From 5d3d4b1eab6f731fb9fa054bc3262fe378b2154a Mon Sep 17 00:00:00 2001
From: Jordan Ramos
Date: Wed, 24 Jun 2026 17:04:06 -0600
Subject: [PATCH] Allow Admin scope toggle to filter data via ?teams= param

requireTeam() now respects an optional ?teams= query param from Admin users as a voluntary scope filter. When the Admin Scope Toggle is set to 'My Teams', the frontend sends ?teams=STEAM,ACCESS-ENG and the backend applies the filter. When set to 'All BUs' (no param), Admin gets the full unfiltered view. Non-admin users continue to be enforced by their bu_teams assignment regardless of any query param.
---
 backend/middleware/auth.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/backend/middleware/auth.js b/backend/middleware/auth.js
index 1bc1dcc..5fa29a7 100644
--- a/backend/middleware/auth.js
+++ b/backend/middleware/auth.js
@@ -99,6 +99,8 @@ function requireGroup(...allowedGroups) {
 // Require team assignment — enforces team-scoped data access.
 // Admin group bypasses (req.teamScope = null means "no filter").
+// However, if an Admin passes a ?teams= query param (via the scope toggle),
+// it is respected as a voluntary filter.
 // Non-admin users without teams get 403.
 // Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }.
 function requireTeam() {
@@ -107,8 +109,19 @@ function requireTeam() {
 return res.status(401).json({ error: 'Authentication required' });
 }
- // Admin bypass — full access to all teams
+ // Admin bypass — but respect optional ?teams= param as voluntary scope
 if (req.user.group === 'Admin') {
+ const teamsParam = req.query?.teams;
+ if (teamsParam) {
+ const teams = teamsParam.split(',').map(t => t.trim()).filter(Boolean);
+ if (teams.length > 0) {
+ req.teamScope = {
+ short: teams,
+ ivanti: teams.map(t => teamToIvanti(t))
+ };
+ return next();
+ }
+ }
 req.teamScope = null;
 return next();
 }
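Review bot: The truthiness check `if (teamsParam)` in the Admin branch admits non-string values — if this is Express, its query parser turns `?teams=a&teams=b` (and, with the extended parser, `?teams[x]=y`) into an array or object, so `teamsParam.split(',')` throws a TypeError and the request fails with a 500 rather than falling back to the unfiltered view; guard on type instead, `if (typeof teamsParam === 'string') {`. Separately, for Admins req.teamScope.short now holds caller-supplied strings where it previously held only server-assigned bu_teams values, so any downstream consumer that builds queries from teamScope must treat it as untrusted input (parameterize, and consider rejecting names that teamToIvanti cannot map if it returns undefined for unknown names — its definition is not visible here). A comment above the assignment such as `// NOTE: for Admins these values come from the query string, not from bu_teams` would make that visible to consumers of req.teamScope. requireTeam's non-admin branch continues outside the hunk, so the description's claim that it ignores the param cannot be verified from these lines.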