feat: user permission on delete

2024-09-04 17:41:54 +07:00 · 2024-09-04 17:41:54 +07:00 · 05a959ee55
commit 05a959ee55
parent 2cd92b2234
1 changed files with 35 additions and 3 deletions
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@ -681,15 +681,47 @@ export class UserController extends Controller {
        createdBy: true,
        updatedBy: true,
        branch: {
-          where: {
-            userId: req.user.sub,
+          include: {
+            branch: {
+              include: {
+                branch: {
+                  include: {
+                    headOffice: {
+                      include: {
+                        user: {
+                          where: {
+                            userId: req.user.sub,
+                          },
+                        },
+                      },
+                    },
+                  },
+                },
+                user: {
+                  where: {
+                    userId: req.user.sub,
+                  },
+                },
+              },
+            },
          },
        },
      },
      where: { id: userId },
    });

-    if (!globalAllow(req.user) && !record?.branch.some((v) => v.userId === req.user.sub)) {
+    if (
+      !isSystem(req.user) &&
+      record?.branch.some((v) => {
+        const allow = v.branch.user.some((u) => u.userId === req.user.sub);
+        if (!globalAllow(req.user) && !allow) {
+          return v.branch.branch.some((b) =>
+            b.headOffice?.user.some((u) => u.userId === req.user.sub),
+          );
+        }
+        return true;
+      })
+    ) {
      throw new HttpError(
        HttpStatus.FORBIDDEN,
        "You do not have permission to perform this action.",