Display a 403 error page when a non-admin user try to access the user…

… list view or the user-groups list view
intuitem · Apr 11, 2024 · 71661df · 71661df
1 parent 52e25d4
commit 71661df
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/frontend/src/lib/components/SideBar/navData.ts b/frontend/src/lib/components/SideBar/navData.ts
@@ -190,3 +190,10 @@ export const navData = {
 		}
 	]
 };
+
+export const modelNavData = navData.items.reduce((acc, navMenu) => {
+	return [...acc,...navMenu.items];
+}, []).reduce((acc, item) => {
+	acc[item.href.substring(1)] = item;
+	return acc;
+}, {});
diff --git a/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts b/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts
@@ -1,12 +1,24 @@
 import { BASE_API_URL } from '$lib/utils/constants';
 import { listViewFields } from '$lib/utils/table';
 import { tableSourceMapper, type TableSource } from '@skeletonlabs/skeleton';
-
+import { modelNavData } from '$lib/components/SideBar/navData';
+import { error } from '@sveltejs/kit';
 import { CUSTOM_MODEL_FETCH_MAP } from '$lib/utils/crud';
 import type { urlModel } from '$lib/utils/types';
 import type { LayoutServerLoad } from './$types';
 
-export const load = (async ({ fetch, params }) => {
+export const load = (async ({ fetch, params, locals }) => {
+	const modelData = modelNavData[params.model];
+
+	if (locals.user && modelData.user_groups) {
+		const user_groups = new Set(locals.user.user_groups.map(user_group => user_group[0]));
+		if (!modelData.user_groups.some(
+			user_group => user_groups.has(user_group)
+		)) {
+			return error(403, "You are not allowed to access this page.");
+		}
+	}
+
 	let data = null;
 	if (Object.prototype.hasOwnProperty.call(CUSTOM_MODEL_FETCH_MAP, params.model)) {
 		const fetch_function = CUSTOM_MODEL_FETCH_MAP[params.model];