feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only)

- Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
2026-04-06 16:18:07 -06:00
parent 1ef57b0504
commit 73fd747576
19 changed files with 1171 additions and 149 deletions
--- a/backend/routes/archerTickets.js
+++ b/backend/routes/archerTickets.js
@@ -1,6 +1,6 @@
 // routes/archerTickets.js
 const express = require('express');
-const { requireAuth, requireRole } = require('../middleware/auth');
+const { requireAuth, requireGroup } = require('../middleware/auth');
 const logAudit = require('../helpers/auditLog');

 // Validation helpers
@@ -48,7 +48,7 @@ function createArcherTicketsRouter(db) {
  });

  // Create Archer ticket
-  router.post('/', requireAuth(db), requireRole('editor', 'admin'), (req, res) => {
+  router.post('/', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
    const { exc_number, archer_url, status, cve_id, vendor } = req.body;

    // Validation
@@ -74,9 +74,9 @@ function createArcherTicketsRouter(db) {
    const validatedStatus = status || 'Draft';

    db.run(
-      `INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor)
-       VALUES (?, ?, ?, ?, ?)`,
-      [exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor],
+      `INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor, created_by)
+       VALUES (?, ?, ?, ?, ?, ?)`,
+      [exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor, req.user.id],
      function(err) {
        if (err) {
          console.error('Error creating Archer ticket:', err);
@@ -104,7 +104,7 @@ function createArcherTicketsRouter(db) {
  });

  // Update Archer ticket
-  router.put('/:id', requireAuth(db), requireRole('editor', 'admin'), (req, res) => {
+  router.put('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
    const { id } = req.params;
    const { exc_number, archer_url, status } = req.body;

@@ -184,8 +184,29 @@ function createArcherTicketsRouter(db) {
    });
  });

+  // Helper: perform the actual Archer ticket deletion
+  function performArcherDelete(db, req, res, id, ticket) {
+    db.run('DELETE FROM archer_tickets WHERE id = ?', [id], function(err) {
+      if (err) {
+        console.error(err);
+        return res.status(500).json({ error: 'Internal server error.' });
+      }
+
+      logAudit(db, {
+        userId: req.user.id,
+        action: 'DELETE_ARCHER_TICKET',
+        targetType: 'archer_ticket',
+        targetId: id,
+        details: { deleted: ticket },
+        ipAddress: req.ip
+      });
+
+      res.json({ message: 'Archer ticket deleted successfully' });
+    });
+  }
+
  // Delete Archer ticket
-  router.delete('/:id', requireAuth(db), requireRole('editor', 'admin'), (req, res) => {
+  router.delete('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
    const { id } = req.params;

    db.get('SELECT * FROM archer_tickets WHERE id = ?', [id], (err, ticket) => {
@@ -197,23 +218,45 @@ function createArcherTicketsRouter(db) {
        return res.status(404).json({ error: 'Archer ticket not found.' });
      }

-      db.run('DELETE FROM archer_tickets WHERE id = ?', [id], function(err) {
-        if (err) {
-          console.error(err);
-          return res.status(500).json({ error: 'Internal server error.' });
+      // Admin bypasses all delete restrictions
+      if (req.user.group === 'Admin') {
+        return performArcherDelete(db, req, res, id, ticket);
+      }
+
+      // Standard_User: ownership check
+      if (ticket.created_by && ticket.created_by !== req.user.id) {
+        return res.status(403).json({ error: 'You can only delete resources you created' });
+      }
+
+      // Standard_User: compliance linkage check
+      const excNumber = ticket.exc_number;
+      db.all(
+        `SELECT ci.id, ci.extra_json
+         FROM compliance_items ci
+         JOIN compliance_uploads cu ON ci.upload_id = cu.id
+         WHERE ci.status = 'active' AND ci.extra_json LIKE ?`,
+        [`%${excNumber}%`],
+        (compErr, compLinks) => {
+          // If compliance_items table doesn't exist yet, treat as no linkage
+          if (compErr && compErr.message && compErr.message.includes('no such table')) {
+            compLinks = [];
+          } else if (compErr) {
+            console.error(compErr);
+            return res.status(500).json({ error: 'Internal server error.' });
+          }
+
+          const isLinked = (compLinks || []).some(cl => {
+            const json = cl.extra_json || '';
+            return json.includes(excNumber);
+          });
+
+          if (isLinked) {
+            return res.status(403).json({ error: 'Cannot delete ticket linked to compliance report. Contact an admin.' });
+          }
+
+          return performArcherDelete(db, req, res, id, ticket);
        }
-
-        logAudit(db, {
-          userId: req.user.id,
-          action: 'DELETE_ARCHER_TICKET',
-          targetType: 'archer_ticket',
-          targetId: id,
-          details: { deleted: ticket },
-          ipAddress: req.ip
-        });
-
-        res.json({ message: 'Archer ticket deleted successfully' });
-      });
+      );
    });
  });