import { Role } from '@prisma/client';
import { ApiError } from './errors';
import { getTeamMember } from 'models/team';
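/**
 * Authorization check for an operation that changes a team member's role.
 *
 * Resolves the target member within the acting member's team and throws a
 * 403 `ApiError` when the acting member's role does not allow the requested
 * change. Returning normally means the operation is permitted.
 *
 * Rules enforced (in this order):
 *  - a Member or Admin may not change an Owner's role;
 *  - a Member may not change an Admin's or Owner's role;
 *  - an Admin may not promote anyone to Owner;
 *  - a Member may not promote anyone to Admin or Owner.
 *
 * @param memberId - Id of the member whose role is being changed.
 * @param teamMember - The acting member; only `role` and `team.slug` are read.
 * @param operationMeta - Optional details of the operation; `role` is the role
 *   the target would be given (omit when the operation does not assign a role,
 *   in which case only the first two rules apply).
 * @returns Resolves with no value when the operation is permitted.
 * @throws {ApiError} 403 when the acting member may not perform the operation.
 */
export async function validateMembershipOperation(
  memberId: string,
  teamMember: { role: Role; team: { slug: string } },
  operationMeta?: {
    role?: Role;
  }
): Promise<void> {
  // The target is looked up within the acting member's own team, so a member
  // id belonging to another team is not matched here.
  // NOTE(review): assumes getTeamMember throws (or never returns null) when no
  // such member exists in this team — confirm against models/team.
  const updatingMember = await getTeamMember(memberId, teamMember.team.slug);

  const actorRole = teamMember.role;
  const targetRole = updatingMember.role;
  const requestedRole = operationMeta?.role;

  const actorIsMember = actorRole === Role.MEMBER;
  const actorIsAdmin = actorRole === Role.ADMIN;

  // Member and Admin can't update the role of an Owner.
  if ((actorIsMember || actorIsAdmin) && targetRole === Role.OWNER) {
    throw new ApiError(
      403,
      'You do not have permission to update the role of this member.'
    );
  }

  // Member can't update the role of an Admin or Owner.
  if (
    actorIsMember &&
    (targetRole === Role.ADMIN || targetRole === Role.OWNER)
  ) {
    throw new ApiError(
      403,
      'You do not have permission to update the role of this member.'
    );
  }

  // Admin can't make anyone an Owner.
  if (actorIsAdmin && requestedRole === Role.OWNER) {
    throw new ApiError(
      403,
      'You do not have permission to update the role of this member to Owner.'
    );
  }

  // Member can't make anyone an Admin or Owner. The message names both roles,
  // since it is raised for either requested role.
  if (
    actorIsMember &&
    (requestedRole === Role.ADMIN || requestedRole === Role.OWNER)
  ) {
    throw new ApiError(
      403,
      'You do not have permission to update the role of this member to Admin or Owner.'
    );
  }
}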