v0.9.39 bugs fixes

2026-03-16 18:29:51 -04:00
parent 5025f0043d
commit de5912c206
6 changed files with 30 additions and 14 deletions


@@ -1,7 +1,7 @@
const express = require('express');
const router = express.Router();
const { getDb } = require('../models/db');
const { authMiddleware, adminMiddleware } = require('../middleware/auth');
const { authMiddleware, adminMiddleware, teamManagerMiddleware } = require('../middleware/auth');
module.exports = function(io) {
@@ -55,7 +55,7 @@ router.get('/me', authMiddleware, (req, res) => {
// ── MULTI-GROUP DMs — must come before /:id ───────────────────────────────────
router.get('/multigroup', authMiddleware, adminMiddleware, (req, res) => {
router.get('/multigroup', authMiddleware, teamManagerMiddleware, (req, res) => {
const db = getDb();
const dms = db.prepare(`
SELECT mgd.*,
@@ -166,7 +166,7 @@ router.delete('/multigroup/:id', authMiddleware, adminMiddleware, (req, res) =>
// ── USER GROUPS ───────────────────────────────────────────────────────────────
router.get('/', authMiddleware, adminMiddleware, (req, res) => {
router.get('/', authMiddleware, teamManagerMiddleware, (req, res) => {
const db = getDb();
const groups = db.prepare(`
SELECT ug.*,
@@ -176,7 +176,7 @@ router.get('/', authMiddleware, adminMiddleware, (req, res) => {
res.json({ groups });
});
router.get('/:id', authMiddleware, adminMiddleware, (req, res) => {
router.get('/:id', authMiddleware, teamManagerMiddleware, (req, res) => {
const db = getDb();
const group = db.prepare('SELECT * FROM user_groups WHERE id = ?').get(req.params.id);
if (!group) return res.status(404).json({ error: 'Not found' });
@@ -252,11 +252,9 @@ router.patch('/:id', authMiddleware, adminMiddleware, (req, res) => {
for (const uid of currentSet) {
if (!newIds.has(uid)) {
db.prepare('DELETE FROM user_group_members WHERE user_group_id = ? AND user_id = ?').run(ug.id, uid);
const stillHasAccess = db.prepare(`SELECT 1 FROM user_group_members ugm WHERE ugm.user_id = ? AND ugm.user_group_id != ? AND EXISTS (SELECT 1 FROM group_members gm WHERE gm.group_id = ? AND gm.user_id = ?)`).get(uid, ug.id, ug.dm_group_id, uid);
if (!stillHasAccess) {
removeUser(db, ug.dm_group_id, uid, req.user.id);
removedUids.push(uid);
}
// For managed DMs, membership is controlled solely by the user group — always remove
removeUser(db, ug.dm_group_id, uid, req.user.id);
removedUids.push(uid);
}
}
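Review bot: The three GET routes moved from `adminMiddleware` to `teamManagerMiddleware` (`/multigroup`, `/` and `/:id`) still run queries that are not filtered by `req.user` in the visible lines — `SELECT * FROM user_groups WHERE id = ?` takes only `req.params.id` — so any caller the new middleware admits can presumably read every user group and multi-group DM, not only the ones they manage. `teamManagerMiddleware` is defined in `../middleware/auth` and is not shown here, so confirm that it still admits admins and rejects ordinary members, and add a route test per role to pin that. If the wider read access is intended, state it above the routes, e.g. `// Read-only for team managers; PATCH/DELETE stay admin-only` (the hunk headers suggest those routes keep `adminMiddleware`); otherwise scope the queries to the caller's own groups. The handler bodies continue outside the hunks.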