fix: Add admin-only protection to sensitive routes

- GET /admin/users now requires admin role
- GET /time-tracking/running-all now requires admin role
- GET /notes now requires admin role
- GET /audit-logs now requires admin role

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
richardtekula
2025-12-16 08:39:21 +01:00
parent 232b8608e5
commit 2d6198b5f8
4 changed files with 13 additions and 13 deletions


@@ -1,6 +1,7 @@
import express from 'express';
import * as timeTrackingController from '../controllers/time-tracking.controller.js';
import { authenticate } from '../middlewares/auth/authMiddleware.js';
import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
import {
startTimeEntrySchema,
@@ -32,8 +33,8 @@ router.post(
// Get running time entry
router.get('/running', timeTrackingController.getRunningTimeEntry);
// Get all running time entries (for dashboard)
router.get('/running-all', timeTrackingController.getAllRunningTimeEntries);
// Get all running time entries (for dashboard) - admin only
router.get('/running-all', requireAdmin, timeTrackingController.getAllRunningTimeEntries);
// Get all time entries with filters
router.get('/', timeTrackingController.getAllTimeEntries);