Add requireAgent guard to analytics and export routes

Both endpoints were authenticated but had no role check, allowing any
logged-in USER to view company-wide analytics and export all tickets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-21 20:25:19 -04:00
parent a9bf332369
commit 5acc252921
2 changed files with 4 additions and 2 deletions
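--- a/[[path not shown on page: analytics routes]]
+++ b/[[path not shown on page: analytics routes]]
@@ -1,9 +1,10 @@
 import { Router } from 'express';
 import * as analyticsService from '../services/analyticsService';
+import { requireAgent } from '../middleware/auth';
 const router = Router();
-router.get('/summary', async (req, res) => {
+router.get('/summary', requireAgent, async (req, res) => {
 const raw = Number(req.query.window);
 const window: analyticsService.AnalyticsWindow =
 raw === 14 || raw === 30 || raw === 90 ? raw : 30;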
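Review bot: The guard is attached per route (`router.get('/summary', requireAgent, …)` here and `router.get('/tickets.csv', requireAgent, …)` in the export router), so any route added to either router later starts out with the same gap this commit closes. If every route on these two routers is agent-only, attaching the guard once at router level, `router.use(requireAgent);` directly after `const router = Router();`, makes the safe behaviour the default and lets the per-route argument go. Whether `requireAgent` verifies the session itself or relies on an authentication middleware mounted earlier on the app is not visible in this hunk; if it is the latter, that precondition is worth a short comment at the import so the ordering is not broken by a later refactor. A regression test that calls both endpoints with a USER-role session and expects a 403 would pin the fix. The `/summary` handler body continues past the hunk.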
+2 -1
@@ -1,5 +1,6 @@
import { Router } from 'express'; import { Router } from 'express';
import * as ticketService from '../services/ticketService'; import * as ticketService from '../services/ticketService';
import { requireAgent } from '../middleware/auth';
const router = Router(); const router = Router();
@@ -10,7 +11,7 @@ function csvEscape(v: unknown): string {
return s; return s;
} }
router.get('/tickets.csv', async (req, res) => { router.get('/tickets.csv', requireAgent, async (req, res) => {
const { status, severity, assigneeId, categoryId, typeId, itemId, search } = req.query; const { status, severity, assigneeId, categoryId, typeId, itemId, search } = req.query;
const tickets = await ticketService.listTickets({ const tickets = await ticketService.listTickets({