diff --git a/server/routes/device.js b/server/routes/device.js
index b72ff1b..25e8e8b 100644
--- a/server/routes/device.js
+++ b/server/routes/device.js
@@ -319,6 +319,14 @@ router.post('/', authenticateToken, validateRequest(deviceSchema), async (req, r
 try {
 const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
+ // Check admin role
+ if (req.user.role !== 'admin') {
+ return res.status(403).json({
+ success: false,
+ message: 'Admin role required for device creation'
+ });
+ }
+
 // Determine tenant from request
 const tenantId = await multiAuth.determineTenant(req);
 if (!tenantId) {
@@ -392,6 +400,14 @@ router.put('/:id', authenticateToken, validateRequest(updateDeviceSchema), async
 try {
 const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
+ // Check admin role
+ if (req.user.role !== 'admin') {
+ return res.status(403).json({
+ success: false,
+ message: 'Admin role required for device updates'
+ });
+ }
+
 const device = await Device.findByPk(req.params.id);
 if (!device) {
@@ -401,6 +417,17 @@ router.put('/:id', authenticateToken, validateRequest(updateDeviceSchema), async
 });
 }
+ // Check if device belongs to user's tenant
+ const tenantId = await multiAuth.determineTenant(req);
+ const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+
+ if (device.tenant_id !== tenant.id) {
+ return res.status(404).json({
+ success: false,
+ message: 'Device not found'
+ });
+ }
+
 console.log(`📝 Device ${req.params.id} update requested by user ${req.user.id} (${req.user.username})`);
 console.log('Update data:', req.body);
@@ -434,6 +461,14 @@ router.delete('/:id', authenticateToken, async (req, res) => {
 try {
 const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
+ // Check admin role
+ if (req.user.role !== 'admin') {
+ return res.status(403).json({
+ success: false,
+ message: 'Admin role required for device deletion'
+ });
+ }
+
 const device = await Device.findByPk(req.params.id);
 if (!device) {
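Review bot: The same inline `if (req.user.role !== 'admin')` block is pasted into three handlers (this hunk at -319 and the ones at -392 and -434), each with its own hand-written 403 payload, and nothing on the `router.post/put/delete` lines shows that the requirement exists; a `requireRole('admin')` middleware composed next to `authenticateToken` makes the requirement visible at the route and impossible to forget in the next handler. Placing it in middleware also fixes the ordering in this hunk: the check currently runs after `validateRequest(deviceSchema)`, so a non-admin caller receives schema validation feedback before the 403. Whether `role === 'admin'` is platform-wide or per-tenant is not visible here; if it is per-tenant, the check belongs after the tenant resolved by `multiAuth.determineTenant(req)` on the following lines rather than on the bare role string. The handler body continues outside the hunk.
```javascript
// new helper (or in the auth middleware module): reject before validation runs
function requireRole(role) {
  return (req, res, next) => {
    if (req.user?.role !== role) {
      return res.status(403).json({ success: false, message: `${role} role required` });
    }
    return next();
  };
}

router.post('/', authenticateToken, requireRole('admin'), validateRequest(deviceSchema), async (req, res) => {
// … unchanged: handler body, minus the inline role check …
```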
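Review bot: The new `if (device.tenant_id !== tenant.id)` line in the hunk at -401 dereferences the result of `Tenant.findOne` with no null check, so when `multiAuth.determineTenant(req)` yields nothing (the POST handler in the hunk at -319 guards `if (!tenantId)` right after the same call) or the slug matches no row, the handler throws a TypeError into the surrounding catch instead of returning the 404, and the resulting status code then distinguishes "device exists, tenant unresolved" from "device missing". Guard it the way the POST path does: `if (!tenantId || !tenant || device.tenant_id !== tenant.id) {` keeps the single uniform 404 response. Resolving the tenant before `Device.findByPk`, or scoping the query with `where: { id: req.params.id, tenant_id: tenant.id }`, would also avoid loading a row the caller is not permitted to see. The enclosing `router.put` handler starts and ends outside the hunk.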
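Review bot: The delete handler in the hunk at -434 gains only the role check; unlike the PUT handler (hunk at -401), no tenant ownership check follows `Device.findByPk(req.params.id)` here, so unless one already exists further down the handler (its body ends outside the hunk), an admin of one tenant can delete another tenant's device by id. Mirror the PUT path with a null-safe comparison: `const tenant = await Tenant.findOne({ where: { slug: await multiAuth.determineTenant(req) } });` followed by `if (!tenant || device.tenant_id !== tenant.id) { return res.status(404).json({ success: false, message: 'Device not found' }); }`. Returning 404 rather than 403 keeps cross-tenant ids indistinguishable from non-existent ones, consistent with the PUT handler's response.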