fix permissions on audit endpoint

2025-12-12 20:35:24 +00:00 · 2025-11-27 09:56:45 -08:00 · 2025-11-27 09:56:45 -08:00 · da3c93e05a
commit da3c93e05a
parent 3863f6dd81
1 changed files with 35 additions and 33 deletions
--- a/packages/web/src/ee/features/audit/actions.ts
+++ b/packages/web/src/ee/features/audit/actions.ts
@ -5,10 +5,11 @@ import { getAuditService } from "@/ee/features/audit/factory";
 import { ErrorCode } from "@/lib/errorCodes";
 import { ServiceError } from "@/lib/serviceError";
 import { prisma } from "@/prisma";
-import { withAuthV2 } from "@/withAuthV2";
+import { withAuthV2, withMinimumOrgRole } from "@/withAuthV2";
 import { createLogger } from "@sourcebot/shared";
 import { StatusCodes } from "http-status-codes";
 import { AuditEvent } from "./types";
 import { OrgRole } from "@sourcebot/db";
 const auditService = getAuditService();
 const logger = createLogger('audit-utils');
@ -25,38 +26,39 @@ export const createAuditAction = async (event: Omit<AuditEvent, 'sourcebotVersio
 );
 export const fetchAuditRecords = async () => sew(() =>
-    withAuthV2(async ({ user, org }) => {
+    withAuthV2(async ({ user, org, role }) =>
-        try {
+        withMinimumOrgRole(role, OrgRole.OWNER, async () => {
-            const auditRecords = await prisma.audit.findMany({
+            try {
-                where: {
+                const auditRecords = await prisma.audit.findMany({
-                    orgId: org.id,
+                    where: {
-                },
+                        orgId: org.id,
-                orderBy: {
+                    },
-                    timestamp: 'desc'
+                    orderBy: {
-                }
+                        timestamp: 'desc'
-            });
+                    }
                });
-            await auditService.createAudit({
+                await auditService.createAudit({
-                action: "audit.fetch",
+                    action: "audit.fetch",
-                actor: {
+                    actor: {
-                    id: user.id,
+                        id: user.id,
-                    type: "user"
+                        type: "user"
-                },
+                    },
-                target: {
+                    target: {
-                    id: org.id.toString(),
+                        id: org.id.toString(),
-                    type: "org"
+                        type: "org"
-                },
+                    },
-                orgId: org.id
+                    orgId: org.id
-            })
+                })
-            return auditRecords;
+                return auditRecords;
-        } catch (error) {
+            } catch (error) {
-            logger.error('Error fetching audit logs', { error });
+                logger.error('Error fetching audit logs', { error });
-            return {
+                return {
-                statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
+                    statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
-                errorCode: ErrorCode.UNEXPECTED_ERROR,
+                    errorCode: ErrorCode.UNEXPECTED_ERROR,
-                message: "Failed to fetch audit logs",
+                    message: "Failed to fetch audit logs",
-            } satisfies ServiceError;
+                } satisfies ServiceError;
-        }
+            }
-    })
+        }))
 );