fix: harden public routine trigger auth

dotta 2026-03-20 13:23:31 -05:00
parent 13fd656e2b
commit a62c264ddf
2 changed files with 10 additions and 3 deletions


@ -17,7 +17,7 @@ export function routineRoutes(db: Db) {
const router = Router();
const svc = routineService(db);
async function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
assertCompanyAccess(req, companyId);
if (req.actor.type === "board") return;
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
@ -47,7 +47,7 @@ export function routineRoutes(db: Db) {
router.post("/companies/:companyId/routines", validate(createRoutineSchema), async (req, res) => {
const companyId = req.params.companyId as string;
await assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
const created = await svc.create(companyId, req.body, {
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,