diff --git a/src/controllers/03-employee-controller.ts b/src/controllers/03-employee-controller.ts
index e473622..16af98f 100644
--- a/src/controllers/03-employee-controller.ts
+++ b/src/controllers/03-employee-controller.ts
@@ -18,13 +18,34 @@ import prisma from "../db";
 import HttpStatus from "../interfaces/http-status";
 import HttpError from "../interfaces/http-error";
 import minio, { presignedGetObjectIfExist } from "../services/minio";
+import { isSystem } from "../utils/keycloak";
 if (!process.env.MINIO_BUCKET) {
 throw Error("Require MinIO bucket.");
 }
 const MINIO_BUCKET = process.env.MINIO_BUCKET;
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"];
+const MANAGE_ROLES = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_manager",
+ "head_of_sale",
+ "sale",
+ "head_of_account",
+ "account",
+];
+function globalAllow(user: RequestWithUser["user"]) {
+ const allowList = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_manager",
+ "head_of_sale",
+ "head_of_account",
+ ];
+ return allowList.some((v) => user.roles?.includes(v));
+}
 function imageLocation(id: string) {
 return `employee/${id}/profile-image`;
@@ -257,6 +278,7 @@ export class EmployeeController extends Controller {
 @Get()
 @Security("keycloak")
 async list(
+ @Request() req: RequestWithUser,
 @Query() zipCode?: string,
 @Query() gender?: string,
 @Query() status?: Status,
@@ -283,7 +305,23 @@ export class EmployeeController extends Controller {
 ],
 AND: {
 ...filterStatus(status),
- customerBranch: customerId ? { customerId } : undefined,
+ customerBranch: {
+ customerId,
+ customer: isSystem(req.user)
+ ? undefined
+ : {
+ registeredBranch: {
+ OR: [
+ { user: { some: { userId: req.user.sub } } },
+ {
+ headOffice: !globalAllow(req.user)
+ ? { user: { some: { userId: req.user.sub } } }
+ : undefined,
+ },
+ ],
+ },
+ },
+ },
 subDistrict: zipCode ? { zipCode } : undefined,
 gender,
 },
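Review bot: `globalAllow` is an authorization boundary with no comment saying what "global" grants, and its `allowList` is a second hand-maintained copy of most of `MANAGE_ROLES` (everything except `sale` and `account`), so the two lists will drift the next time a role is added. From its use in the `list` filter later in this diff it appears to mean "may see employees of every registered branch rather than only branches the caller belongs to"; I would put that on the function as TSDoc, e.g. `/** Roles that are not scoped to their own branch/head office when listing employees; every other role (or a user with no roles) is restricted. */`, and annotate the return type `: boolean`. The `user.roles?.includes(v)` guard means a token without a `roles` claim falls through to the restricted path, which is the right default and worth stating in that comment. `RequestWithUser` is referenced here but its import is outside the hunk, so I cannot confirm it is already in scope in this file.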
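Review bot: The `OR` branch for privileged callers relies on `{ headOffice: undefined }` collapsing to an empty filter object, which Prisma treats as matching every row, so for a `globalAllow` user the whole `registeredBranch` scope is silently a no-op; that is presumably the intent (hence the name), but as written it reads like a bug, and a reviewer has to know Prisma's empty-filter semantics to see that the second `OR` element is "true". It would be clearer and easier to audit to decide scope once, `isSystem(req.user) || globalAllow(req.user) ? undefined : { … }`, and keep the `OR` purely about branch membership versus head-office membership. Separately, `customerBranch` was previously `undefined` when no `customerId` was given and now is always an object, so a system caller with no filter sends `customerBranch: {}`; if that relation is optional, confirm that employees with no branch are still returned (the old query did not constrain the relation at all). The enclosing `list` method starts and ends outside this hunk.
```typescript
          customerBranch: {
            customerId,
            // Global roles (and the system user) are not scoped to their
            // own branch; everyone else only sees customers whose registered
            // branch, or that branch's head office, they are a member of.
            customer:
              isSystem(req.user) || globalAllow(req.user)
                ? undefined
                : {
                    registeredBranch: {
                      OR: [
                        { user: { some: { userId: req.user.sub } } },
                        { headOffice: { user: { some: { userId: req.user.sub } } } },
                      ],
                    },
                  },
          },
          // … unchanged: subDistrict, gender …
```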