foxerBN/crm-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Add admin-only protection to sensitive routes

Browse Source 
- GET /admin/users now requires admin role
- GET /time-tracking/running-all now requires admin role
- GET /notes now requires admin role
- GET /audit-logs now requires admin role

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
richardtekula
2025-12-16 08:39:21 +01:00
parent 232b8608e5
commit 2d6198b5f8
4 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/routes/note.routes.js
View File

@@ -1,6 +1,7 @@
import express from 'express';
import * as noteController from '../controllers/note.controller.js';
import { authenticate } from '../middlewares/auth/authMiddleware.js';
import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
import { createNoteSchema, updateNoteSchema } from '../validators/crm.validators.js';
import { z } from 'zod';
@@ -14,8 +15,8 @@ router.use(authenticate);
* Note management
*/
// Get all notes
router.get('/', noteController.getAllNotes);
// Get all notes (admin only - returns all notes system-wide)
router.get('/', requireAdmin, noteController.getAllNotes);
// Get my reminders (must be before /:noteId to avoid route conflict)
router.get('/my-reminders', noteController.getMyReminders);