refactor: use helper function instead for easier fix

This commit is contained in:
Methapon Metanipat 2024-09-10 13:23:03 +07:00
parent f79650a9bd
commit 06919a0205
4 changed files with 77 additions and 385 deletions


@ -31,6 +31,11 @@ import {
import { isSystem } from "../utils/keycloak";
import { fileLocation, listFile } from "../utils/minio";
import { filterStatus } from "../services/prisma";
import {
branchRelationPermInclude,
createPermCheck,
createPermCondition,
} from "../services/permission";
if (!process.env.MINIO_BUCKET) {
throw Error("Require MinIO bucket.");
@ -138,7 +143,10 @@ type UserUpdate = {
branchId?: string | string[];
};
async function permissionCheck(user: RequestWithUser["user"], userId: string) {
const permissionCond = createPermCondition(globalAllow);
const permissionCheck = createPermCheck(globalAllow);
async function permissionCheckGetUser(user: RequestWithUser["user"], userId: string) {
const record = await prisma.user.findFirst({
include: {
province: true,
@ -245,26 +253,7 @@ export class UserController extends Controller {
: {
some: {
branch: {
OR: [
{
user: { some: { userId: req.user.sub } },
},
{
branch: globalAllow(req.user)
? { some: { user: { some: { userId: req.user.sub } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined,
},
],
OR: permissionCond(req.user),
},
},
},
@ -313,26 +302,7 @@ export class UserController extends Controller {
: {
some: {
branch: {
OR: [
{
user: { some: { userId: req.user.sub } },
},
{
branch: globalAllow(req.user)
? { some: { user: { some: { userId: req.user.sub } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined,
},
],
OR: permissionCond(req.user),
},
},
},
@ -395,15 +365,7 @@ export class UserController extends Controller {
prisma.district.findFirst({ where: { id: body.districtId ?? undefined } }),
prisma.subDistrict.findFirst({ where: { id: body.subDistrictId ?? undefined } }),
prisma.branch.findMany({
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
include: branchRelationPermInclude(req.user),
where: { id: { in: Array.isArray(body.branchId) ? body.branchId : [body.branchId] } },
}),
prisma.user.findFirst({
@ -439,28 +401,7 @@ export class UserController extends Controller {
);
}
if (!isSystem(req.user)) {
branch.forEach((v) => {
if (!globalAllow(req.user) && v.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(v.user.length === 0 && !v.headOffice) ||
(v.headOffice && v.headOffice.user.length === 0 && v.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
});
}
await Promise.all([...branch.map(async (branch) => await permissionCheck(req.user, branch))]);
if (user) {
throw new HttpError(HttpStatus.BAD_REQUEST, "User exists.", "userExists");
@ -576,15 +517,7 @@ export class UserController extends Controller {
branch: {
include: {
branch: {
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
include: branchRelationPermInclude(req.user),
},
},
},
@ -592,15 +525,7 @@ export class UserController extends Controller {
where: { id: userId },
}),
prisma.branch.findMany({
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
include: branchRelationPermInclude(req.user),
where: {
id: {
in: Array.isArray(body.branchId) ? body.branchId : body.branchId ? [body.branchId] : [],
@ -636,48 +561,10 @@ export class UserController extends Controller {
"minimumBranchNotMet",
);
}
if (!isSystem(req.user)) {
user.branch.forEach(({ branch: v }) => {
if (!globalAllow(req.user) && v.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(v.user.length === 0 && !v.headOffice) ||
(v.headOffice && v.headOffice.user.length === 0 && v.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
});
branch.forEach((v) => {
if (!globalAllow(req.user) && v.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(v.user.length === 0 && !v.headOffice) ||
(v.headOffice && v.headOffice.user.length === 0 && v.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
});
}
await Promise.all([
...user.branch.map(async ({ branch }) => await permissionCheck(req.user, branch)),
...branch.map(async (branch) => await permissionCheck(req.user, branch)),
]);
const setRoleIndex = MANAGE_ROLES.findIndex((v) => v === body.userRole);
const userRoleIndex = MANAGE_ROLES.reduce(
(a, c, i) => (req.user.roles?.includes(c) ? i : a),
@ -839,30 +726,9 @@ export class UserController extends Controller {
throw new HttpError(HttpStatus.NOT_FOUND, "User cannot be found.", "userNotFound");
}
if (!isSystem(req.user)) {
record.branch.forEach(({ branch }) => {
if (!globalAllow(req.user) && branch.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(branch.user.length === 0 && !branch.headOffice) ||
(branch.headOffice &&
branch.headOffice.user.length === 0 &&
branch.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
});
}
await Promise.all([
...record.branch.map(async ({ branch }) => await permissionCheck(req.user, branch)),
]);
if (record.status !== Status.CREATED) {
throw new HttpError(HttpStatus.FORBIDDEN, "User is in used.", "userInUsed");
@ -916,7 +782,7 @@ export class UserProfileController extends Controller {
@Put("{name}")
@Security("keycloak")
async putImage(@Request() req: RequestWithUser, @Path() userId: string, @Path() name: string) {
await permissionCheck(req.user, userId);
await permissionCheckGetUser(req.user, userId);
return req.res?.redirect(
await minio.presignedPutObject(
MINIO_BUCKET,
@ -929,7 +795,7 @@ export class UserProfileController extends Controller {
@Delete("{name}")
@Security("keycloak")
async deleteImage(@Request() req: RequestWithUser, @Path() userId: string, @Path() name: string) {
await permissionCheck(req.user, userId);
await permissionCheckGetUser(req.user, userId);
await minio.removeObject(MINIO_BUCKET, fileLocation.user.profile(userId, name), {
forceDelete: true,
});
@ -970,7 +836,7 @@ export class UserAttachmentController extends Controller {
@Path() userId: string,
@Body() payload: { file: string[] },
) {
await permissionCheck(req.user, userId);
await permissionCheckGetUser(req.user, userId);
return await Promise.all(
payload.file.map(async (v) => ({
@ -991,7 +857,7 @@ export class UserAttachmentController extends Controller {
@Path() userId: string,
@Body() payload: { file: string[] },
) {
await permissionCheck(req.user, userId);
await permissionCheckGetUser(req.user, userId);
await Promise.all(
payload.file.map(async (v) => {
await minio.removeObject(MINIO_BUCKET, fileLocation.user.attachment(userId, v), {
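Review bot: The `if (!isSystem(req.user))` guard that wrapped the old inline branch checks is dropped in the hunks at lines 108/130, 171/213 and 223/247, so the new `permissionCheck(req.user, branch)` now runs for system users as well; unless `createPermCheck(globalAllow)` short-circuits on `isSystem` internally, a system caller whose token is not attached to any branch would now be refused (fail-closed, but a behaviour change the commit message does not mention). If the bypass is meant to live inside the helper, that contract should be stated at the new module-level binding on line 27, e.g. `// createPermCheck must grant system users unconditionally: callers no longer guard on isSystem(req.user)`. Separately, the `async (branch) => await permissionCheck(req.user, branch)` wrappers shadow the outer `branch` array and add nothing over `branch.map((b) => permissionCheck(req.user, b))`. The enclosing controller methods start and end outside these hunks.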