From 05a959ee55a819bd6606c360f4df7af8f4ed7bb8 Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Wed, 4 Sep 2024 17:41:54 +0700
Subject: [PATCH] feat: user permission on delete
---
 src/controllers/user-controller.ts | 38 +++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index 7d98743..9292113 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -681,15 +681,47 @@ export class UserController extends Controller {
 createdBy: true,
 updatedBy: true,
 branch: {
- where: {
- userId: req.user.sub,
+ include: {
+ branch: {
+ include: {
+ branch: {
+ include: {
+ headOffice: {
+ include: {
+ user: {
+ where: {
+ userId: req.user.sub,
+ },
+ },
+ },
+ },
+ },
+ },
+ user: {
+ where: {
+ userId: req.user.sub,
+ },
+ },
+ },
+ },
 },
 },
 },
 where: { id: userId },
 });
- if (!globalAllow(req.user) && !record?.branch.some((v) => v.userId === req.user.sub)) {
+ if (
+ !isSystem(req.user) &&
+ record?.branch.some((v) => {
+ const allow = v.branch.user.some((u) => u.userId === req.user.sub);
+ if (!globalAllow(req.user) && !allow) {
+ return v.branch.branch.some((b) =>
+ b.headOffice?.user.some((u) => u.userId === req.user.sub),
+ );
+ }
+ return true;
+ })
+ ) {
 throw new HttpError(
 HttpStatus.FORBIDDEN,
 "You do not have permission to perform this action.",
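Review bot: The new permission condition appears inverted: the `some` callback returns `true` on exactly the paths that grant access (global allow, the caller is a member of the target's branch, or of that branch's head office), and the outer `if` throws FORBIDDEN when `some` is true, so related callers are denied while a caller who shares nothing with the target passes the check, which is the opposite of the `-` line it replaces. A missing `record` now also slips through, because `record?.branch.some(...)` yields `undefined` and nothing is thrown, whereas the old `!record?.branch.some(...)` threw. The smallest fix is to negate the membership test, `!isSystem(req.user) && !record?.branch.some((v) => {`, so the throw happens when no branch grants access and when the record is absent. Note that with that change a `globalAllow` caller is still denied when the target has no branch rows, since the `globalAllow` shortcut now lives inside the per-branch callback; if that is not intended, hoist it to `!isSystem(req.user) && !globalAllow(req.user) && !record?.branch.some(...)`. The enclosing method starts and ends outside the hunk, so I cannot see how `record` and `userId` are obtained.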