feat: CE-1046 - Added read only capabilities to case management

backend/src/auth/jwtrole.guard.ts

@@ -1,7 +1,14 @@
-import { ExecutionContext, Injectable, CanActivate, UnauthorizedException, Logger } from "@nestjs/common";
+import {
+  ExecutionContext,
+  Injectable,
+  CanActivate,
+  UnauthorizedException,
+  Logger,
+  ForbiddenException,
+} from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { AuthGuard } from "@nestjs/passport";
-import { Role } from "src/enum/role.enum";
+import { Role } from "../enum/role.enum";
 import { ROLES_KEY } from "./decorators/roles.decorator";
 import { GqlExecutionContext } from "@nestjs/graphql";
 
@@ -38,6 +45,18 @@ export class JwtRoleGuard extends AuthGuard("jwt") implements CanActivate {
       throw new UnauthorizedException("Cannot verify user authorization");
     }
 
+    const userRoles: string[] = user.client_roles;
+    // Check if the user has the readonly role
+    const hasReadOnlyRole = userRoles.includes(Role.READ_ONLY);
+
+    // If the user has readonly role, allow only GET requests
+    if (hasReadOnlyRole) {
+      if (request.method !== "GET") {
+        this.logger.debug(`User with readonly role attempted ${request.method} method`);
+        throw new ForbiddenException("Access denied: Read-only users cannot perform this action");
+      }
+    }
+
     // if there aren't any required roles, don't allow the user to access any api.  Unless the API is marked as public, at least one role is required.
     if (!requiredRoles) {
       this.logger.error(
@@ -46,9 +65,6 @@ export class JwtRoleGuard extends AuthGuard("jwt") implements CanActivate {
       return false;
     }
 
-    // roles that the user has
-    const userRoles: string[] = user.client_roles;
-
     this.logger.debug(`User Roles: ${userRoles}`);
 
     // does the user have a required role?

backend/src/enum/role.enum.ts

@@ -2,4 +2,5 @@ export enum Role {
   COS_OFFICER = "COS Officer",
   COS_ADMIN = "COS Admin",
   CEEB = "CEEB",
+  READ_ONLY = "READ ONLY",
 }