fix: Add admin-only protection to sensitive routes

- GET /admin/users now requires admin role - GET /time-tracking/running-all now requires admin role - GET /notes now requires admin role - GET /audit-logs now requires admin role 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-16 08:39:21 +01:00
parent 232b8608e5
commit 2d6198b5f8
4 changed files with 13 additions and 13 deletions
--- a/src/routes/admin.routes.js
+++ b/src/routes/admin.routes.js
@@ -9,18 +9,14 @@ import { z } from 'zod';
 const router = express.Router();

 /**
- * Routes accessible to all authenticated users
+ * All admin routes require authentication and admin role
 */
 router.use(authenticate);
-
-// Zoznam všetkých userov (dostupné pre všetkých autentifikovaných používateľov)
-router.get('/users', adminController.getAllUsers);
-
-/**
- * Admin-only routes
- */
 router.use(requireAdmin);

+// Zoznam všetkých userov (admin only)
+router.get('/users', adminController.getAllUsers);
+
 /**
 * User management
 */
--- a/src/routes/audit.routes.js
+++ b/src/routes/audit.routes.js
@@ -1,9 +1,11 @@
 import { Router } from 'express';
 import { getRecentAuditLogs } from '../controllers/audit.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';

 const router = Router();

-router.get('/', authenticate, getRecentAuditLogs);
+// Audit logs are admin only
+router.get('/', authenticate, requireAdmin, getRecentAuditLogs);

 export default router;
--- a/src/routes/note.routes.js
+++ b/src/routes/note.routes.js
@@ -1,6 +1,7 @@
 import express from 'express';
 import * as noteController from '../controllers/note.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
 import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
 import { createNoteSchema, updateNoteSchema } from '../validators/crm.validators.js';
 import { z } from 'zod';
@@ -14,8 +15,8 @@ router.use(authenticate);
 * Note management
 */

-// Get all notes
-router.get('/', noteController.getAllNotes);
+// Get all notes (admin only - returns all notes system-wide)
+router.get('/', requireAdmin, noteController.getAllNotes);

 // Get my reminders (must be before /:noteId to avoid route conflict)
 router.get('/my-reminders', noteController.getMyReminders);
--- a/src/routes/time-tracking.routes.js
+++ b/src/routes/time-tracking.routes.js
@@ -1,6 +1,7 @@
 import express from 'express';
 import * as timeTrackingController from '../controllers/time-tracking.controller.js';
 import { authenticate } from '../middlewares/auth/authMiddleware.js';
+import { requireAdmin } from '../middlewares/auth/roleMiddleware.js';
 import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
 import {
  startTimeEntrySchema,
@@ -32,8 +33,8 @@ router.post(
 // Get running time entry
 router.get('/running', timeTrackingController.getRunningTimeEntry);

-// Get all running time entries (for dashboard)
-router.get('/running-all', timeTrackingController.getAllRunningTimeEntries);
+// Get all running time entries (for dashboard) - admin only
+router.get('/running-all', requireAdmin, timeTrackingController.getAllRunningTimeEntries);

 // Get all time entries with filters
 router.get('/', timeTrackingController.getAllTimeEntries);