diff --git a/server/routes/device-groups.js b/server/routes/device-groups.js
index 4053c29..7b210f5 100644
--- a/server/routes/device-groups.js
+++ b/server/routes/device-groups.js
@@ -2,45 +2,69 @@ const express = require('express');
 const router = express.Router();
 const { v4: uuidv4 } = require('uuid');
 const { db } = require('../db/database');
-const { ELEVATED_ROLES } = require('../middleware/auth');
+const { PLATFORM_ROLES, ELEVATED_ROLES } = require('../middleware/auth');
+// Phase 2.2i: workspace-aware access. Same pattern as devices/content/widgets.
+const { accessContext } = require('../lib/tenancy');
 const VALID_COLOR = /^#[0-9A-Fa-f]{6}$/;
 const ALLOWED_COMMANDS = ['screen_on', 'screen_off', 'launch', 'update', 'reboot', 'shutdown'];
-// Verify group belongs to the authenticated user
-function requireGroupOwnership(req, res, next) {
- const group = db.prepare('SELECT * FROM device_groups WHERE id = ? AND user_id = ?').get(req.params.id, req.user.id);
- if (!group) return res.status(404).json({ error: 'group not found' });
- req.group = group;
+// Phase 2.2i: split read/write access checks. Both attach req.group on success.
+function loadGroupAccessCtx(req, res) {
+ const group = db.prepare('SELECT * FROM device_groups WHERE id = ?').get(req.params.id);
+ if (!group) { res.status(404).json({ error: 'group not found' }); return null; }
+ if (!group.workspace_id) { res.status(403).json({ error: 'Group not assigned to a workspace' }); return null; }
+ const ws = db.prepare('SELECT * FROM workspaces WHERE id = ?').get(group.workspace_id);
+ const ctx = ws && accessContext(req.user.id, req.user.role, ws);
+ if (!ctx) { res.status(403).json({ error: 'Access denied' }); return null; }
+ return { group, ctx };
+}
+
+function requireGroupRead(req, res, next) {
+ const access = loadGroupAccessCtx(req, res);
+ if (!access) return;
+ req.group = access.group;
+ next();
 }
-// List groups
+function requireGroupWrite(req, res, next) {
+ const access = loadGroupAccessCtx(req, res);
+ if (!access) return;
+ if (!access.ctx.actingAs && access.ctx.workspaceRole === 'workspace_viewer') {
+ return res.status(403).json({ error: 'Read-only access' });
+ }
+ req.group = access.group;
+ next();
+}
+
+// List groups in the caller's current workspace.
 router.get('/', (req, res) => {
+ if (!req.workspaceId) return res.json([]);
 const groups = db.prepare(`
 SELECT g.*, COUNT(dgm.device_id) as device_count
 FROM device_groups g
 LEFT JOIN device_group_members dgm ON g.id = dgm.group_id
- WHERE g.user_id = ?
+ WHERE g.workspace_id = ?
 GROUP BY g.id
 ORDER BY g.name ASC
- `).all(req.user.id);
+ `).all(req.workspaceId);
 res.json(groups);
 });
-// Create group
+// Create group in the caller's current workspace.
 router.post('/', (req, res) => {
+ if (!req.workspaceId) return res.status(403).json({ error: 'No workspace context. Switch to a workspace before creating groups.' });
 const { name, color } = req.body;
 if (!name) return res.status(400).json({ error: 'name required' });
 if (color && !VALID_COLOR.test(color)) return res.status(400).json({ error: 'invalid color format, use #RRGGBB' });
 const id = uuidv4();
- db.prepare('INSERT INTO device_groups (id, user_id, name, color) VALUES (?, ?, ?, ?)')
- .run(id, req.user.id, name, color || '#3B82F6');
+ db.prepare('INSERT INTO device_groups (id, user_id, workspace_id, name, color) VALUES (?, ?, ?, ?, ?)')
+ .run(id, req.user.id, req.workspaceId, name, color || '#3B82F6');
 res.status(201).json(db.prepare('SELECT * FROM device_groups WHERE id = ?').get(id));
 });
 // Update group
-router.put('/:id', requireGroupOwnership, (req, res) => {
+router.put('/:id', requireGroupWrite, (req, res) => {
 const { name, color } = req.body;
 if (color && !VALID_COLOR.test(color)) return res.status(400).json({ error: 'invalid color format, use #RRGGBB' });
 if (name) db.prepare('UPDATE device_groups SET name = ? WHERE id = ?').run(name, req.params.id);
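Review bot: loadGroupAccessCtx answers 404 for an unknown group id but 403 (`Access denied` / `Group not assigned to a workspace`) for a group the caller cannot reach, so a caller in one workspace can confirm that a group id exists in another; returning the same `group not found` 404 on all three failure paths stops the gate from doubling as a cross-workspace existence check, e.g. `if (!group || !group.workspace_id) { res.status(404).json({ error: 'group not found' }); return null; }` and the same status when `ctx` is falsy. Separately, `PLATFORM_ROLES` is added to the `require('../middleware/auth')` line but is not referenced in any hunk of this diff; if nothing else in the file uses it, drop it. The list and create handlers both key on `req.workspaceId`, which is set outside this file, so whichever middleware populates it is now part of this file's access control.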
@@ -49,7 +73,7 @@ router.put('/:id', requireGroupOwnership, (req, res) => {
 });
 // Delete group — converts group schedules to per-device schedules first
-router.delete('/:id', requireGroupOwnership, (req, res) => {
+router.delete('/:id', requireGroupWrite, (req, res) => {
 const groupId = req.params.id;
 const convert = db.transaction(() => {
@@ -98,7 +122,7 @@ router.delete('/:id', requireGroupOwnership, (req, res) => {
 });
 // Get devices in a group
-router.get('/:id/devices', requireGroupOwnership, (req, res) => {
+router.get('/:id/devices', requireGroupRead, (req, res) => {
 const devices = db.prepare(`
 SELECT d.* FROM devices d JOIN device_group_members dgm ON d.id = dgm.device_id
@@ -113,13 +137,18 @@ router.get('/:id/devices', requireGroupOwnership, (req, res) => {
 // onto the group section and for the Manage modal's checkboxes, which both
 // hit this endpoint. Without this, joining a group never auto-assigned the
 // group's playlist, leaving the new device on whatever it had before.
-router.post('/:id/devices', requireGroupOwnership, (req, res) => {
+//
+// Phase 2.2i: closes a pre-existing cross-tenant leak. Today the gate only
+// checked device.user_id == caller; a workspace_admin who happened to own a
+// device in another workspace could add it to a group in this workspace.
+// Now: the device must belong to the same workspace as the group.
+router.post('/:id/devices', requireGroupWrite, (req, res) => {
 const { device_id } = req.body;
 if (!device_id) return res.status(400).json({ error: 'device_id required' });
- const device = db.prepare('SELECT user_id FROM devices WHERE id = ?').get(device_id);
+ const device = db.prepare('SELECT workspace_id FROM devices WHERE id = ?').get(device_id);
 if (!device) return res.status(404).json({ error: 'Device not found' });
- if (!ELEVATED_ROLES.includes(req.user.role) && device.user_id && device.user_id !== req.user.id) {
- return res.status(403).json({ error: 'Access denied' });
+ if (device.workspace_id !== req.group.workspace_id) {
+ return res.status(403).json({ error: 'Device is not in this group\'s workspace' });
 }
 try {
 db.prepare('INSERT OR IGNORE INTO device_group_members (device_id, group_id) VALUES (?, ?)').run(device_id, req.params.id);
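Review bot: The rewritten gate removes the only use of `ELEVATED_ROLES` visible in this diff; if no other reference remains in the file, the name in the `require('../middleware/auth')` line on the first hunk is dead and should go. The new comparison is strict in the right direction — a device whose `workspace_id` is NULL fails `device.workspace_id !== req.group.workspace_id` and is rejected — and that is worth stating in the comment so a later edit does not relax it to the truthy form used by the assign-content gate: `// A device with no workspace_id is rejected too: strict comparison on purpose.` The `Today the gate only checked …` wording will read as stale once merged; `Before 2.2i the gate only checked …` ages correctly (same for the assign-content and assign-playlist comments).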
@@ -145,7 +174,7 @@ router.post('/:id/devices', requireGroupOwnership, (req, res) => {
 // - Remaining group(s) but none have a playlist → clear playlist.
 // Without this, a device dragged out of a group keeps stale playlist state
 // from the group it just left.
-router.delete('/:id/devices/:deviceId', requireGroupOwnership, (req, res) => {
+router.delete('/:id/devices/:deviceId', requireGroupWrite, (req, res) => {
 const deviceId = req.params.deviceId;
 db.prepare('DELETE FROM device_group_members WHERE device_id = ? AND group_id = ?').run(deviceId, req.params.id);
@@ -163,13 +192,16 @@ router.delete('/:id/devices/:deviceId', requireGroupOwnership, (req, res) => {
 res.json({ success: true });
 });
-// Ensure a device has a playlist; auto-create one if missing
+// Ensure a device has a playlist; auto-create one if missing.
+// Phase 2.2i: pre-emptive loop-closer for the future playlists.js migration.
+// The auto-created playlist lives in the same workspace as the device, so
+// once playlists.js scopes by workspace_id this helper's rows remain visible.
 function ensureDevicePlaylist(deviceId, userId) {
- const device = db.prepare('SELECT playlist_id, name FROM devices WHERE id = ?').get(deviceId);
+ const device = db.prepare('SELECT playlist_id, workspace_id, name FROM devices WHERE id = ?').get(deviceId);
 if (device?.playlist_id) return device.playlist_id;
 const playlistId = uuidv4();
- db.prepare('INSERT INTO playlists (id, user_id, name, is_auto_generated) VALUES (?, ?, ?, 1)')
- .run(playlistId, userId, `${device?.name || 'Display'} playlist`);
+ db.prepare('INSERT INTO playlists (id, user_id, workspace_id, name, is_auto_generated) VALUES (?, ?, ?, ?, 1)')
+ .run(playlistId, userId, device?.workspace_id || null, `${device?.name || 'Display'} playlist`);
 db.prepare('UPDATE devices SET playlist_id = ? WHERE id = ?').run(playlistId, deviceId);
 return playlistId;
 }
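Review bot: `device?.workspace_id || null` in ensureDevicePlaylist writes a playlist with no workspace whenever the device row is missing or has no `workspace_id`, and the assign-playlist gate later in this diff skips its workspace comparison exactly when `playlist.workspace_id` is NULL, so those rows become assignable from any workspace. When `device` is undefined the function also still inserts a playlist and runs `UPDATE devices` for an id that does not exist (pre-existing, via the `device?.` chain), which is the case that produces the tenant-less row. Failing fast keeps the invariant the new comment promises: `if (!device) throw new Error(\`ensureDevicePlaylist: device ${deviceId} not found\`);` after the SELECT, then `device.workspace_id` without the `|| null` fallback. The callers are outside this hunk, so confirm none depend on the silent path before changing it.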
@@ -190,14 +222,22 @@ function pushPlaylistToDevice(req, deviceId) {
 } catch (e) { /* silent */ }
 }
-// Bulk assign content to all devices in a group (adds to each device's playlist)
-router.post('/:id/assign-content', requireGroupOwnership, (req, res) => {
+// Bulk assign content to all devices in a group (adds to each device's playlist).
+// Phase 2.2i: closes a pre-existing cross-tenant leak. Today the gate only
+// checked content.user_id == caller; the content could live in any workspace
+// the caller had any reach into. Now: content must live in the group's
+// workspace (or be a platform-template content row, workspace_id IS NULL).
+router.post('/:id/assign-content', requireGroupWrite, (req, res) => {
 const { content_id, duration_sec } = req.body;
 if (!content_id) return res.status(400).json({ error: 'content_id required' });
- // Verify content belongs to the user
- const content = db.prepare('SELECT id FROM content WHERE id = ? AND user_id = ?').get(content_id, req.user.id);
+ // Verify content lives in the same workspace as the group (or is a
+ // platform-template row).
+ const content = db.prepare('SELECT id, workspace_id FROM content WHERE id = ?').get(content_id);
 if (!content) return res.status(404).json({ error: 'Content not found' });
+ if (content.workspace_id && content.workspace_id !== req.group.workspace_id) {
+ return res.status(403).json({ error: 'Content is not in this group\'s workspace' });
+ }
 const members = db.prepare('SELECT device_id FROM device_group_members WHERE group_id = ?').all(req.params.id);
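Review bot: The new gate infers "platform template" from `content.workspace_id` being NULL, so the leak is only closed if every tenant-owned content row was backfilled with a workspace when the column was added; any row the migration left NULL, or one written by a create path not yet updated, is assignable from every workspace. The migration is not in this diff, so confirm it backfills, and say so where the rule is encoded: `// Relies on the workspace_id migration backfilling every tenant row; only true templates may be NULL.` If templates are identifiable by something stronger than NULL (a flag or a dedicated owner), selecting that column and checking it here would remove the dependency on the backfill. `req.group.workspace_id` is guaranteed non-null by loadGroupAccessCtx, so the comparison itself is sound.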
@@ -217,12 +257,22 @@ router.post('/:id/assign-content', requireGroupOwnership, (req, res) => {
 // Assign an existing playlist to all devices in a group, and persist the
 // choice on the group itself so future joiners inherit it (see POST /:id/devices).
-router.post('/:id/assign-playlist', requireGroupOwnership, (req, res) => {
+//
+// Phase 2.2i: closes a pre-existing cross-tenant leak. Today the gate only
+// checked playlist.user_id == caller; the playlist could live in any
+// workspace the caller could reach. Now: playlist must live in the group's
+// workspace. Playlists don't currently have a NULL/template path - playlists.js
+// migration is deferred, so this check uses the raw workspace_id column that
+// 2.2i's ensureDevicePlaylist loop-closer also writes to.
+router.post('/:id/assign-playlist', requireGroupWrite, (req, res) => {
 const { playlist_id } = req.body;
 if (!playlist_id) return res.status(400).json({ error: 'playlist_id required' });
- const playlist = db.prepare('SELECT id FROM playlists WHERE id = ? AND user_id = ?').get(playlist_id, req.user.id);
+ const playlist = db.prepare('SELECT id, workspace_id FROM playlists WHERE id = ?').get(playlist_id);
 if (!playlist) return res.status(404).json({ error: 'Playlist not found' });
+ if (playlist.workspace_id && playlist.workspace_id !== req.group.workspace_id) {
+ return res.status(403).json({ error: 'Playlist is not in this group\'s workspace' });
+ }
 const members = db.prepare('SELECT device_id FROM device_group_members WHERE group_id = ?').all(req.params.id);
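Review bot: The comment states playlists have no NULL/template path, yet `if (playlist.workspace_id && playlist.workspace_id !== req.group.workspace_id)` admits any playlist whose `workspace_id` is NULL — presumably every playlist that predates the column until playlists.js is migrated, plus the rows ensureDevicePlaylist writes with `device?.workspace_id || null`. Those rows are assignable from any workspace, so for legacy playlists the cross-tenant leak this hunk says it closes stays open, and the old `user_id` ownership check that used to cover them is gone. Given the stated invariant, drop the truthy guard: `if (playlist.workspace_id !== req.group.workspace_id) {` — a NULL-workspace playlist is then refused, which is the safe default; if legacy rows must remain usable until the migration, select `user_id` as well and apply the previous owner comparison to NULL rows instead of waving them through.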
@@ -237,8 +287,8 @@ router.post('/:id/assign-playlist', requireGroupOwnership, (req, res) => {
 res.json({ success: true, devices_updated: members.length });
 });
-// Send command to all devices in a group
-router.post('/:id/command', requireGroupOwnership, (req, res) => {
+// Send command to all devices in a group (reboot/shutdown/screen on/off etc.)
+router.post('/:id/command', requireGroupWrite, (req, res) => {
 const { type, payload } = req.body;
 if (!type) return res.status(400).json({ error: 'command type required' });
 if (!ALLOWED_COMMANDS.includes(type)) return res.status(400).json({ error: 'invalid command type' });
diff --git a/server/routes/status.js b/server/routes/status.js
index c3349de..505d0e4 100644
--- a/server/routes/status.js
+++ b/server/routes/status.js
@@ -421,7 +421,7 @@ router.post('/import', importUpload.single('file'), async (req, res) => {
 for (const g of (data.device_groups || [])) {
 const newId = uuid.v4();
 idMap.groups[g.id] = newId;
- db.prepare(`INSERT INTO device_groups (id, user_id, name, color, created_at) VALUES (?, ?, ?, ?, ?)`).run(newId, userId, g.name, g.color || '#3B82F6', g.created_at || Math.floor(Date.now() / 1000));
+ db.prepare(`INSERT INTO device_groups (id, user_id, workspace_id, name, color, created_at) VALUES (?, ?, ?, ?, ?, ?)`).run(newId, userId, workspaceId, g.name, g.color || '#3B82F6', g.created_at || Math.floor(Date.now() / 1000));
 stats.device_groups++;
 }
 for (const gm of (data.device_group_members || [])) {
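Review bot: The status.js import hunk now stores `workspaceId` on every restored group, but that name is defined outside the hunk and nothing visible guarantees it is non-null; a group with a NULL `workspace_id` is filtered out by the workspace-scoped `GET /` in device-groups.js and refused with 403 by loadGroupAccessCtx, so an import run without a workspace context would create rows nobody can list or manage. If `workspaceId` is derived from `req.workspaceId`, reject the import up front the way `POST /` in device-groups.js does, before any of the insert loops: `if (!workspaceId) return res.status(403).json({ error: 'No workspace context. Switch to a workspace before importing.' });` (message wording constructed here). The `/import` handler starts and ends outside this hunk, so the right place for the check is not visible in this diff.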