditsApplication.getVendorCredit(vendorCreditId);