fix(audit): MEDIUMs sweep — mobile More-sheet, portal profile, inline override, dialog UX, ext-EOI gate
R2-M11: mobile More-sheet missing 4 destinations. Added Reservations, Notifications, Residential, Website analytics — anyone using mobile chrome to triage on the go can now reach those domains. R2-M12: portal had no profile / change-password surface. New /portal/profile page with read-only contact details + a ChangePasswordForm component, backed by a new POST /api/portal/auth/change-password endpoint and changePortalPassword() service function. Audits both ok and failure cases at warning severity. Added Profile to PortalNav. R2-M1: portal dashboard "My Memberships" tile had no href and no /portal/memberships route — dead-end on tap. Hidden until a memberships page ships; the count remains in the underlying data. R2-M7: InlineStagePicker never sent override:true so users with interests.override_stage couldn't actually use the perm from the inline chip — they had to fall back to the modal picker. Now the picker auto-detects when a transition isn't legal AND the user has override_stage, sets override:true, and supplies a default reason. Frontend M2: hard-delete-dialog confirm stage now has a "Send a new code" link in case the original expired before the user could enter it. Avoids forcing a full Cancel + reopen. Frontend M4: audit-log-list date-range validation. From > To now shows an inline error and skips the request rather than firing an empty-range query that surfaces "no entries found". R2-M6: external-EOI route now requires interests.edit AND documents.upload_signed (defense-in-depth) — uploading a signed EOI mutates interest state, so the upload-signed perm alone shouldn't let a custom role flip an interest. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
44
src/app/api/portal/auth/change-password/route.ts
Normal file
44
src/app/api/portal/auth/change-password/route.ts
Normal file
@@ -0,0 +1,44 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { z } from 'zod';
|
||||
import { eq } from 'drizzle-orm';
|
||||
|
||||
import { db } from '@/lib/db';
|
||||
import { portalUsers } from '@/lib/db/schema/portal';
|
||||
import { errorResponse, UnauthorizedError, ValidationError } from '@/lib/errors';
|
||||
import { getPortalSession } from '@/lib/portal/auth';
|
||||
import { changePortalPassword } from '@/lib/services/portal-auth.service';
|
||||
|
||||
const bodySchema = z.object({
|
||||
currentPassword: z.string().min(1),
|
||||
newPassword: z.string().min(9),
|
||||
});
|
||||
|
||||
export async function POST(req: NextRequest): Promise<NextResponse> {
|
||||
try {
|
||||
const session = await getPortalSession();
|
||||
if (!session) throw new UnauthorizedError('Portal session required');
|
||||
|
||||
let body: unknown;
|
||||
try {
|
||||
body = await req.json();
|
||||
} catch {
|
||||
throw new ValidationError('Invalid request body');
|
||||
}
|
||||
const { currentPassword, newPassword } = bodySchema.parse(body);
|
||||
|
||||
const user = await db.query.portalUsers.findFirst({
|
||||
where: eq(portalUsers.email, session.email),
|
||||
});
|
||||
if (!user) throw new UnauthorizedError('Portal account not found');
|
||||
|
||||
await changePortalPassword({
|
||||
portalUserId: user.id,
|
||||
currentPassword,
|
||||
newPassword,
|
||||
});
|
||||
|
||||
return NextResponse.json({ data: { ok: true } });
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
}
|
||||
}
|
||||
@@ -2,7 +2,7 @@ import { NextResponse } from 'next/server';
|
||||
|
||||
import { withAuth, withPermission } from '@/lib/api/helpers';
|
||||
import { uploadExternallySignedEoi } from '@/lib/services/external-eoi.service';
|
||||
import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
|
||||
import { errorResponse, ForbiddenError, NotFoundError, ValidationError } from '@/lib/errors';
|
||||
|
||||
export const POST = withAuth(
|
||||
withPermission('documents', 'upload_signed', async (req, ctx, params) => {
|
||||
@@ -10,6 +10,15 @@ export const POST = withAuth(
|
||||
const interestId = params.id;
|
||||
if (!interestId) throw new NotFoundError('Interest');
|
||||
|
||||
// Defense-in-depth: uploading an externally-signed EOI mutates
|
||||
// the interest's effective state (flips it to "signed"). Require
|
||||
// interests.edit in addition to documents.upload_signed so a
|
||||
// custom role with the upload bit but no interest-edit can't flip
|
||||
// an interest. Super-admin bypasses (audit R2-M6).
|
||||
if (!ctx.isSuperAdmin && !ctx.permissions?.interests?.edit) {
|
||||
throw new ForbiddenError('interests.edit required to upload an external EOI');
|
||||
}
|
||||
|
||||
const form = await req.formData();
|
||||
const file = form.get('file');
|
||||
if (!file || !(file instanceof File)) {
|
||||
|
||||
Reference in New Issue
Block a user