unregister global HasPermissionGuard and apply inline using UseGuard()

2 years ago · 93763deeeb
16 changed files with 58 additions and 47 deletions
--- a/apps/api/src/app/access/access.controller.ts
+++ b/apps/api/src/app/access/access.controller.ts
@ -20,6 +20,7 @@ import { StatusCodes, getReasonPhrase } from 'http-status-codes';
 import { AccessService } from './access.service';
 import { CreateAccessDto } from './create-access.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('access')
 export class AccessController {
@ -59,7 +60,7 @@ export class AccessController {
  }

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createAccess)
  public async createAccess(
    @Body() data: CreateAccessDto
@ -74,7 +75,7 @@ export class AccessController {
  }

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteAccess)
  public async deleteAccess(@Param('id') id: string): Promise<AccessModel> {
    const access = await this.accessService.access({ id });
--- a/apps/api/src/app/account-balance/account-balance.controller.ts
+++ b/apps/api/src/app/account-balance/account-balance.controller.ts
@ -14,6 +14,7 @@ import { StatusCodes, getReasonPhrase } from 'http-status-codes';
 import { AccountBalance } from '@prisma/client';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
 import { AccountBalanceService } from './account-balance.service';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('account-balance')
 export class AccountBalanceController {
@ -23,7 +24,7 @@ export class AccountBalanceController {
  ) {}

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteAccountBalance)
  public async deleteAccountBalance(
    @Param('id') id: string
--- a/apps/api/src/app/account/account.controller.ts
+++ b/apps/api/src/app/account/account.controller.ts
@ -36,6 +36,7 @@ import { CreateAccountDto } from './create-account.dto';
 import { TransferBalanceDto } from './transfer-balance.dto';
 import { UpdateAccountDto } from './update-account.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('account')
 export class AccountController {
@ -48,7 +49,7 @@ export class AccountController {
  ) {}

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteAccount)
  public async deleteAccount(@Param('id') id: string): Promise<AccountModel> {
    const account = await this.accountService.accountWithOrders(
@ -127,7 +128,7 @@ export class AccountController {
  }

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createAccount)
  public async createAccount(
    @Body() data: CreateAccountDto
@ -158,7 +159,7 @@ export class AccountController {
  }

  @Post('transfer-balance')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.updateAccount)
  public async transferAccountBalance(
    @Body() { accountIdFrom, accountIdTo, balance }: TransferBalanceDto
@ -212,7 +213,7 @@ export class AccountController {
  }

  @Put(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.updateAccount)
  public async update(@Param('id') id: string, @Body() data: UpdateAccountDto) {
    const originalAccount = await this.accountService.account({
--- a/apps/api/src/app/admin/admin.controller.ts
+++ b/apps/api/src/app/admin/admin.controller.ts
@ -48,6 +48,7 @@ import { UpdateAssetProfileDto } from './update-asset-profile.dto';
 import { UpdateBulkMarketDataDto } from './update-bulk-market-data.dto';
 import { UpdateMarketDataDto } from './update-market-data.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('admin')
 export class AdminController {
@ -60,21 +61,21 @@ export class AdminController {
  ) {}

  @Get()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async getAdminData(): Promise<AdminData> {
    return this.adminService.get();
  }

  @Post('gather')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gather7Days(): Promise<void> {
    this.dataGatheringService.gather7Days();
  }

  @Post('gather/max')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gatherMax(): Promise<void> {
    const uniqueAssets = await this.dataGatheringService.getUniqueAssets();
@ -99,7 +100,7 @@ export class AdminController {
  }

  @Post('gather/profile-data')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gatherProfileData(): Promise<void> {
    const uniqueAssets = await this.dataGatheringService.getUniqueAssets();
@ -122,7 +123,7 @@ export class AdminController {
  }

  @Post('gather/profile-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gatherProfileDataForSymbol(
    @Param('dataSource') dataSource: DataSource,
@ -142,7 +143,7 @@ export class AdminController {
  }

  @Post('gather/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gatherSymbol(
    @Param('dataSource') dataSource: DataSource,
@ -154,7 +155,7 @@ export class AdminController {
  }

  @Post('gather/:dataSource/:symbol/:dateString')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async gatherSymbolForDate(
    @Param('dataSource') dataSource: DataSource,
@ -178,7 +179,7 @@ export class AdminController {
  }

  @Get('market-data')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async getMarketData(
    @Query('assetSubClasses') filterByAssetSubClasses?: string,
@ -205,7 +206,7 @@ export class AdminController {
  }

  @Get('market-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async getMarketDataBySymbol(
    @Param('dataSource') dataSource: DataSource,
@ -215,7 +216,7 @@ export class AdminController {
  }

  @Post('market-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async updateMarketData(
    @Body() data: UpdateBulkMarketDataDto,
@ -241,7 +242,7 @@ export class AdminController {
   * @deprecated
   */
  @Put('market-data/:dataSource/:symbol/:dateString')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async update(
    @Param('dataSource') dataSource: DataSource,
@ -264,7 +265,7 @@ export class AdminController {
  }

  @Post('profile-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  @UseInterceptors(TransformDataSourceInRequestInterceptor)
  public async addProfileData(
@ -279,7 +280,7 @@ export class AdminController {
  }

  @Delete('profile-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async deleteProfileData(
    @Param('dataSource') dataSource: DataSource,
@ -289,7 +290,7 @@ export class AdminController {
  }

  @Patch('profile-data/:dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async patchAssetProfileData(
    @Body() assetProfileData: UpdateAssetProfileDto,
@ -304,7 +305,7 @@ export class AdminController {
  }

  @Put('settings/:key')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async updateProperty(
    @Param('key') key: string,
--- a/apps/api/src/app/admin/queue/queue.controller.ts
+++ b/apps/api/src/app/admin/queue/queue.controller.ts
@ -13,13 +13,14 @@ import { JobStatus } from 'bull';

 import { QueueService } from './queue.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('admin/queue')
 export class QueueController {
  public constructor(private readonly queueService: QueueService) {}

  @Delete('job')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async deleteJobs(
    @Query('status') filterByStatus?: string
@ -29,7 +30,7 @@ export class QueueController {
  }

  @Get('job')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async getJobs(
    @Query('status') filterByStatus?: string
@ -39,7 +40,7 @@ export class QueueController {
  }

  @Delete('job/:id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async deleteJob(@Param('id') id: string): Promise<void> {
    return this.queueService.deleteJob(id);
--- a/apps/api/src/app/app.module.ts
+++ b/apps/api/src/app/app.module.ts
@ -109,12 +109,6 @@ import { HasPermissionGuard } from '../guards/has-permission.guard';
    UserModule
  ],
  controllers: [AppController],
-  providers: [
-    CronService,
-    {
-      provide: APP_GUARD,
-      useClass: HasPermissionGuard
-    }
-  ]
+  providers: [CronService]
 })
 export class AppModule {}
--- a/apps/api/src/app/auth-device/auth-device.controller.ts
+++ b/apps/api/src/app/auth-device/auth-device.controller.ts
@ -1,5 +1,6 @@
 import { AuthDeviceService } from '@ghostfolio/api/app/auth-device/auth-device.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';
 import { permissions } from '@ghostfolio/common/permissions';
 import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
 import { AuthGuard } from '@nestjs/passport';
@ -9,7 +10,7 @@ export class AuthDeviceController {
  public constructor(private readonly authDeviceService: AuthDeviceService) {}

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteAuthDevice)
  public async deleteAuthDevice(@Param('id') id: string): Promise<void> {
    await this.authDeviceService.deleteAuthDevice({ id });
--- a/apps/api/src/app/benchmark/benchmark.controller.ts
+++ b/apps/api/src/app/benchmark/benchmark.controller.ts
@ -24,13 +24,14 @@ import { StatusCodes, getReasonPhrase } from 'http-status-codes';

 import { BenchmarkService } from './benchmark.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('benchmark')
 export class BenchmarkController {
  public constructor(private readonly benchmarkService: BenchmarkService) {}

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async addBenchmark(@Body() { dataSource, symbol }: UniqueAsset) {
    try {
@ -56,7 +57,7 @@ export class BenchmarkController {
  }

  @Delete(':dataSource/:symbol')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async deleteBenchmark(
    @Param('dataSource') dataSource: DataSource,
--- a/apps/api/src/app/cache/cache.controller.ts
+++ b/apps/api/src/app/cache/cache.controller.ts
@ -1,5 +1,6 @@
 import { RedisCacheService } from '@ghostfolio/api/app/redis-cache/redis-cache.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';
 import { permissions } from '@ghostfolio/common/permissions';
 import { Controller, Post, UseGuards } from '@nestjs/common';
 import { AuthGuard } from '@nestjs/passport';
@ -9,7 +10,7 @@ export class CacheController {
  public constructor(private readonly redisCacheService: RedisCacheService) {}

  @Post('flush')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.accessAdminControl)
  public async flushCache(): Promise<void> {
    return this.redisCacheService.reset();
--- a/apps/api/src/app/export/export.controller.ts
+++ b/apps/api/src/app/export/export.controller.ts
@ -5,6 +5,7 @@ import { REQUEST } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';

 import { ExportService } from './export.service';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('export')
 export class ExportController {
--- a/apps/api/src/app/import/import.controller.ts
+++ b/apps/api/src/app/import/import.controller.ts
@ -25,6 +25,7 @@ import { StatusCodes, getReasonPhrase } from 'http-status-codes';
 import { ImportDataDto } from './import-data.dto';
 import { ImportService } from './import.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('import')
 export class ImportController {
@ -35,7 +36,7 @@ export class ImportController {
  ) {}

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createOrder)
  @UseInterceptors(TransformDataSourceInRequestInterceptor)
  @UseInterceptors(TransformDataSourceInResponseInterceptor)
--- a/apps/api/src/app/order/order.controller.ts
+++ b/apps/api/src/app/order/order.controller.ts
@ -33,6 +33,7 @@ import { Activities } from './interfaces/activities.interface';
 import { OrderService } from './order.service';
 import { UpdateOrderDto } from './update-order.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('order')
 export class OrderController {
@ -45,7 +46,7 @@ export class OrderController {
  ) {}

  @Delete()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteOrder)
  public async deleteOrders(): Promise<number> {
    return this.orderService.deleteOrders({
@ -114,7 +115,7 @@ export class OrderController {
  }

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createOrder)
  @UseInterceptors(TransformDataSourceInRequestInterceptor)
  public async createOrder(@Body() data: CreateOrderDto): Promise<OrderModel> {
@ -156,7 +157,7 @@ export class OrderController {
  }

  @Put(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.updateOrder)
  @UseInterceptors(TransformDataSourceInRequestInterceptor)
  public async update(@Param('id') id: string, @Body() data: UpdateOrderDto) {
--- a/apps/api/src/app/platform/platform.controller.ts
+++ b/apps/api/src/app/platform/platform.controller.ts
@ -18,6 +18,7 @@ import { CreatePlatformDto } from './create-platform.dto';
 import { PlatformService } from './platform.service';
 import { UpdatePlatformDto } from './update-platform.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('platform')
 export class PlatformController {
@ -30,7 +31,7 @@ export class PlatformController {
  }

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createPlatform)
  public async createPlatform(
    @Body() data: CreatePlatformDto
@ -39,7 +40,7 @@ export class PlatformController {
  }

  @Put(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.updatePlatform)
  public async updatePlatform(
    @Param('id') id: string,
@ -67,7 +68,7 @@ export class PlatformController {
  }

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deletePlatform)
  public async deletePlatform(@Param('id') id: string) {
    const originalPlatform = await this.platformService.getPlatform({
--- a/apps/api/src/app/tag/tag.controller.ts
+++ b/apps/api/src/app/tag/tag.controller.ts
@ -18,6 +18,7 @@ import { CreateTagDto } from './create-tag.dto';
 import { TagService } from './tag.service';
 import { UpdateTagDto } from './update-tag.dto';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('tag')
 export class TagController {
@ -30,14 +31,14 @@ export class TagController {
  }

  @Post()
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.createTag)
  public async createTag(@Body() data: CreateTagDto): Promise<Tag> {
    return this.tagService.createTag(data);
  }

  @Put(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.updateTag)
  public async updateTag(@Param('id') id: string, @Body() data: UpdateTagDto) {
    const originalTag = await this.tagService.getTag({
@ -62,7 +63,7 @@ export class TagController {
  }

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteTag)
  public async deleteTag(@Param('id') id: string) {
    const originalTag = await this.tagService.getTag({
--- a/apps/api/src/app/user/user.controller.ts
+++ b/apps/api/src/app/user/user.controller.ts
@ -26,6 +26,7 @@ import { UserItem } from './interfaces/user-item.interface';
 import { UpdateUserSettingDto } from './update-user-setting.dto';
 import { UserService } from './user.service';
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
+import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';

@Controller('user')
 export class UserController {
@ -37,7 +38,7 @@ export class UserController {
  ) {}

  @Delete(':id')
-  @UseGuards(AuthGuard('jwt'))
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  @HasPermission(permissions.deleteUser)
  public async deleteUser(@Param('id') id: string): Promise<UserModel> {
    if (id === this.request.user.id) {
--- a/apps/api/src/guards/has-permission.guard.ts
+++ b/apps/api/src/guards/has-permission.guard.ts
@ -20,6 +20,9 @@ export class HasPermissionGuard implements CanActivate {
      context.getHandler()
    );

+    console.log('requiredPermission', requiredPermission);
+    console.log('user', user);
+
    if (!requiredPermission) {
      return true; // No specific permissions required
    }