letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit): critical C3 — enforce residential module gate on all v1 API routes

Browse Source 
Adds assertResidentialModuleEnabled(ctx.portId) as the first statement in
every residential v1 handler (24 handlers across 13 files), mirroring the
Tenancies pattern. Previously the disabled-module state was enforced only
in the page layout, so a disabled module still accepted API writes
(including partner-forward emails on residential interest creation).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-06-02 11:59:52 +02:00
parent 7aa639f195
commit 3c9310f81c
13 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/app/api/v1/residential/interests/[id]/notes/route.ts
View File

@@ -4,11 +4,13 @@ import { withAuth, withPermission } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { createNoteSchema } from '@/lib/validators/notes';
import * as notesService from '@/lib/services/notes.service';
import { assertResidentialModuleEnabled } from '@/lib/services/residential-module.service';
import { errorResponse, NotFoundError } from '@/lib/errors';
export const GET = withAuth(
withPermission('residential_interests', 'view', async (_req, ctx, params) => {
try {
await assertResidentialModuleEnabled(ctx.portId);
const id = params.id;
if (!id) throw new NotFoundError('Residential interest');
const notes = await notesService.listForEntity(ctx.portId, 'residential_interests', id);
@@ -22,6 +24,7 @@ export const GET = withAuth(
export const POST = withAuth(
withPermission('residential_interests', 'edit', async (req, ctx, params) => {
try {
await assertResidentialModuleEnabled(ctx.portId);
const id = params.id;
if (!id) throw new NotFoundError('Residential interest');
const body = await parseBody(req, createNoteSchema);