jmacuga · jmacuga · Mar 14, 2025 · Mar 12, 2025 · Mar 12, 2025
diff --git a/components/boards/board-cards.tsx b/components/boards/board-cards.tsx
@@ -13,7 +13,14 @@ import { getColorForIndex } from "@/lib/utils/colors";
 import { format } from "date-fns";
 import { DeleteBoardDialog } from "@/components/boards/delete-board-dialog";
 
-export function BoardCards({ teamBoards }: { teamBoards: Board[] | null }) {
+export function BoardCards({
+  teamBoards,
+  userRole,
+}: {
+  teamBoards: Board[] | null;
+  userRole: string;
+}) {
+  console.log(userRole);
   return (
     <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
       {teamBoards ? (
@@ -34,11 +41,13 @@ export function BoardCards({ teamBoards }: { teamBoards: Board[] | null }) {
                 />
                 {board.name}
               </CardTitle>
-              <DeleteBoardDialog
-                boardId={board.id}
-                boardName={board.name}
-                teamId={board.teamId}
-              />
+              {userRole === "Admin" && (
+                <DeleteBoardDialog
+                  boardId={board.id}
+                  boardName={board.name}
+                  teamId={board.teamId}
+                />
+              )}
             </CardHeader>
             <CardContent className="text-sm text-muted-foreground">
               <p>
@@ -47,7 +56,7 @@ export function BoardCards({ teamBoards }: { teamBoards: Board[] | null }) {
               </p>
             </CardContent>
             <CardFooter className="relative justify-end">
-              <Link href={`/board/${board.id}`} className="ml-auto">
+              <Link href={`/boards/${board.id}`} className="ml-auto">
                 <Button
                   variant="ghost"
                   className="hover:bg-accent/50 transition-colors flex items-center gap-2"

diff --git a/lib/auth/permission-utils.ts b/lib/auth/permission-utils.ts
@@ -0,0 +1,49 @@
+import { BoardService } from "../services/board/board-service";
+import { TeamService } from "../services/team/team-service";
+
+export async function hasTeamPermission(
+  userId: string,
+  teamId: string
+): Promise<boolean> {
+  const userRole = await TeamService.getUserTeamRole(userId, teamId);
+  if (!userRole) {
+    return false;
+  }
+
+  return true;
+}
+
+export async function hasBoardPermission(
+  userId: string,
+  boardId: string
+): Promise<boolean> {
+  const teamId = await BoardService.getTeamIdByBoardId(boardId);
+  if (!teamId) {
+    return false;
+  }
+  const userRole = await TeamService.getUserTeamRole(userId, teamId);
+  if (!userRole) {
+    return false;
+  }
+
+  return true;
+}
+
+export async function isTeamAdmin(
+  userId: string,
+  teamId: string
+): Promise<boolean> {
+  const userRole = await TeamService.getUserTeamRole(userId, teamId);
+  return userRole === "Admin";
+}
+
+export async function isBoardAdmin(
+  userId: string,
+  boardId: string
+): Promise<boolean> {
+  const teamId = await BoardService.getTeamIdByBoardId(boardId);
+  if (!teamId) {
+    return false;
+  }
+  return isTeamAdmin(userId, teamId);
+}
diff --git a/lib/services/board/board-service.ts b/lib/services/board/board-service.ts
@@ -3,7 +3,7 @@ import { IBoardService } from "./types";
 import dbConnect from "@/db/dbConnect";
 import { LayerSchema } from "@/types/KonvaNodeSchema";
 import { createAutomergeServer } from "@/lib/automerge-server";
-import { createBoard, deleteBoard } from "@/db/data";
+import { createBoard, deleteBoard, getBoardById } from "@/db/data";
 import { Board } from "@prisma/client";
 export class BoardService implements IBoardService {
   constructor() {}
@@ -36,4 +36,15 @@ export class BoardService implements IBoardService {
       throw error;
     }
   }
+
+  static async getTeamIdByBoardId(boardId: string): Promise<string | null> {
+    try {
+      await dbConnect();
+      const board = await getBoardById(boardId);
+      return board?.teamId || null;
+    } catch (error) {
+      console.error(error);
+      throw error;
+    }
+  }
 }
diff --git a/lib/services/team/team-service.ts b/lib/services/team/team-service.ts
@@ -5,13 +5,32 @@ export class TeamService {
     userId: string,
     teamId: string
   ): Promise<boolean> {
-    const member = await prisma.teamMember.findFirst({
+    const teamMember = await prisma.teamMember.findFirst({
       where: {
         userId,
         teamId,
       },
     });
+    return teamMember !== null;
+  }
+
+  static async getUserTeamRole(
+    userId: string,
+    teamId: string
+  ): Promise<string | null> {
+    const teamMember = await prisma.teamMember.findFirst({
+      where: {
+        userId,
+        teamId,
+      },
+      include: {
+        role: true,
+      },
+    });
+    if (teamMember == null) {
+      return null;
+    }
 
-    return !!member;
+    return teamMember.role.name;
   }
 }
diff --git a/middleware.ts b/middleware.ts
@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { getToken } from "next-auth/jwt";
+
+const publicPaths = [
+  "/auth/login",
+  "/auth/register",
+  "/auth/error",
+  "/auth/verify",
+  "/api/auth",
+  "/api/socket",
+];
+
+const isPublicPath = (path: string) => {
+  const normalizedPath = path.endsWith("/") ? path.slice(0, -1) : path;
+  console.log(`Checking path: ${normalizedPath}`);
+
+  return publicPaths.some(
+    (publicPath) =>
+      normalizedPath === publicPath ||
+      normalizedPath.startsWith(`${publicPath}/`)
+  );
+};
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  if (pathname === "/api/auth/session" || pathname === "/api/auth/session/") {
+    return NextResponse.next();
+  }
+
+  if (isPublicPath(pathname)) {
+    return NextResponse.next();
+  }
+
+  const token = await getToken({
+    req: request,
+    secret: process.env.NEXTAUTH_SECRET,
+  });
+
+  if (!token && !isPublicPath(pathname)) {
+    const url = request.nextUrl.clone();
+    url.pathname = "/auth/login";
+    return NextResponse.redirect(url);
+  }
+
+  if (
+    pathname.startsWith("/api/") &&
+    !pathname.startsWith("/api/auth/") &&
+    !pathname.startsWith("/api/socket") &&
+    !token
+  ) {
+    return new NextResponse(null, {
+      status: 401,
+      headers: {
+        "Content-Type": "application/json",
+      },
+    });
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|public).*)"],
+};
diff --git a/pages/_app.tsx b/pages/_app.tsx
@@ -12,7 +12,6 @@ type AppPropsWithSession = AppProps & {
   };
 };
 function MyApp({ Component, pageProps, router }: AppPropsWithSession) {
-  console.log(router.pathname);
   const isTeamRoute = router.pathname.startsWith("/teams");
   const isTeamsRoute = router.pathname === "/teams";
 

diff --git a/pages/api/boards/[id]/delete.ts b/pages/api/boards/[id]/delete.ts
@@ -2,6 +2,7 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { BoardService } from "@/lib/services/board";
 import { getServerSession } from "next-auth/next";
 import { authOptions } from "@/lib/auth/auth";
+import { isBoardAdmin } from "@/lib/auth/permission-utils";
 
 export default async function handler(
   req: NextApiRequest,
@@ -23,15 +24,12 @@ export default async function handler(
     }
 
     const boardService = new BoardService();
-    // const hasTeamAccess = await boardService.verifyTeamAccess(
-    //   session.user.id,
-    //   teamId
-    // );
-    // if (!hasTeamAccess) {
-    //   return res
-    //     .status(403)
-    //     .json({ message: "Forbidden: No access to this team" });
-    // }
+    const isAdmin = await isBoardAdmin(session.user.id, boardId);
+    if (!isAdmin) {
+      return res
+        .status(403)
+        .json({ message: "Forbidden: No access to this board" });
+    }
 
     const board = await boardService.delete(boardId);
 

diff --git a/pages/api/boards/[id]/url.ts b/pages/api/boards/[id]/url.ts
@@ -2,6 +2,7 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { getServerSession } from "next-auth/next";
 import { authOptions } from "@/lib/auth/auth";
 import { getBoardDocUrl } from "@/db/data";
+import { hasBoardPermission } from "@/lib/auth/permission-utils";
 
 export default async function handler(
   req: NextApiRequest,
@@ -22,6 +23,13 @@ export default async function handler(
       return res.status(400).json({ message: "Board ID is required" });
     }
 
+    const hasPermission = await hasBoardPermission(session.user.id, boardId);
+    if (!hasPermission) {
+      return res
+        .status(403)
+        .json({ message: "Forbidden: No access to this board" });
+    }
+
     const docUrl = await getBoardDocUrl(boardId);
 
     return res.status(200).json({ docUrl });

diff --git a/pages/api/boards/create.ts b/pages/api/boards/create.ts
@@ -4,6 +4,7 @@ import { BoardService } from "@/lib/services/board";
 import { getServerSession } from "next-auth/next";
 import { authOptions } from "@/lib/auth/auth";
 import { ZodError } from "zod";
+import { hasTeamPermission } from "@/lib/auth/permission-utils";
 
 export default async function handler(
   req: NextApiRequest,
@@ -27,15 +28,13 @@ export default async function handler(
     const validatedData = schemaBoard.parse(data);
 
     const boardService = new BoardService();
-    // const hasTeamAccess = await boardService.verifyTeamAccess(
-    //   session.user.id,
-    //   teamId
-    // );
-    // if (!hasTeamAccess) {
-    //   return res
-    //     .status(403)
-    //     .json({ message: "Forbidden: No access to this team" });
-    // }
+
+    const hasPermission = await hasTeamPermission(session.user.id, teamId);
+    if (!hasPermission) {
+      return res
+        .status(403)
+        .json({ message: "Forbidden: No access to this team" });
+    }
 
     const board = await boardService.create({
       name: validatedData.name,

diff --git a/pages/board/[id]/index.tsx b/pages/board/[id]/index.tsx
diff --git a/pages/boards/[id]/index.tsx b/pages/boards/[id]/index.tsx
@@ -0,0 +1,51 @@
+import { GetServerSideProps } from "next";
+import { getBoardById } from "@/db/data";
+import { BoardProvider } from "@/components/board/board-provider";
+import { hasBoardPermission } from "@/lib/auth/permission-utils";
+import { getSession } from "next-auth/react";
+
+interface BoardPageProps {
+  boardId: string;
+  docUrl: string;
+}
+
+export default function BoardPage({ boardId, docUrl }: BoardPageProps) {
+  return <BoardProvider boardId={boardId} docUrl={docUrl} />;
+}
+
+export const getServerSideProps: GetServerSideProps = async ({
+  req,
+  params,
+}) => {
+  const boardId = params?.id as string;
+  const session = await getSession({ req });
+
+  if (!session?.user) {
+    return {
+      redirect: {
+        destination: "/auth/signin",
+        permanent: false,
+      },
+    };
+  }
+
+  const hasPermission = await hasBoardPermission(session.user.id, boardId);
+
+  if (!hasPermission) {
+    return {
+      redirect: {
+        destination: "/teams",
+        permanent: false,
+      },
+    };
+  }
+
+  const board = await getBoardById(boardId);
+
+  return {
+    props: {
+      boardId,
+      docUrl: board?.docUrl?.toString() || "",
+    },
+  };
+};
diff --git a/pages/board/[id]/preview.tsx → pages/boards/[id]/preview.tsx b/pages/board/[id]/preview.tsx → pages/boards/[id]/preview.tsx