From e5c2e4d2552311cce19e48c7090b9b91ec0c9aff Mon Sep 17 00:00:00 2001
From: Oyinlola Olasunkanmi Raymond <60177090+olasunkanmi-SE@users.noreply.github.com>
Date: Fri, 16 Feb 2024 07:53:09 +0800
Subject: [PATCH] update the authorization technique to check if user role matches ite priority (#488)

Co-authored-by: Olasunkanmi Oyinlola
---
 backend/src/application/constants/constants.ts | 6 ++++--
 .../repositories/schemas/singleclient.schema.ts | 4 ++--
 .../src/shared/services/access_control.service.ts | 13 +++++++++----
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/backend/src/application/constants/constants.ts b/backend/src/application/constants/constants.ts
index 2acba4d7..406d78e6 100644
--- a/backend/src/application/constants/constants.ts
+++ b/backend/src/application/constants/constants.ts
@@ -23,13 +23,15 @@ export const tokenExpiresIn = 3600000;
 export enum Role {
   ADMIN = 'ADMIN',
   USER = 'USER',
-  GUEST = 'CLIENT',
+  CLIENT = 'CLIENT',
+  SUPERADMIN = 'SUPERADMIN',
 }
 
 export const RoleOrder: Record = {
-  [Role.GUEST]: 1,
+  [Role.CLIENT]: 1,
   [Role.USER]: 2,
   [Role.ADMIN]: 3,
+  [Role.SUPERADMIN]: 4,
 };
 
 export const ROLE_KEY = 'role';
diff --git a/backend/src/infrastructure/data_access/repositories/schemas/singleclient.schema.ts b/backend/src/infrastructure/data_access/repositories/schemas/singleclient.schema.ts
index 6f8967e1..dcf5e214 100644
--- a/backend/src/infrastructure/data_access/repositories/schemas/singleclient.schema.ts
+++ b/backend/src/infrastructure/data_access/repositories/schemas/singleclient.schema.ts
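Review bot: Renaming the enum member `GUEST` to `CLIENT` keeps the stored string `'CLIENT'` unchanged, so persisted role values are unaffected, but any remaining reference to `Role.GUEST` outside this diff will no longer compile and should be confirmed with a repository-wide search before merge. Because `RoleOrder` is the table that `isAuthorized` in access_control.service.ts compares, its meaning deserves a comment above the declaration, e.g. `// Privilege rank used by AccessControlService.isAuthorized: a caller whose rank is >= the required role's rank is granted access; every Role member needs an entry.` The annotation reads `Record` here, presumably `Record<Role, number>` lost to extraction; if it really is keyed by `Role`, a missing entry for a newly added member such as `SUPERADMIN` is already a compile error, which is the right fail-safe for an authorization table.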
@@ -2,7 +2,7 @@ import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
 import { Document } from 'mongoose';
 import { BaseDocument } from '../../../database';
 import { ISingleClientData } from '../models/singleclient-model.interface';
-import { SingleClientStatus } from '../../../../application/constants/constants';
+import { Role, SingleClientStatus } from '../../../../application/constants/constants';
 
 export type SingleClientDocument = SingleClientDataModel & Document;
 
@@ -29,7 +29,7 @@ export class SingleClientDataModel extends BaseDocument implements ISingleClient
   @Prop({ type: String, required: true })
   passwordHash: string;
 
-  @Prop({ type: String, default: 'admin' })
+  @Prop({ type: String, enum: Object.values(Role), default: Role.USER })
   role: string;
 
   @Prop({ type: Boolean, default: false })
diff --git a/backend/src/shared/services/access_control.service.ts b/backend/src/shared/services/access_control.service.ts
index 5faa9490..6a38e82a 100644
--- a/backend/src/shared/services/access_control.service.ts
+++ b/backend/src/shared/services/access_control.service.ts
@@ -27,14 +27,19 @@ export class AccessControlService implements IAccessControlService {
   }
 
   public isAuthorized({ currentRole, requiredRole }: IIsAuthorizedProps): boolean {
-    let authorized = false;
+    let isAuthorized = false;
     for (const hierarchy of this.hierarchies) {
       const priority = hierarchy.get(currentRole);
       const requirePriority = hierarchy.get(requiredRole);
-      if (priority && requirePriority && priority >= requirePriority) {
-        authorized = true;
+      if (priority && requirePriority) {
+        if (priority >= requirePriority) {
+          isAuthorized = true;
+        }
+        if (priority === requirePriority) {
+          isAuthorized = true;
+        }
       }
     }
-    return authorized;
+    return isAuthorized;
   }
 }
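Review bot: `role` stays declared as `string` on the line after the new `@Prop`, while the schema now restricts stored values to `Object.values(Role)`, so the compile-time type is wider than what the database accepts; `role: Role;` would keep the two in step and let the value flow into `isAuthorized` without a cast. The old default was the lowercase `'admin'`, which is not a member of `Role`, so any existing document still carrying that value will fail the new enum validator on its next save — if such documents exist, they need a one-off migration to a real `Role` value before this ships. Switching the default to `Role.USER` is the right least-privilege choice for newly created clients. The enclosing class `SingleClientDataModel` starts and ends outside the hunk.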
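Review bot: The added `priority === requirePriority` branch is redundant, because `priority >= requirePriority` on the line above already covers equality, so the nested block can collapse back to a single condition: `if (priority && requirePriority && priority >= requirePriority) { isAuthorized = true; }`. The truthiness guard `priority && requirePriority` also means a role ranked `0` would be treated as unknown and denied; with `RoleOrder` starting at 1 that is harmless today, but `priority !== undefined && requirePriority !== undefined` states the intent and survives a future renumbering. The loop keeps iterating after a grant, so an early `return true` inside the condition would make the fail-closed default — `return false` when no hierarchy knows both roles — easier to read. `this.hierarchies` is populated outside the hunk.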