mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

fix(api): add WorkspaceGuard to controllers and fix route ordering

Browse Source
This commit is contained in:
Jason Woltje
2026-01-29 20:15:33 -06:00
parent 9977d9bcf4
commit 48abdbba8b
8 changed files with 216 additions and 541 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
apps/api/src/events/events.controller.ts
View File

@@ -8,97 +8,71 @@ import {
Param,
Query,
UseGuards,
Request,
UnauthorizedException,
} from "@nestjs/common";
import { EventsService } from "./events.service";
import { CreateEventDto, UpdateEventDto, QueryEventsDto } from "./dto";
import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { Workspace, Permission, RequirePermission } from "../common/decorators";
import { CurrentUser } from "../auth/decorators/current-user.decorator";
/**
* Controller for event endpoints
* All endpoints require authentication
* All endpoints require authentication and workspace context
*
* Guards are applied in order:
* 1. AuthGuard - Verifies user authentication
* 2. WorkspaceGuard - Validates workspace access and sets RLS context
* 3. PermissionGuard - Checks role-based permissions
*/
@Controller("events")
@UseGuards(AuthGuard)
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
export class EventsController {
constructor(private readonly eventsService: EventsService) {}
/**
* POST /api/events
* Create a new event
*/
@Post()
async create(@Body() createEventDto: CreateEventDto, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.create(workspaceId, userId, createEventDto);
@RequirePermission(Permission.WORKSPACE_MEMBER)
async create(
@Body() createEventDto: CreateEventDto,
@Workspace() workspaceId: string,
@CurrentUser() user: any
) {
return this.eventsService.create(workspaceId, user.id, createEventDto);
}
/**
* GET /api/events
* Get paginated events with optional filters
*/
@Get()
async findAll(@Query() query: QueryEventsDto, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new UnauthorizedException("Authentication required");
}
@RequirePermission(Permission.WORKSPACE_ANY)
async findAll(
@Query() query: QueryEventsDto,
@Workspace() workspaceId: string
) {
return this.eventsService.findAll({ ...query, workspaceId });
}
/**
* GET /api/events/:id
* Get a single event by ID
*/
@Get(":id")
async findOne(@Param("id") id: string, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new UnauthorizedException("Authentication required");
}
@RequirePermission(Permission.WORKSPACE_ANY)
async findOne(@Param("id") id: string, @Workspace() workspaceId: string) {
return this.eventsService.findOne(id, workspaceId);
}
/**
* PATCH /api/events/:id
* Update an event
*/
@Patch(":id")
@RequirePermission(Permission.WORKSPACE_MEMBER)
async update(
@Param("id") id: string,
@Body() updateEventDto: UpdateEventDto,
@Request() req: any
@Workspace() workspaceId: string,
@CurrentUser() user: any
) {
const workspaceId = req.user?.workspaceId;
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.update(id, workspaceId, userId, updateEventDto);
return this.eventsService.update(id, workspaceId, user.id, updateEventDto);
}
/**
* DELETE /api/events/:id
* Delete an event
*/
@Delete(":id")
async remove(@Param("id") id: string, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.remove(id, workspaceId, userId);
@RequirePermission(Permission.WORKSPACE_ADMIN)
async remove(
@Param("id") id: string,
@Workspace() workspaceId: string,
@CurrentUser() user: any
) {
return this.eventsService.remove(id, workspaceId, user.id);
}
}