Move role check to proper authorization service

app/src/authorization/authorization.module.ts

@@ -0,0 +1,8 @@
+import { Module } from "@nestjs/common";
+import { AuthorizationService } from "./authorization.service";
+
+@Module({
+  providers: [AuthorizationService],
+  exports: [AuthorizationService],
+})
+export class AuthorizationModule {}

app/src/authorization/authorization.service.ts

@@ -0,0 +1,26 @@
+import { Injectable, Logger, UnauthorizedException } from "@nestjs/common";
+import { BoltService } from "../bolt/bolt.service";
+import { UserNotFoundException } from "../common/exceptions/user-not-found.exception";
+
+@Injectable()
+export class AuthorizationService {
+  logger = new Logger(AuthorizationService.name);
+
+  constructor(private boltService: BoltService) {}
+
+  async requireOwnerRole(userId: string): Promise<void> {
+    const bolt = this.boltService.getBolt();
+    const { user } = await bolt.client.users.info({ user: userId });
+
+    if (!user) {
+      throw new UserNotFoundException();
+    }
+
+    if (!user.is_owner) {
+      this.logger.warn(
+        `User ${userId} tried to access a protected resource requiring workspace owner privileges.`,
+      );
+      throw new UnauthorizedException();
+    }
+  }
+}

app/src/common/exceptions/user-not-found.exception.ts

@@ -0,0 +1,8 @@
+import { HttpStatus } from "@nestjs/common";
+import { KaikuAppException } from "./kaiku-app.exception";
+
+export class UserNotFoundException extends KaikuAppException {
+  constructor() {
+    super("User was not found in Slack workspace.", HttpStatus.NOT_FOUND);
+  }
+}

app/src/gui/home-tab/views/settings/office-management/office-management.controller.ts

@@ -1,10 +1,6 @@
-import {
-  Controller,
-  ForbiddenException,
-  InternalServerErrorException,
-  Logger,
-} from "@nestjs/common";
+import { Controller, InternalServerErrorException, Logger } from "@nestjs/common";
 import { get } from "lodash";
+import { AuthorizationService } from "../../../../../authorization/authorization.service";
 import BoltAction from "../../../../../bolt/decorators/bolt-action.decorator";
 import BoltViewAction from "../../../../../bolt/decorators/bolt-view-action.decorator";
 import Action from "../../../../../bolt/enums/action.enum";
@@ -23,6 +19,7 @@ export class OfficeManagementController {
     private officeMgmtModal: OfficeManagementModal,
     private addOfficeModal: AddOfficeModal,
     private officeService: OfficeService,
+    private authService: AuthorizationService,
   ) {}
 
   @BoltAction(Action.OPEN_OFFICE_MANAGEMENT_MODAL)
@@ -43,10 +40,7 @@ export class OfficeManagementController {
 
   @BoltViewAction(ViewAction.CREATE_OFFICE)
   async createOffice({ view, client, body }: BoltViewActionArgs) {
-    const { user } = await client.users.info({ user: body.user.id });
-    if (!user.is_owner) {
-      throw new ForbiddenException();
-    }
+    await this.authService.requireOwnerRole(body.user.id);
 
     const officeName = get(view, "state.values.new_office.name.value");
 

app/src/gui/home-tab/views/settings/office-management/office-management.module.ts

@@ -1,11 +1,12 @@
 import { Module } from "@nestjs/common";
+import { AuthorizationModule } from "../../../../../authorization/authorization.module";
 import { OfficeModule } from "../../../../../entities/office/office.module";
 import { AddOfficeModal } from "./add-office.modal";
 import { OfficeManagementController } from "./office-management.controller";
 import { OfficeManagementModal } from "./office-management.modal";
 
 @Module({
-  imports: [OfficeModule],
+  imports: [OfficeModule, AuthorizationModule],
   providers: [OfficeManagementModal, AddOfficeModal],
   controllers: [OfficeManagementController],
 })