fix: address all 11 review items for group-based access control

Bugs fixed:
- knowledgeBase.js: logAudit calls converted from positional args to object signature
- archerTickets.js: targetType/targetId renamed to entityType/entityId
- server.js: single CVE delete now has cascade/compliance check for Standard_User

Unprotected endpoints secured:
- ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User
- ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User
- compliance.js: POST notes now requires Admin or Standard_User
- ivantiWorkflows.js: POST sync now requires Admin or Standard_User
- auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup

Additional fixes:
- ExportsPage.js: canExport() guard blocks Read_Only users
- knowledgeBase.js: Standard_User delete checks created_by ownership
- Migration: added INSERT/UPDATE triggers to enforce valid user_group values
jramos
2026-04-07 09:52:26 -06:00
parent d910af847e
commit e9e2c0961d
10 changed files with 154 additions and 64 deletions


@@ -89,8 +89,8 @@ function createArcherTicketsRouter(db) {
logAudit(db, {
userId: req.user.id,
action: 'CREATE_ARCHER_TICKET',
targetType: 'archer_ticket',
targetId: this.lastID,
entityType: 'archer_ticket',
entityId: String(this.lastID),
details: { exc_number, archer_url, status: validatedStatus, cve_id, vendor },
ipAddress: req.ip
});
@@ -172,8 +172,8 @@ function createArcherTicketsRouter(db) {
logAudit(db, {
userId: req.user.id,
action: 'UPDATE_ARCHER_TICKET',
targetType: 'archer_ticket',
targetId: id,
entityType: 'archer_ticket',
entityId: String(id),
details: { before: existing, changes: req.body },
ipAddress: req.ip
});
@@ -195,8 +195,8 @@ function createArcherTicketsRouter(db) {
logAudit(db, {
userId: req.user.id,
action: 'DELETE_ARCHER_TICKET',
targetType: 'archer_ticket',
targetId: id,
entityType: 'archer_ticket',
entityId: String(id),
details: { deleted: ticket },
ipAddress: req.ip
});