feat: add permission guards to credit note and vendor credit controllers

Add AuthorizationGuard and PermissionGuard to the following controllers: - CreditNoteRefundsController - CreditNotesApplyInvoiceController - VendorCreditApplyBillsController - VendorCreditsRefundController Add @RequirePermission decorators with appropriate actions: - View action for GET endpoints - Edit action for POST/DELETE endpoints - Refund action for refund-related operations Also fixes AuthorizationGuard to use userId from clsService instead of user.id from request for consistency with the abilities cache.
2026-02-18 05:40:31 +00:00 · 2026-02-16 20:04:48 +02:00
parent 174aec78ca
commit d5402b6a9b
5 changed files with 80 additions and 6 deletions
--- a/packages/server/src/modules/CreditNoteRefunds/CreditNoteRefunds.controller.ts
+++ b/packages/server/src/modules/CreditNoteRefunds/CreditNoteRefunds.controller.ts
@@ -1,20 +1,35 @@
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
-import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { ICreditNoteRefundDTO } from '../CreditNotes/types/CreditNotes.types';
 import { CreditNotesRefundsApplication } from './CreditNotesRefundsApplication.service';
 import { RefundCreditNote } from './models/RefundCreditNote';
 import { CreditNoteRefundDto } from './dto/CreditNoteRefund.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { CreditNoteAction } from '../CreditNotes/types/CreditNotes.types';

@Controller('credit-notes')
@ApiTags('Credit Note Refunds')
@ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CreditNoteRefundsController {
  constructor(
    private readonly creditNotesRefundsApplication: CreditNotesRefundsApplication,
  ) {}

  @Get(':creditNoteId/refunds')
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
  @ApiOperation({ summary: 'Retrieve the credit note graph.' })
  getCreditNoteRefunds(@Param('creditNoteId') creditNoteId: number) {
    return this.creditNotesRefundsApplication.getCreditNoteRefunds(
@@ -29,6 +44,7 @@ export class CreditNoteRefundsController {
   * @returns {Promise<RefundCreditNote>}
   */
  @Post(':creditNoteId/refunds')
+  @RequirePermission(CreditNoteAction.Refund, AbilitySubject.CreditNote)
  @ApiOperation({ summary: 'Create a refund for the given credit note.' })
  createRefundCreditNote(
    @Param('creditNoteId') creditNoteId: number,
@@ -46,6 +62,7 @@ export class CreditNoteRefundsController {
   * @returns {Promise<void>}
   */
  @Delete('refunds/:refundCreditId')
+  @RequirePermission(CreditNoteAction.Refund, AbilitySubject.CreditNote)
  @ApiOperation({ summary: 'Delete a refund for the given credit note.' })
  deleteRefundCreditNote(
    @Param('refundCreditId') refundCreditId: number,