From bfcbe086f29d8fa893b1a45de5c16940db81f902 Mon Sep 17 00:00:00 2001
From: olsch01
Date: Sun, 1 Mar 2026 09:21:09 -0500
Subject: [PATCH] Fix WriteAccessGuard: use req.userRole from middleware (runs before guards)

The global WriteAccessGuard was checking req.user.role, but req.user is set by JwtAuthGuard (a per-controller guard) which runs AFTER global guards. TenantMiddleware sets req.userRole from the JWT before guards execute, so we now check that property first.

Co-Authored-By: Claude Opus 4.6
---
 backend/src/common/guards/write-access.guard.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/backend/src/common/guards/write-access.guard.ts b/backend/src/common/guards/write-access.guard.ts
index bd12619..f0b4e91 100644
--- a/backend/src/common/guards/write-access.guard.ts
+++ b/backend/src/common/guards/write-access.guard.ts
@@ -13,9 +13,10 @@ export class WriteAccessGuard implements CanActivate {
 // Allow all read methods
 if (['GET', 'HEAD', 'OPTIONS'].includes(method)) return true;

- // If no user on request (unauthenticated endpoints like login/register), allow
- const user = request.user;
- if (!user) return true;
+ // Determine role from either req.userRole (set by TenantMiddleware which runs
+ // before guards) or req.user.role (set by JwtAuthGuard Passport strategy).
+ const role = request.userRole || request.user?.role;
+ if (!role) return true; // unauthenticated endpoints like login/register

 // Check for @AllowViewer() exemption on handler or class
 const allowViewer = this.reflector.getAllAndOverride(ALLOW_VIEWER_KEY, [
@@ -25,7 +26,7 @@ export class WriteAccessGuard implements CanActivate {
 if (allowViewer) return true;

 // Block viewer role from write operations
- if (user.role === 'viewer') {
+ if (role === 'viewer') {
 throw new ForbiddenException('Read-only users cannot modify data');
 }
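Review bot: The new `if (!role) return true;` fails open for an authenticated request whose token carries no role claim: an undefined or empty role is treated the same as an unauthenticated login/register call and the write proceeds (the old `user.role === 'viewer'` check let such a request through as well, so the patch does not change this, but the new trailing comment now presents it as intended). Because `request.userRole` is produced by TenantMiddleware outside this hunk, it is worth confirming that the middleware verifies the JWT signature rather than only decoding the token; if it only decodes, this guard now decides on an unverified claim, and the `||` ordering lets that value win over the Passport-verified `request.user.role` whenever both are present. I would prefer the verified source when it exists, `const role = request.user?.role ?? request.userRole;`, and replace the trailing comment with `// no auth context at all (login/register); a token with no role claim also passes here — confirm TenantMiddleware rejects those`. The enclosing canActivate method starts before and ends after this hunk.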