fix(api): add requireRoleOrSuperUser OR-guard, replace AND-stacking on staff routes

CRITICAL: requireRole("manager") + requireSuperUser() stacked = AND logic, blocking all non-super-user managers from staff CRUD. Added requireRoleOrSuperUser() OR-guard middleware. Staff write routes now use the combined guard: manager role OR super-user flag grants access. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-29 00:38:45 +00:00
parent 1e417eccb1
commit 5f867cd048
2 changed files with 34 additions and 4 deletions
@@ -126,6 +126,37 @@ export function requireRole(
  };
 }

+/**
+ * Middleware that allows access if the staff member has any of the allowed roles OR is a super user.
+ * Use for routes where managers OR super-users should have access.
+ *
+ * @example
+ *   api.on(["POST", "PATCH", "DELETE"], "/staff/*", requireRoleOrSuperUser("manager"));
+ */
+export function requireRoleOrSuperUser(
+  ...allowedRoles: StaffRole[]
+): MiddlewareHandler<AppEnv> {
+  return async (c, next) => {
+    const staffRow = c.get("staff");
+    if (!staffRow) {
+      return c.json({ error: "Forbidden: staff record not resolved" }, 403);
+    }
+    const hasAllowedRole = (allowedRoles as string[]).includes(staffRow.role);
+    if (hasAllowedRole || staffRow.isSuperUser) {
+      await next();
+      return;
+    }
+    return c.json(
+      {
+        error: staffRow.isSuperUser
+          ? `Forbidden: role '${staffRow.role}' is not permitted`
+          : "Forbidden: super user privileges required",
+      },
+      403
+    );
+  };
+}
+
 /**
 * Middleware that enforces the staff member is a super user.
 * Must be applied after resolveStaffMiddleware and (typically) after requireRole.