45 lines
1.2 KiB
JavaScript
45 lines
1.2 KiB
JavaScript
import { AuthenticationError, ForbiddenError } from '@redwoodjs/api'
|
|
import { db } from 'src/lib/db'
|
|
|
|
export const requireOwnership = async ({ userId, userName, partId } = {}) => {
|
|
// IMPORTANT, don't forget to await this function, as it will only block
|
|
// unwanted db actions if it has time to look up resources in the db.
|
|
if (!context.currentUser) {
|
|
throw new AuthenticationError("You don't have permission to do that.")
|
|
}
|
|
if (!userId && !userName && !partId) {
|
|
throw new ForbiddenError("You don't have access to do that.")
|
|
}
|
|
|
|
if (context.currentUser.roles?.includes('admin')) {
|
|
return
|
|
}
|
|
|
|
const netlifyUserId = context.currentUser?.sub
|
|
if (userId && userId !== netlifyUserId) {
|
|
throw new ForbiddenError("You don't own this resource.")
|
|
}
|
|
|
|
if (userName) {
|
|
const user = await db.user.findUnique({
|
|
where: { userName },
|
|
})
|
|
|
|
if (!user || user.id !== netlifyUserId) {
|
|
throw new ForbiddenError("You don't own this resource.")
|
|
}
|
|
}
|
|
|
|
if (partId) {
|
|
const user = await db.part
|
|
.findUnique({
|
|
where: { id: partId },
|
|
})
|
|
.user()
|
|
|
|
if (!user || user.id !== netlifyUserId) {
|
|
throw new ForbiddenError("You don't own this resource.")
|
|
}
|
|
}
|
|
}
|