feat: user permission on delete

Methapon Metanipat 2024-09-04 17:41:54 +07:00
parent 2cd92b2234
commit 05a959ee55


@ -681,15 +681,47 @@ export class UserController extends Controller {
createdBy: true,
updatedBy: true,
branch: {
where: {
userId: req.user.sub,
include: {
branch: {
include: {
branch: {
include: {
headOffice: {
include: {
user: {
where: {
userId: req.user.sub,
},
},
},
},
},
},
user: {
where: {
userId: req.user.sub,
},
},
},
},
},
},
},
where: { id: userId },
});
if (!globalAllow(req.user) && !record?.branch.some((v) => v.userId === req.user.sub)) {
if (
!isSystem(req.user) &&
record?.branch.some((v) => {
const allow = v.branch.user.some((u) => u.userId === req.user.sub);
if (!globalAllow(req.user) && !allow) {
return v.branch.branch.some((b) =>
b.headOffice?.user.some((u) => u.userId === req.user.sub),
);
}
return true;
})
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",