+const ensureAuthUserOwnsAccountValidator = [
+ (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ const user = res.locals.oauth.token.User
+
+ if (res.locals.account.id !== user.Account.id) {
+ return res.status(HttpStatusCode.FORBIDDEN_403)
+ .json({ error: 'Only owner can access ratings list.' })
+ }
+
+ return next()
+ }
+]
+
+const ensureCanManageUser = [
+ (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ const authUser = res.locals.oauth.token.User
+ const onUser = res.locals.user
+
+ if (authUser.role === UserRole.ADMINISTRATOR) return next()
+ if (authUser.role === UserRole.MODERATOR && onUser.role === UserRole.USER) return next()
+
+ return res.status(HttpStatusCode.FORBIDDEN_403)
+ .json({ error: 'A moderator can only manager users.' })
+ }
+]
+