45 lines
1.2 KiB
TypeScript
45 lines
1.2 KiB
TypeScript
import {
|
|
CanActivate,
|
|
ExecutionContext,
|
|
ForbiddenException,
|
|
Injectable,
|
|
} from '@nestjs/common';
|
|
import { Reflector } from '@nestjs/core';
|
|
import { ROLES_KEY } from '../decorators/roles.decorator';
|
|
import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
|
|
import { UserRole } from '../../users/entities/user.entity';
|
|
|
|
@Injectable()
|
|
export class RolesGuard implements CanActivate {
|
|
constructor(private reflector: Reflector) {}
|
|
|
|
canActivate(context: ExecutionContext): boolean {
|
|
const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
|
|
context.getHandler(),
|
|
context.getClass(),
|
|
]);
|
|
if (isPublic) return true;
|
|
|
|
const requiredRoles = this.reflector.getAllAndOverride<UserRole[]>(ROLES_KEY, [
|
|
context.getHandler(),
|
|
context.getClass(),
|
|
]);
|
|
if (!requiredRoles || requiredRoles.length === 0) return true;
|
|
|
|
const request = context.switchToHttp().getRequest();
|
|
const user = request.user;
|
|
|
|
if (!user) {
|
|
throw new ForbiddenException('Access denied');
|
|
}
|
|
|
|
if (!requiredRoles.includes(user.role)) {
|
|
throw new ForbiddenException(
|
|
`Access denied. Required roles: ${requiredRoles.join(', ')}`,
|
|
);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|