jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
04eb21a7d3c9f2e5e5ff1b77551ddfea531f921b
cve-dashboard/backend/routes/archerTickets.js

270 lines
9.0 KiB
JavaScript
Raw Normal View History

added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
// routes/archerTickets.js
const express = require('express');
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
const pool = require('../db');
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
const { requireAuth, requireGroup } = require('../middleware/auth');
Add Archer Risk Acceptance Tickets feature - Add archer_tickets table with EXC number, Archer URL, status, CVE, and vendor - Create backend routes for CRUD operations on Archer tickets - Add right panel section displaying active Archer tickets - Implement modals for creating and editing Archer tickets - Validate EXC number format (EXC-XXXX) - Support statuses: Draft, Open, Under Review, Accepted - Purple theme (#8B5CF6) to distinguish from JIRA tickets - Role-based access control for create/edit/delete operations Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 15:07:07 -07:00
const logAudit = require('../helpers/auditLog');
// Validation helpers
const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
function isValidCveId(cveId) {
return typeof cveId === 'string' && CVE_ID_PATTERN.test(cveId);
}
function isValidVendor(vendor) {
return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200;
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
function createArcherTicketsRouter() {
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
const router = express.Router();
// Get all Archer tickets (with optional filters)
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
router.get('/', requireAuth(), async (req, res) => {
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
const { cve_id, vendor, status } = req.query;
let query = 'SELECT * FROM archer_tickets WHERE 1=1';
const params = [];
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
let paramIndex = 1;
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
if (cve_id) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
query += ` AND cve_id = $${paramIndex++}`;
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(cve_id);
}
if (vendor) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
query += ` AND vendor = $${paramIndex++}`;
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(vendor);
}
if (status) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
query += ` AND status = $${paramIndex++}`;
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(status);
}
query += ' ORDER BY created_at DESC';
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
try {
const { rows } = await pool.query(query, params);
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
res.json(rows);
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
} catch (err) {
console.error('Error fetching Archer tickets:', err);
res.status(500).json({ error: 'Internal server error.' });
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
});
// Create Archer ticket
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
router.post('/', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
const { exc_number, archer_url, status, cve_id, vendor } = req.body;
// Validation
if (!exc_number || typeof exc_number !== 'string' || exc_number.trim().length === 0) {
return res.status(400).json({ error: 'EXC number is required.' });
}
if (!/^EXC-\d+$/.test(exc_number.trim())) {
return res.status(400).json({ error: 'EXC number must be in format EXC-XXXX (e.g., EXC-5754).' });
}
if (!cve_id || !isValidCveId(cve_id)) {
return res.status(400).json({ error: 'Valid CVE ID is required.' });
}
if (!vendor || !isValidVendor(vendor)) {
return res.status(400).json({ error: 'Valid vendor is required.' });
}
if (archer_url && (typeof archer_url !== 'string' || archer_url.length > 500)) {
return res.status(400).json({ error: 'Archer URL must be under 500 characters.' });
}
if (status && !['Draft', 'Open', 'Under Review', 'Accepted'].includes(status)) {
return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' });
}
const validatedStatus = status || 'Draft';
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
try {
const { rows } = await pool.query(
`INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor, created_by)
VALUES ($1, $2, $3, $4, $5, $6)
RETURNING id`,
[exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor, req.user.id]
);
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
logAudit({
userId: req.user.id,
action: 'CREATE_ARCHER_TICKET',
entityType: 'archer_ticket',
entityId: String(rows[0].id),
details: { exc_number, archer_url, status: validatedStatus, cve_id, vendor },
ipAddress: req.ip
});
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
res.status(201).json({
id: rows[0].id,
message: 'Archer ticket created successfully'
});
} catch (err) {
console.error('Error creating Archer ticket:', err);
if (err.code === '23505') {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
}
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
res.status(500).json({ error: 'Internal server error.' });
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
});
// Update Archer ticket
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
router.put('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
const { id } = req.params;
const { exc_number, archer_url, status } = req.body;
// Validation
if (exc_number !== undefined) {
if (typeof exc_number !== 'string' || exc_number.trim().length === 0) {
return res.status(400).json({ error: 'EXC number cannot be empty.' });
}
if (!/^EXC-\d+$/.test(exc_number.trim())) {
return res.status(400).json({ error: 'EXC number must be in format EXC-XXXX (e.g., EXC-5754).' });
}
}
if (archer_url !== undefined && archer_url !== null && (typeof archer_url !== 'string' || archer_url.length > 500)) {
return res.status(400).json({ error: 'Archer URL must be under 500 characters.' });
}
if (status !== undefined && !['Draft', 'Open', 'Under Review', 'Accepted'].includes(status)) {
return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' });
}
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
try {
const { rows } = await pool.query('SELECT * FROM archer_tickets WHERE id = $1', [id]);
const existing = rows[0];
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
if (!existing) {
return res.status(404).json({ error: 'Archer ticket not found.' });
}
const updates = [];
const params = [];
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
let paramIndex = 1;
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
if (exc_number !== undefined) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
updates.push(`exc_number = $${paramIndex++}`);
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(exc_number.trim());
}
if (archer_url !== undefined) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
updates.push(`archer_url = $${paramIndex++}`);
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(archer_url || null);
}
if (status !== undefined) {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
updates.push(`status = $${paramIndex++}`);
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(status);
}
if (updates.length === 0) {
return res.status(400).json({ error: 'No fields to update.' });
}
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
updates.push('updated_at = NOW()');
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
params.push(id);
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
const result = await pool.query(
`UPDATE archer_tickets SET ${updates.join(', ')} WHERE id = $${paramIndex}`,
params
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
);
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
logAudit({
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
userId: req.user.id,
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
action: 'UPDATE_ARCHER_TICKET',
fix: address all 11 review items for group-based access control Bugs fixed: - knowledgeBase.js: logAudit calls converted from positional args to object signature - archerTickets.js: targetType/targetId renamed to entityType/entityId - server.js: single CVE delete now has cascade/compliance check for Standard_User Unprotected endpoints secured: - ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User - ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User - compliance.js: POST notes now requires Admin or Standard_User - ivantiWorkflows.js: POST sync now requires Admin or Standard_User - auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup Additional fixes: - ExportsPage.js: canExport() guard blocks Read_Only users - knowledgeBase.js: Standard_User delete checks created_by ownership - Migration: added INSERT/UPDATE triggers to enforce valid user_group values
2026-04-07 09:52:26 -06:00
entityType: 'archer_ticket',
entityId: String(id),
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
details: { before: existing, changes: req.body },
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
ipAddress: req.ip
});
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
res.json({ message: 'Archer ticket updated successfully', changes: result.rowCount });
} catch (err) {
console.error(err);
if (err.code === '23505') {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
}
res.status(500).json({ error: 'Internal server error.' });
}
});
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
// Delete Archer ticket
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
router.delete('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
const { id } = req.params;
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
try {
const { rows } = await pool.query('SELECT * FROM archer_tickets WHERE id = $1', [id]);
const ticket = rows[0];
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
if (!ticket) {
return res.status(404).json({ error: 'Archer ticket not found.' });
}
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
// Admin bypasses all delete restrictions
if (req.user.group === 'Admin') {
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
return performArcherDelete();
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
// Standard_User: ownership check
if (ticket.created_by && ticket.created_by !== req.user.id) {
return res.status(403).json({ error: 'You can only delete resources you created' });
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
// Standard_User: compliance linkage check
const excNumber = ticket.exc_number;
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
try {
const { rows: compLinks } = await pool.query(
`SELECT ci.id, ci.extra_json
FROM compliance_items ci
JOIN compliance_uploads cu ON ci.upload_id = cu.id
WHERE ci.status = 'active' AND ci.extra_json ILIKE $1`,
[`%${excNumber}%`]
);
const isLinked = (compLinks || []).some(cl => {
const json = cl.extra_json || '';
return json.includes(excNumber);
});
if (isLinked) {
return res.status(403).json({ error: 'Cannot delete ticket linked to compliance report. Contact an admin.' });
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
}
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
} catch (compErr) {
if (!compErr.message.includes('does not exist')) throw compErr;
}
return performArcherDelete();
async function performArcherDelete() {
await pool.query('DELETE FROM archer_tickets WHERE id = $1', [id]);
logAudit({
userId: req.user.id,
action: 'DELETE_ARCHER_TICKET',
entityType: 'archer_ticket',
entityId: String(id),
details: { deleted: ticket },
ipAddress: req.ip
});
res.json({ message: 'Archer ticket deleted successfully' });
}
} catch (err) {
console.error(err);
res.status(500).json({ error: 'Internal server error.' });
}
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
});
feat(compliance): add time-based trend charts to Compliance page Add 6 Recharts charts in a collapsible Historical Trends panel on the Compliance page, covering all Tier-1 recommendations from the reporting design doc. Backend — 5 new API endpoints: - GET /api/compliance/trends — active totals + per-team counts per upload - GET /api/compliance/mttr — mean days to resolution per team - GET /api/compliance/top-recurring — most persistent active findings by seen_count - GET /api/compliance/category-trend — category breakdown per upload (future use) - GET /api/archer-tickets/status-trend — ticket pipeline by creation date + status Frontend — new ComplianceChartsPanel component: - Active Findings Over Time (multi-line: total + per-team dashed) - Change per Report Cycle (stacked bar: new/recurring + resolved) - Team Compliance Health (multi-line per team) - Mean Time to Resolution (horizontal bar per team) - Most Persistent Findings (horizontal bar top-10 by seen_count) - Archer Exception Pipeline (stacked bar by date + status) All charts degrade gracefully to a no-data placeholder until uploads accumulate. Panel is collapsible to stay out of the way when not needed. Adds recharts dependency to frontend. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 09:49:32 -06:00
// GET /status-trend — ticket counts grouped by creation date + status
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite)
2026-05-06 11:44:17 -06:00
router.get('/status-trend', requireAuth(), async (req, res) => {
try {
const { rows } = await pool.query(
`SELECT DATE(created_at) AS date, status, COUNT(*) AS count
FROM archer_tickets
GROUP BY DATE(created_at), status
ORDER BY date ASC`
);
res.json({ statusTrend: rows });
} catch (err) {
console.error('Error fetching Archer status trend:', err);
res.status(500).json({ error: 'Internal server error.' });
}
feat(compliance): add time-based trend charts to Compliance page Add 6 Recharts charts in a collapsible Historical Trends panel on the Compliance page, covering all Tier-1 recommendations from the reporting design doc. Backend — 5 new API endpoints: - GET /api/compliance/trends — active totals + per-team counts per upload - GET /api/compliance/mttr — mean days to resolution per team - GET /api/compliance/top-recurring — most persistent active findings by seen_count - GET /api/compliance/category-trend — category breakdown per upload (future use) - GET /api/archer-tickets/status-trend — ticket pipeline by creation date + status Frontend — new ComplianceChartsPanel component: - Active Findings Over Time (multi-line: total + per-team dashed) - Change per Report Cycle (stacked bar: new/recurring + resolved) - Team Compliance Health (multi-line per team) - Mean Time to Resolution (horizontal bar per team) - Most Persistent Findings (horizontal bar top-10 by seen_count) - Archer Exception Pipeline (stacked bar by date + status) All charts degrade gracefully to a no-data placeholder until uploads accumulate. Panel is collapsible to stay out of the way when not needed. Adds recharts dependency to frontend. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 09:49:32 -06:00
});
added migration and feature set for archer ticekts
2026-02-18 15:02:25 -07:00
return router;
}
module.exports = createArcherTicketsRouter;
Reference in New Issue Copy Permalink