feat: enforce admin-only access for user management routes

2026-01-17 20:06:09 +01:00 · 2026-01-17 20:06:09 +01:00 · ffe4461016
commit ffe4461016
parent 1685df8389
4 changed files with 5 additions and 5 deletions
--- a/routes/deleteRoutes.js
+++ b/routes/deleteRoutes.js
@ -24,7 +24,7 @@ function forceCompanyForAdmin(req, res, next) {
 }
 // DELETE /admin/user/:id (moved from routes/admin.js)
-router.delete('/admin/user/:id', authMiddleware, AdminUserController.deleteUser);
+router.delete('/admin/user/:id', authMiddleware, adminOnly, AdminUserController.deleteUser);
 // DELETE /document-templates/:id (moved from routes/documentTemplates.js)
 router.delete('/document-templates/:id', authMiddleware, DocumentTemplateController.deleteTemplate);
--- a/routes/getRoutes.js
+++ b/routes/getRoutes.js
@ -54,7 +54,7 @@ router.get('/user/status-progress', authMiddleware, UserStatusController.getStat
 router.get('/users/:id/full', authMiddleware, UserController.getFullUserData);
 router.get('/user/settings', authMiddleware, UserSettingsController.getSettings);
 router.get('/users/:id/permissions', authMiddleware, PermissionController.getUserPermissions);
-router.get('/admin/users/:id/full', authMiddleware, AdminUserController.getFullUserAccountDetails);
+router.get('/admin/users/:id/full', authMiddleware, adminOnly, AdminUserController.getFullUserAccountDetails);
 router.get('/admin/users/:id/detailed', authMiddleware, requireAdmin, AdminUserController.getDetailedUserInfo);
 router.get('/users/:id/documents', authMiddleware, UserController.getUserDocumentsAndContracts);
 router.get('/verify-password-reset', (req, res) => { /* Note: was moved from PasswordResetController.verifyPasswordResetToken */ res.status(204).end(); }); // keep placeholder if controller already registered via other verb
--- a/routes/postRoutes.js
+++ b/routes/postRoutes.js
@ -73,8 +73,8 @@ router.post('/profile/personal/complete', authMiddleware, PersonalProfileControl
 router.post('/profile/company/complete', authMiddleware, CompanyProfileController.completeProfile);
 // Admin POSTs (moved from routes/admin.js)
-router.post('/admin/verify-user/:id', authMiddleware, AdminUserController.verifyUser);
+router.post('/admin/verify-user/:id', authMiddleware, adminOnly, AdminUserController.verifyUser);
-router.post('/admin/send-password-reset/:userId', authMiddleware, async (req, res) => {
+router.post('/admin/send-password-reset/:userId', authMiddleware, adminOnly, async (req, res) => {
  const userId = req.params.userId;
  // require here to avoid circular/top-level ordering issues
  const UnitOfWork = require('../database/UnitOfWork');
--- a/routes/putRoutes.js
+++ b/routes/putRoutes.js
@ -17,7 +17,7 @@ function adminOnly(req, res, next) {
 }
 // PUT /admin/users/:id/permissions (moved from routes/admin.js)
-router.put('/admin/users/:id/permissions', authMiddleware, AdminUserController.updateUserPermissions);
+router.put('/admin/users/:id/permissions', authMiddleware, adminOnly, AdminUserController.updateUserPermissions);
 // PUT /document-templates/:id (moved from routes/documentTemplates.js)
 router.put('/document-templates/:id', authMiddleware, upload.single('file'), DocumentTemplateController.updateTemplate);