From 765f8c08d12ceb00967986966e0d0d8cee5a8821 Mon Sep 17 00:00:00 2001
From: juancarmore
Date: Mon, 12 Jan 2026 13:59:59 +0100
Subject: [PATCH] backend: reorder authorization logic for room member access

---
 .../src/middlewares/room-member.middleware.ts | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/meet-ce/backend/src/middlewares/room-member.middleware.ts b/meet-ce/backend/src/middlewares/room-member.middleware.ts
index 7fa64f0d..706d9468 100644
--- a/meet-ce/backend/src/middlewares/room-member.middleware.ts
+++ b/meet-ce/backend/src/middlewares/room-member.middleware.ts
@@ -15,9 +15,9 @@ import { allowAnonymous, AuthValidator, tokenAndRoleValidator, withAuth } from '
 /**
  * Middleware to authorize access to specific room member information.
  *
+ * - If the user is authenticated via room member token, checks if they are accessing their own info.
  * - If the user is a registered user, checks if they have management permissions (admin or owner), or if they are accessing their own member info.
- * - If the user is authenticated via room member token, checks if they are accessing their own info.
  */
 export const authorizeRoomMemberAccess = async (req: Request, res: Response, next: NextFunction) => {
 	const roomId = req.params.roomId as string;
@@ -30,7 +30,20 @@ export const authorizeRoomMemberAccess = async (req: Request, res: Response, nex
 	const forbiddenError = errorInsufficientPermissions();
-	// Scenario 1: Registered User
+	// Scenario 1: Room Member Token
+	if (memberRoomId) {
+		// Check if the token belongs to the requested room
+		if (memberRoomId !== roomId) {
+			return rejectRequestFromMeetError(res, forbiddenError);
+		}
+
+		// Check if the token belongs to the requested member (self access)
+		if (currentMemberId === memberId) {
+			return next();
+		}
+	}
+
+	// Scenario 2: Registered User
 	if (user) {
 		// Allow if user is admin
 		if (user.role === MeetUserRole.ADMIN) {
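Review bot: Moving the room-member-token branch ahead of the registered-user branch is a behaviour change rather than a plain reorder: the early `return rejectRequestFromMeetError(res, forbiddenError)` on `memberRoomId !== roomId` now runs before the admin/owner checks, so a registered admin whose request also carries a member token for a different room is refused where the previous order (user branch first, "Allow if user is admin") let them through. If that fail-closed behaviour is intended it should be stated in the JSDoc rewritten by the first hunk, e.g. `* A member token scoped to a different room is rejected outright, even if the request also carries a registered-user identity.`; if not, the mismatch should fall through to Scenario 2 instead of returning. The self-access test `if (currentMemberId === memberId)` depends on both values being defined — they are extracted above this hunk, outside the view — so if either can be absent (a token without a member id, a route without `:memberId`) `undefined === undefined` would grant access, and `if (currentMemberId && currentMemberId === memberId)` closes that. The diffstat shows only the middleware changed, so a test covering the mixed-credential and missing-id cases would be worth adding. The body of `authorizeRoomMemberAccess` continues past the end of this hunk.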
@@ -51,19 +64,6 @@ export const authorizeRoomMemberAccess = async (req: Request, res: Response, nex
 		}
 	}
-	// Scenario 2: Room Member Token
-	if (memberRoomId) {
-		// Check if the token belongs to the requested room
-		if (memberRoomId !== roomId) {
-			return rejectRequestFromMeetError(res, forbiddenError);
-		}
-
-		// Check if the token belongs to the requested member (self access)
-		if (currentMemberId === memberId) {
-			return next();
-		}
-	}
-
 	return rejectRequestFromMeetError(res, forbiddenError);
 };