security: Enforce multi-tenant isolation on job listings and admin operations

simpaticohr · simpaticohr · commit ccf425e0516f · 2026-05-17T13:37:49.000+05:30
diff --git a/backend/simpatico-ats.js b/backend/simpatico-ats.js
@@ -1213,6 +1213,8 @@ route("GET", "/payroll/payslips/:employeeId", handleGetPayslips);
 // Recruitment / ATS
 route("POST", "/recruitment/jobs", handleCreateJob);
 route("GET", "/recruitment/jobs", handleListJobs);
+route("PATCH", "/recruitment/jobs/:id", handleUpdateJob);
+route("DELETE", "/recruitment/jobs/:id", handleDeleteJob);
 route("GET", "/recruitment/public/jobs", handlePublicJobs);
 route("POST", "/recruitment/applications", handleCreateApplication);
 route("POST", "/interviews/schedule", handleScheduleInterviewEmail);
@@ -3405,6 +3407,62 @@ async function handleListJobs(request, env, ctx, _, url) {
   return apiResponse({ jobs: await res.json() });
 }
 
+/**
+ * PATCH /recruitment/jobs/:id — Update a job (tenant-isolated).
+ */
+async function handleUpdateJob(request, env, ctx, [jobId]) {
+  requireRole(ctx, "hr", "admin", "superadmin", "client_admin");
+  const body = await safeJson(request);
+
+  // Only allow safe fields to be updated
+  const allowed = ["title", "description", "department", "location", "job_type", "employment_type",
+    "skills", "salary_min", "salary_max", "status", "level", "experience_required"];
+  const update = {};
+  for (const key of allowed) {
+    if (body[key] !== undefined) update[key] = body[key];
+  }
+
+  if (Object.keys(update).length === 0) {
+    throw new ValidationError("No valid fields to update");
+  }
+
+  // sbFetch enforces tenant_id filter → prevents cross-tenant edits
+  const res = await sbFetch(
+    env,
+    "PATCH",
+    `/rest/v1/jobs?id=eq.${jobId}`,
+    update,
+    false,
+    ctx.tenantId,
+  );
+  const [job] = await res.json();
+
+  await audit(env, ctx, "job.updated", "jobs", jobId, { fields: Object.keys(update) });
+  await invalidateCache(env, `analytics:summary:${ctx.tenantId}`);
+  return apiResponse({ job });
+}
+
+/**
+ * DELETE /recruitment/jobs/:id — Delete a job (tenant-isolated).
+ */
+async function handleDeleteJob(request, env, ctx, [jobId]) {
+  requireRole(ctx, "hr", "admin", "superadmin", "client_admin");
+
+  // sbFetch enforces tenant_id filter → prevents cross-tenant deletes
+  const res = await sbFetch(
+    env,
+    "DELETE",
+    `/rest/v1/jobs?id=eq.${jobId}`,
+    null,
+    false,
+    ctx.tenantId,
+  );
+
+  await audit(env, ctx, "job.deleted", "jobs", jobId, {});
+  await invalidateCache(env, `analytics:summary:${ctx.tenantId}`);
+  return apiResponse({ deleted: true, id: jobId });
+}
+
 async function handlePublicJobs(request, env, ctx, _, url) {
   // Unauthenticated endpoint for embeddable Careers Widget
   const company_id = url.searchParams.get("company_id");
@@ -3413,6 +3471,27 @@ async function handlePublicJobs(request, env, ctx, _, url) {
       "company_id parameter is required for public job listings",
     );
 
+  // ── Check if company is blocked before serving public jobs ──
+  try {
+    const compRes = await fetch(
+      `${env.SUPABASE_URL}/rest/v1/companies?id=eq.${company_id}&select=is_blocked`,
+      {
+        headers: {
+          apikey: env.SUPABASE_SERVICE_KEY,
+          Authorization: `Bearer ${env.SUPABASE_SERVICE_KEY}`,
+        },
+      },
+    );
+    if (compRes.ok) {
+      const companies = await compRes.json();
+      if (companies.length > 0 && companies[0].is_blocked) {
+        return apiResponse({ jobs: [] }); // Blocked company — return no jobs
+      }
+    }
+  } catch (e) {
+    console.warn("[PublicJobs] Company block check failed:", e.message);
+  }
+
   // Pass company_id as the tenant parameter to sbFetch to auto-filter and isolate tenant records securely
   const res = await sbFetch(
     env,
diff --git a/jobs.html b/jobs.html
@@ -255,23 +255,31 @@ <h3>🗑️ Delete Job</h3>
 <div class="toast" id="toast"></div>
 
 <div class="footer">
-  © 2025 <a href="/">Simpatico HR Consultancy</a>  AI-Powered Recruitment
+  © 2025 <a href="/">Simpatico HR Consultancy</a> • AI-Powered Recruitment
 </div>
 
 <script>
 // ---------------------------------------------------------------
-// CONFIG  NO EXPOSED CREDENTIALS
+// CONFIG — MULTI-TENANT SAFE
 // ---------------------------------------------------------------
-const WORKER_URL = "https://evalis-ai.simpaticohrconsultancy.workers.dev";
+const WORKER_URL = window.SIMPATICO_CONFIG?.workerUrl || "https://evalis-ai.simpaticohrconsultancy.workers.dev";
 
 let allJobs = [];
 let currentFilter = 'all';
 let isAdmin = false;
 let HR_TOKEN = null;
 let HR_USER = null;
 
+// Get the current tenant/company ID from the logged-in user context
+function getCurrentCompanyId() {
+  try {
+    const user = HR_USER || JSON.parse(localStorage.getItem('simpatico_user') || '{}');
+    return user?.company_id || user?.tenant_id || null;
+  } catch { return null; }
+}
+
 // ---------------------------------------------------------------
-// API HELPER  All calls go through the worker
+// API HELPER — All calls go through the worker (tenant-isolated)
 // ---------------------------------------------------------------
 async function api(method, path, body = null, auth = false) {
   const opts = {
@@ -281,11 +289,14 @@ <h3>🗑️ Delete Job</h3>
   if (auth && HR_TOKEN) {
     opts.headers['Authorization'] = 'Bearer ' + HR_TOKEN;
   }
+  // Always send tenant context header for backend isolation
+  const cid = getCurrentCompanyId();
+  if (cid) opts.headers['X-Tenant-ID'] = cid;
   if (body) opts.body = JSON.stringify(body);
 
   const res = await fetch(WORKER_URL + path, opts);
   const data = await res.json();
-  if (!res.ok) throw new Error(data.error || 'HTTP ' + res.status);
+  if (!res.ok) throw new Error(data.error?.message || data.error || 'HTTP ' + res.status);
   return data;
 }
 
@@ -297,32 +308,49 @@ <h3>🗑️ Delete Job</h3>
   t.textContent = msg;
   t.className = `toast ${type} show`;
   setTimeout(() => t.classList.remove('show'), 3000);
-}// ---------------------------------------------------------------
-// LOAD JOBS — Public endpoint GET /jobs
+}
+// ---------------------------------------------------------------
+// LOAD JOBS — Tenant-Isolated via Worker API
 // ---------------------------------------------------------------
 async function loadJobs() {
   const el = document.getElementById("jobsList");
   try {
-    const params = new URLSearchParams();
     const search = document.getElementById('searchInput')?.value?.trim();
-    
-    const SUPABASE_URL = window.SIMPATICO_CONFIG?.supabaseUrl;
-    const SUPABASE_ANON_KEY = window.SIMPATICO_CONFIG?.supabaseAnonKey;
-    
-    // Default query for open job postings
-    let sbUrl = `${SUPABASE_URL}/rest/v1/jobs?status=eq.open&select=*,job_applications(count)&order=created_at.desc`;
-    
-    if (search) sbUrl += '&title=ilike.*' + encodeURIComponent(search) + '*';
-    if (currentFilter && currentFilter !== 'all') sbUrl += '&type=eq.' + currentFilter;
-    
-    const res = await fetch(sbUrl, { 
-      headers: { 
-        apikey: SUPABASE_ANON_KEY, 
-        Authorization: 'Bearer ' + SUPABASE_ANON_KEY 
-      } 
-    });
-    
-    const jobs = (await res.json()) || [];
+    const companyId = getCurrentCompanyId();
+    let jobs = [];
+
+    if (isAdmin && HR_TOKEN && companyId) {
+      // ADMIN MODE: Fetch only this company's jobs via authenticated Worker endpoint
+      const statusParam = (currentFilter && currentFilter !== 'all') ? currentFilter : 'open';
+      const data = await api('GET', `/recruitment/jobs?status=${statusParam}`, null, true);
+      jobs = data.jobs || data || [];
+    } else if (companyId) {
+      // LOGGED-IN USER: Fetch own company jobs via public endpoint
+      const data = await api('GET', `/recruitment/public/jobs?company_id=${companyId}`);
+      jobs = data.jobs || data || [];
+    } else {
+      // PUBLIC VIEW (no company context): Show Simpatico HR's own jobs only
+      // Use the configured default tenant ID as fallback
+      const defaultTenant = window.SIMPATICO_CONFIG?.tenantId || 'SIMP_PRO_MAIN';
+      const data = await api('GET', `/recruitment/public/jobs?company_id=${defaultTenant}`);
+      jobs = data.jobs || data || [];
+    }
+
+    // Client-side search filter
+    if (search) {
+      const q = search.toLowerCase();
+      jobs = jobs.filter(j => 
+        (j.title || '').toLowerCase().includes(q) ||
+        (j.department || '').toLowerCase().includes(q) ||
+        (j.location || '').toLowerCase().includes(q) ||
+        (j.description || '').toLowerCase().includes(q)
+      );
+    }
+
+    // Client-side type filter (only for public/non-admin mode)
+    if (!isAdmin && currentFilter && currentFilter !== 'all') {
+      jobs = jobs.filter(j => (j.job_type || j.employment_type || '') === currentFilter);
+    }
 
     if (!jobs.length) {
       el.innerHTML = `<div class="empty">
@@ -573,12 +601,21 @@ <h2>${job.title || 'Untitled'}</h2>
   };
 
   try {
-    await api('POST', '/db', {
-      action: 'update',
-      table: 'jobs',
-      data: updateData,
-      filters: { id: jobId }
-    }, true);
+    // ★ TENANT-ISOLATED: Use authenticated Worker endpoint with job ID
+    // Backend enforces tenant_id check via sbFetch to prevent cross-tenant edits
+    const res = await fetch(WORKER_URL + `/recruitment/jobs/${jobId}`, {
+      method: 'PATCH',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': 'Bearer ' + HR_TOKEN,
+        'X-Tenant-ID': getCurrentCompanyId() || ''
+      },
+      body: JSON.stringify(updateData)
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(err.error?.message || err.error || 'Update failed');
+    }
 
     showToast("✅ Job updated!", "success");
     closeEditModal();
@@ -605,9 +642,20 @@ <h2>${job.title || 'Untitled'}</h2>
   btn.disabled = true; btn.textContent = '⏳...';
 
   try {
-    await api('POST', '/db', {
-      action: 'delete', table: 'jobs', filters: { id: jobId }
-    }, true);
+    // ★ TENANT-ISOLATED: Use authenticated Worker endpoint
+    // Backend enforces tenant_id check via sbFetch to prevent cross-tenant deletes
+    const res = await fetch(WORKER_URL + `/recruitment/jobs/${jobId}`, {
+      method: 'DELETE',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': 'Bearer ' + HR_TOKEN,
+        'X-Tenant-ID': getCurrentCompanyId() || ''
+      }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(err.error?.message || err.error || 'Delete failed');
+    }
 
     showToast("🗑️ Job deleted", "success");
     closeDeleteModal();
