Allow Admin scope toggle to filter data via ?teams= param

requireTeam() now respects an optional ?teams= query param from Admin users as a voluntary scope filter. When the Admin Scope Toggle is set to 'My Teams', the frontend sends ?teams=STEAM,ACCESS-ENG and the backend applies the filter. When set to 'All BUs' (no param), Admin gets the full unfiltered view. Non-admin users continue to be enforced by their bu_teams assignment regardless of any query param.
2026-06-24 17:04:06 -06:00
parent 221eb6a1a1
commit 5d3d4b1eab
1 changed files with 14 additions and 1 deletions
--- a/backend/middleware/auth.js
+++ b/backend/middleware/auth.js
@@ -99,6 +99,8 @@ function requireGroup(...allowedGroups) {

 // Require team assignment — enforces team-scoped data access.
 // Admin group bypasses (req.teamScope = null means "no filter").
+// However, if an Admin passes a ?teams= query param (via the scope toggle),
+// it is respected as a voluntary filter.
 // Non-admin users without teams get 403.
 // Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }.
 function requireTeam() {
@@ -107,8 +109,19 @@ function requireTeam() {
            return res.status(401).json({ error: 'Authentication required' });
        }

-        // Admin bypass — full access to all teams
+        // Admin bypass — but respect optional ?teams= param as voluntary scope
        if (req.user.group === 'Admin') {
+            const teamsParam = req.query?.teams;
+            if (teamsParam) {
+                const teams = teamsParam.split(',').map(t => t.trim()).filter(Boolean);
+                if (teams.length > 0) {
+                    req.teamScope = {
+                        short: teams,
+                        ivanti: teams.map(t => teamToIvanti(t))
+                    };
+                    return next();
+                }
+            }
            req.teamScope = null;
            return next();
        }