feat: add permission guards to credit note and vendor credit controllers

Add AuthorizationGuard and PermissionGuard to the following controllers:
- CreditNoteRefundsController
- CreditNotesApplyInvoiceController
- VendorCreditApplyBillsController
- VendorCreditsRefundController

Add @RequirePermission decorators with appropriate actions:
- View action for GET endpoints
- Edit action for POST/DELETE endpoints
- Refund action for refund-related operations

Also fixes AuthorizationGuard to use userId from clsService instead of
user.id from request for consistency with the abilities cache.
Ahmed Bouhuolia
2026-02-16 20:04:48 +02:00
parent 174aec78ca
commit d5402b6a9b
5 changed files with 80 additions and 6 deletions

@@ -31,9 +31,10 @@ export class AuthorizationGuard implements CanActivate {
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest<Request>();
const { user } = request as any;
const userId = this.clsService.get('userId');
if (ABILITIES_CACHE.has(user.id)) {
(request as any).ability = ABILITIES_CACHE.get(user.id);
if (ABILITIES_CACHE.has(userId)) {
(request as any).ability = ABILITIES_CACHE.get(userId);
} else {
const ability = await this.getAbilityForUser();
(request as any).ability = ability;
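Review bot: `userId` from `this.clsService.get('userId')` is used as the cache key in `canActivate` with no check that it is set. If the CLS context holds no `userId` when this guard runs, `ABILITIES_CACHE.has(userId)` is evaluated with `undefined` and the request falls through to `getAbilityForUser()`; should the code below this hunk store the result under that key, unrelated requests would share one cached ability. Suggest rejecting the request (for example with `UnauthorizedException`) when `userId` is missing, before the cache is touched. Separately, `const { user } = request as any;` is no longer referenced in the visible lines and can be removed if nothing further down uses it.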