add perm filter

server/api/files/upload/[destination].post.ts

@@ -1,6 +1,18 @@
 import { IncomingForm } from "formidable";
 
-export default defineEventHandler((event) => {
+export default defineEventHandler(async (event) => {
+    const email = getHeader(event, "x-token-user-email");
+    if (!email) {
+        setResponseStatus(event, 401);
+        return;
+    }
+
+    const perms = await getPermissions(email);
+    if (!perms?.admin) {
+        setResponseStatus(event, 403);
+        return;
+    }
+
     const destination = getRouterParam(event, "destination");
     if (!destination) {
         return;
@@ -20,7 +32,7 @@ export default defineEventHandler((event) => {
         createDirsFromUploads: true,
     });
 
-    return new Promise((resolve, reject) => {
+    await new Promise((resolve, reject) => {
         form.parse(event.node.req, (err, fields, files) => {
             if (err) {
                 reject(err);

server/api/vx/[id]/preview.get.ts

@@ -1,4 +1,16 @@
 export default defineEventHandler(async (event) => {
+    const email = getHeader(event, "x-token-user-email");
+    if (!email) {
+        setResponseStatus(event, 401);
+        return;
+    }
+
+    const perms = await getPermissions(email);
+    if (!perms?.admin) {
+        setResponseStatus(event, 403);
+        return;
+    }
+
     const id = getRouterParam(event, "id");
 
     const config = useRuntimeConfig().api.cantemo;

server/api/vx/[id]/transcription.get.ts

@@ -1,4 +1,16 @@
 export default defineEventHandler(async (event) => {
+    const email = getHeader(event, "x-token-user-email");
+    if (!email) {
+        setResponseStatus(event, 401);
+        return;
+    }
+
+    const perms = await getPermissions(email);
+    if (!perms?.admin) {
+        setResponseStatus(event, 403);
+        return;
+    }
+
     const id = getRouterParam(event, "id");
 
     const config = useRuntimeConfig().api.cantemo;