Click here to Skip to main content
15,881,424 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
i've four users super admin, admin, hod and data entry operator. super admin can access everything. but admin ,hod and data entry operator have limited access all the things should be handle in backend.

but below array i put all the api's url which user can access but when i pass id its is present in array and shows
You have no access to update data.


for example :-
"/api/masters/wing/getWing/{id}"
this is present in array but
req.originalUrl
got
"/api/masters/wing/getWing/1"

and it throw error.
You have no access to update data.


how can i match url with array.

What I have tried:

if (
           data.userroles[0].role != "Super Admin" &&
          (!Auth.aceessList[data.userroles[0].role] ||
            !Auth.aceessList[data.userroles[0].role].some((d) => req.originalUrl.includes(d)))
         ) {
           throw new Error("You have no access to update data.");
        }


and below is the array of api's that user can access.
static get aceessList() {
    return {
      ["Admin"]: [
        "/api/masters/wing/manageWing",
        "/api/masters/departments/managedepartment",
        "/api/masters/supplier/managesupplier",
        "/api/masters/expensehead/manageexpensehead",
        "/api/masters/subHead/manageSubHead",
        "/api/user/save-member",
        "/api/user/changepassword",
        "/api/masters/budget/getbudgetlist",
        "/api/masters/budget/getbudgetbywing",
        "/api/masters/budget/getbudgetbyexpensehead/{expense_head_id}/{sub_head_id}",
        "/api/masters/budget/getbudgetbyduration",
        "/api/masters/budget/getbudget",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheaderlist",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheader/{id}",
        "/api/masters/purchaserequisitionheader/getprdetailsList",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader"
      ],
      ["Data Entry Operator"]: [
        "/api/admin/upload-data",
        "/api/admin/upload-income-data",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader"
      ],
      ["HOD"]: [
        "/api/masters/wing/manageWing",
        "/api/masters/departments/managedepartment",
        "/api/masters/supplier/managesupplier",
        "/api/masters/expensehead/manageexpensehead",
        "/api/masters/subHead/manageSubHead",
        "/api/user/save-member",
        "/api/user/changepassword",
        "/api/masters/departments/managedepartment",
        "/api/masters/budget/getbudgetlist",
        "/api/masters/budget/getbudgetbywing/{wing_id}/{department_id}",
        "/api/masters/budget/getbudgetbyexpensehead/{expense_head_id}/{sub_head_id}",
        "/api/masters/budget/getbudgetbyduration",
        "/api/masters/budget/getbudget/{id}",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheaderlist",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheader",
        "/api/masters/purchaserequisitionheader/getprdetailsList",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader",
        "/api/masters/departments/getdepartmentlist",
        "/api/masters/departments/getdepartment/{id}",
        "/api/masters/departments/managedepartment",
        "/api/masters/wing/getWingList",
        "/api/masters/wing/getWing/{id}"
      ]
    };
  }
Posted
Updated 5-Apr-23 22:06pm

1 solution

The simplest option is probably to change your access list templates to regular expressions. That way, you can also express constraints on the type of data accepted by the parameters.
JavaScript
class Auth {
    static get accessList() {
        return {
            ["Admin"]: [
                /^\/api\/masters\/wing\/manageWing$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/supplier\/managesupplier$/,
                /^\/api\/masters\/expensehead\/manageexpensehead$/,
                /^\/api\/masters\/subHead\/manageSubHead$/,
                /^\/api\/user\/save-member$/,
                /^\/api\/user\/changepassword$/,
                /^\/api\/masters\/budget\/getbudgetlist$/,
                /^\/api\/masters\/budget\/getbudgetbywing$/,
                /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyduration$/,
                /^\/api\/masters\/budget\/getbudget$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader\/(\d+)$/,
                /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/
            ],
            ["Data Entry Operator"]: [
                /^\/api\/admin\/upload-data$/,
                /^\/api\/admin\/upload-income-data$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/
            ],
            ["HOD"]: [
                /^\/api\/masters\/wing\/manageWing$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/supplier\/managesupplier$/,
                /^\/api\/masters\/expensehead\/manageexpensehead$/,
                /^\/api\/masters\/subHead\/manageSubHead$/,
                /^\/api\/user\/save-member$/,
                /^\/api\/user\/changepassword$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/budget\/getbudgetlist$/,
                /^\/api\/masters\/budget\/getbudgetbywing\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyduration$/,
                /^\/api\/masters\/budget\/getbudget\/(\d+)$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader$/,
                /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
                /^\/api\/masters\/departments\/getdepartmentlist$/,
                /^\/api\/masters\/departments\/getdepartment\/(\d+)$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/wing\/getWingList$/,
                /^\/api\/masters\/wing\/getWing\/(\d+)$/
            ]
        };
    }
};
JavaScript
if (data.userroles[0].role != "Super Admin") {
    const accessList = Auto.accessList[data.userroles[0].role];
    if (!accessList || !accessList.some(d => req.originalUrl.match(d))) {
        throw new Error("You have no access to update data.");
    }
}
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900