add endpoint to safely get company individual settings for non-admin

ticketz-oss · Nov 14, 2024 · d088018 · d088018
1 parent 81959da
commit d088018
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 0 deletions.
diff --git a/backend/src/controllers/SettingController.ts b/backend/src/controllers/SettingController.ts
@@ -6,6 +6,7 @@ import AppError from "../errors/AppError";
 import UpdateSettingService from "../services/SettingServices/UpdateSettingService";
 import ListSettingsService from "../services/SettingServices/ListSettingsService";
 import GetPublicSettingService from "../services/SettingServices/GetPublicSettingService";
+import { GetCompanySettingService } from "../services/SettingServices/GetCompanySettingService";
 
 type LogoRequest = {
   mode: string;
@@ -59,6 +60,17 @@ export const publicShow = async (
   return res.status(200).json(settingValue);
 };
 
+export const companyShow = async (
+  req: Request,
+  res: Response
+): Promise<Response> => {
+  const { settingKey: key } = req.params;
+
+  const settingValue = await GetCompanySettingService({ key, user: req.user });
+
+  return res.status(200).json(settingValue);
+};
+
 export const storeLogo = async (
   req: Request,
   res: Response

diff --git a/backend/src/routes/settingRoutes.ts b/backend/src/routes/settingRoutes.ts
@@ -19,6 +19,12 @@ settingRoutes.get(
   SettingController.publicShow
 );
 
+settingRoutes.get(
+  "/company-settings/:settingKey",
+  isAuth,
+  SettingController.companyShow
+);
+
 // change setting key to key in future
 settingRoutes.put(
   "/settings/:settingKey",

diff --git a/backend/src/services/SettingServices/GetCompanySettingService.ts b/backend/src/services/SettingServices/GetCompanySettingService.ts
@@ -0,0 +1,39 @@
+import AppError from "../../errors/AppError";
+import Setting from "../../models/Setting";
+
+interface Request {
+  key: string;
+  user: {
+    profile: string;
+    companyId: number;
+  };
+}
+
+// keys that can be accessed by non-admin users
+// with respective default values
+const safeSettingsKeys = {
+  groupsTab: "disabled",
+  CheckMsgIsGroup: "disabled"
+};
+
+export const GetCompanySettingService = async ({
+  key,
+  user
+}: Request): Promise<string> => {
+  if (user.profile !== "admin" && !(key in safeSettingsKeys)) {
+    throw new AppError("ERR_NO_PERMISSION", 403);
+  }
+
+  const setting = await Setting.findOne({
+    where: {
+      companyId: user.companyId,
+      key
+    }
+  });
+
+  if (!setting && key in safeSettingsKeys) {
+    return safeSettingsKeys[key];
+  }
+
+  return setting?.value || "";
+};