diff --git a/src/app/api/admin/OfficeFoldersController.ts b/src/app/api/admin/OfficeFoldersController.ts
index 612ad17f..34c03cfa 100644
--- a/src/app/api/admin/OfficeFoldersController.ts
+++ b/src/app/api/admin/OfficeFoldersController.ts
@@ -63,8 +63,10 @@ export default class OfficeFoldersController extends ApiController {
 }
 const userId: string = req.body.user.userId;
+ const officeId: string = req.body.user.office_Id;
 if (query.where?.stakeholders) delete query.where.stakeholders;
- const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } } };
+ if (query.where?.office_uid) delete query.where.office_uid;
+ const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } }, office_uid: officeId };
 query.where = officeFoldersWhereInput;
 //call service to get prisma entity
diff --git a/src/app/api/notary/OfficeFoldersController.ts b/src/app/api/notary/OfficeFoldersController.ts
index 2d8f7792..3dee02ce 100644
--- a/src/app/api/notary/OfficeFoldersController.ts
+++ b/src/app/api/notary/OfficeFoldersController.ts
@@ -60,8 +60,10 @@ export default class OfficeFoldersController extends ApiController {
 }
 const userId: string = req.body.user.userId;
+ const officeId: string = req.body.user.office_Id;
 if (query.where?.stakeholders) delete query.where.stakeholders;
- const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } } };
+ if (query.where?.office_uid) delete query.where.office_uid;
+ const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } }, office_uid: officeId };
 query.where = officeFoldersWhereInput;
 //call service to get prisma entity
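Review bot: The new office scoping of the list query depends on `req.body.user.office_Id` being populated, but nothing in the hunk checks it: when `officeId` is `undefined`, Prisma treats `office_uid: undefined` in a where input as "no condition", so the query silently degrades to the previous stakeholder-only filter instead of failing closed. A guard before `officeFoldersWhereInput` is built, along the lines of `if (!officeId) { this.httpUnauthorized(response, "No office in user context"); return; }` (using whatever the handler's response parameter is called; the signature is above the hunk), turns a missing office claim into a refusal rather than a wider result set. The `: string` annotation is a compile-time declaration and provides no runtime check here. The `delete query.where.office_uid` line is also redundant, since the explicit `office_uid: officeId` after the spread already overrides any client-supplied value, though it is harmless. The notary hunk at @@ -60 and the super-admin hunk at @@ -61 carry the identical pattern and need the same guard.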
@@ -253,6 +255,7 @@ export default class OfficeFoldersController extends ApiController {
 protected async getOneByUid(req: Request, response: Response) {
 try {
 const uid = req.params["uid"];
+ const officeId: string = req.body.user.office_Id;
 if (!uid) {
 this.httpBadRequest(response, "No uid provided");
 return;
@@ -270,6 +273,12 @@ export default class OfficeFoldersController extends ApiController {
 return;
 }
+ // Add office-level validation
+ if (officeFolderEntity.office_uid !== officeId) {
+ this.httpUnauthorized(response, "Not authorized to access this folder");
+ return;
+ }
+
 //Hydrate ressource with prisma entity
 const officeFolder = OfficeFolder.hydrate(officeFolderEntity);
diff --git a/src/app/api/super-admin/OfficeFoldersController.ts b/src/app/api/super-admin/OfficeFoldersController.ts
index 988c55c4..258a06ca 100644
--- a/src/app/api/super-admin/OfficeFoldersController.ts
+++ b/src/app/api/super-admin/OfficeFoldersController.ts
@@ -61,8 +61,10 @@ export default class OfficeFoldersController extends ApiController {
 }
 const userId: string = req.body.user.userId;
+ const officeId: string = req.body.user.office_Id;
 if (query.where?.stakeholders) delete query.where.stakeholders;
- const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } } };
+ if (query.where?.office_uid) delete query.where.office_uid;
+ const officeFoldersWhereInput: Prisma.OfficeFoldersWhereInput = { ...query.where, stakeholders: { some: { uid: userId } }, office_uid: officeId };
 query.where = officeFoldersWhereInput;
 //call service to get prisma entity
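Review bot: The office check `officeFolderEntity.office_uid !== officeId` in the @@ -270 hunk replies with `httpUnauthorized` and a message distinct from the not-found path just above it, so a caller from another office can tell an existing folder uid from a non-existent one; for a cross-tenant lookup the safer reply is the same response the not-found branch returns, which removes that existence oracle. Semantically the caller is authenticated but not permitted, so a 403-style helper, if ApiController provides one, fits better than 401. A simpler structure would be to add `office_uid: officeId` to the lookup query itself so the existing not-found branch covers both cases; the fetch is outside the hunk, so I cannot confirm its shape. The comparison is at least fail-closed when `officeId` is undefined, which is good, but this diff adds the per-folder check only to the notary controller while the admin and super-admin getOneByUid handlers are untouched, which is worth confirming as intentional.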