borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix jwt-token

Browse Source
This commit is contained in:
Alexander Borg
2025-09-17 05:21:35 +02:00
parent 8148ce9fc0
commit e82213942c
1 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
server/routes/device.js
View File

@@ -319,6 +319,14 @@ router.post('/', authenticateToken, validateRequest(deviceSchema), async (req, r
try { try {
const { Device, DroneDetection, Heartbeat, Tenant } = getModels(); const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
// Check admin role
if (req.user.role !== 'admin') {
return res.status(403).json({
success: false,
message: 'Admin role required for device creation'
});
}
// Determine tenant from request // Determine tenant from request
const tenantId = await multiAuth.determineTenant(req); const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) { if (!tenantId) {
@@ -392,6 +400,14 @@ router.put('/:id', authenticateToken, validateRequest(updateDeviceSchema), async
try { try {
const { Device, DroneDetection, Heartbeat, Tenant } = getModels(); const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
// Check admin role
if (req.user.role !== 'admin') {
return res.status(403).json({
success: false,
message: 'Admin role required for device updates'
});
}
const device = await Device.findByPk(req.params.id); const device = await Device.findByPk(req.params.id);
if (!device) { if (!device) {
@@ -401,6 +417,17 @@ router.put('/:id', authenticateToken, validateRequest(updateDeviceSchema), async
}); });
} }
// Check if device belongs to user's tenant
const tenantId = await multiAuth.determineTenant(req);
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (device.tenant_id !== tenant.id) {
return res.status(404).json({
success: false,
message: 'Device not found'
});
}
console.log(`📝 Device ${req.params.id} update requested by user ${req.user.id} (${req.user.username})`); console.log(`📝 Device ${req.params.id} update requested by user ${req.user.id} (${req.user.username})`);
console.log('Update data:', req.body); console.log('Update data:', req.body);
@@ -434,6 +461,14 @@ router.delete('/:id', authenticateToken, async (req, res) => {
try { try {
const { Device, DroneDetection, Heartbeat, Tenant } = getModels(); const { Device, DroneDetection, Heartbeat, Tenant } = getModels();
// Check admin role
if (req.user.role !== 'admin') {
return res.status(403).json({
success: false,
message: 'Admin role required for device deletion'
});
}
const device = await Device.findByPk(req.params.id); const device = await Device.findByPk(req.params.id);
if (!device) { if (!device) {