From 27e6541425afecce809e8591febbe31630d5d460 Mon Sep 17 00:00:00 2001
From: Tetardtek
Date: Sat, 14 Mar 2026 15:14:03 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20requireAdmin=20r=C3=A9sout=20le=20user?= =?UTF-8?q?=20local=20par=20superOAuthId?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/src/middleware/admin.middleware.ts | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/backend/src/middleware/admin.middleware.ts b/backend/src/middleware/admin.middleware.ts
index 58f0236..72c75fb 100644
--- a/backend/src/middleware/admin.middleware.ts
+++ b/backend/src/middleware/admin.middleware.ts
@@ -1,12 +1,13 @@
 import { Response, NextFunction } from "express";
 import { AppDataSource } from "../config/data-source";
+import { User } from "../entities/User";
 import { UserRole } from "../entities/UserRole";
 import { AuthenticatedRequest } from "./auth.middleware";
 
 /**
  * Middleware requireAdmin — s'exécute APRÈS requireAuth.
- * Charge les rôles de l'utilisateur depuis la DB et vérifie
- * la présence du slug "admin" ou "super_admin".
+ * Résout l'utilisateur local par superOAuthId (req.user.id est l'ID SuperOAuth),
+ * charge ses rôles et vérifie la présence du slug "admin" ou "super_admin".
  * Retourne 403 FORBIDDEN si la condition n'est pas remplie.
  */
 export const requireAdmin = async (
@@ -15,10 +16,17 @@ export const requireAdmin = async (
   next: NextFunction
 ): Promise => {
   try {
-    const userId = req.user.id;
+    const localUser = await AppDataSource.getRepository(User).findOne({
+      where: { superOAuthId: req.user.id },
+    });
+
+    if (!localUser) {
+      res.status(403).json({ success: false, error: "FORBIDDEN" });
+      return;
+    }
     const userRoles = await AppDataSource.getRepository(UserRole).find({
-      where: { userId },
+      where: { userId: localUser.id },
       relations: ["role"],
     });
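Review bot: The rewritten docblock in the first hunk should spell out the new fail-closed path and the precondition it depends on: an authenticated caller whose SuperOAuth id has no local `User` row now gets 403, and the lookup only makes sense if requireAuth has already populated `req.user.id`. That matters because the second hunk (which runs past the end of this excerpt) passes `req.user.id` straight into the `findOne` `where` clause, and a TypeORM filter whose value is undefined is typically dropped rather than treated as "no match" — worth confirming against the ORM version in use, and worth a guard that rejects a missing id before the query. The docblock could also note that the lookup assumes `superOAuthId` is unique on `User`, since `findOne` returns an arbitrary match otherwise; I would add ` * Precondition: requireAuth has set req.user.id (SuperOAuth subject). A subject with no local User row is rejected with 403.`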