fix: wrong permission condition
This commit is contained in:
Methapon Metanipat
parent
ed2b3a5a41
commit
102f0216f8
1 changed files with 97 additions and 30 deletions
|
|
@ -304,10 +304,20 @@ export class EmployeeController extends Controller {
|
|||
: {
|
||||
registeredBranch: {
|
||||
OR: [
|
||||
{ user: { some: { userId: req.user.sub } } },
|
||||
{
|
||||
branch: globalAllow(req.user)
|
||||
? { some: { user: { some: { userId: req.user.sub } } } }
|
||||
user: { some: { userId: req.user.sub } },
|
||||
},
|
||||
{
|
||||
branch: { some: { user: { some: { userId: req.user.sub } } } },
|
||||
},
|
||||
{
|
||||
headOffice: globalAllow(req.user)
|
||||
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
|
||||
: undefined,
|
||||
},
|
||||
{
|
||||
headOffice: globalAllow(req.user)
|
||||
? { user: { some: { userId: req.user.sub } } }
|
||||
: undefined,
|
||||
},
|
||||
],
|
||||
|
|
@ -400,16 +410,13 @@ export class EmployeeController extends Controller {
|
|||
include: {
|
||||
registeredBranch: {
|
||||
include: {
|
||||
user: {
|
||||
where: { userId: req.user.sub },
|
||||
},
|
||||
headOffice: {
|
||||
include: {
|
||||
user: {
|
||||
where: { userId: req.user.sub },
|
||||
},
|
||||
branch: { where: { user: { some: { userId: req.user.sub } } } },
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -442,20 +449,20 @@ export class EmployeeController extends Controller {
|
|||
"relationCustomerBranchNotFound",
|
||||
);
|
||||
if (!isSystem(req.user)) {
|
||||
const _branch = customerBranch.customer.registeredBranch;
|
||||
const affilationBranch = _branch && _branch.user.length !== 0;
|
||||
const affilationHeadBranch =
|
||||
_branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
|
||||
if (!globalAllow(req.user)) {
|
||||
if (!affilationBranch) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
}
|
||||
const _record = customerBranch.customer.registeredBranch;
|
||||
if (!globalAllow(req.user) && _record?.user.length === 0) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
} else {
|
||||
if (!affilationBranch && !affilationHeadBranch) {
|
||||
if (
|
||||
(_record?.user.length === 0 && !_record.headOffice) ||
|
||||
(_record?.headOffice &&
|
||||
_record.headOffice.user.length === 0 &&
|
||||
_record.headOffice.branch.length === 0)
|
||||
) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
|
|
@ -599,8 +606,24 @@ export class EmployeeController extends Controller {
|
|||
prisma.district.findFirst({ where: { id: body.districtId || undefined } }),
|
||||
prisma.subDistrict.findFirst({ where: { id: body.subDistrictId || undefined } }),
|
||||
prisma.customerBranch.findFirst({
|
||||
where: { id: body.customerBranchId || undefined },
|
||||
include: { customer: true },
|
||||
where: { id: body.customerBranchId },
|
||||
include: {
|
||||
customer: {
|
||||
include: {
|
||||
registeredBranch: {
|
||||
include: {
|
||||
headOffice: {
|
||||
include: {
|
||||
branch: { where: { user: { some: { userId: req.user.sub } } } },
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
prisma.employee.findFirst({
|
||||
where: { id: employeeId },
|
||||
|
|
@ -611,16 +634,13 @@ export class EmployeeController extends Controller {
|
|||
include: {
|
||||
registeredBranch: {
|
||||
include: {
|
||||
user: {
|
||||
where: { userId: req.user.sub },
|
||||
},
|
||||
headOffice: {
|
||||
include: {
|
||||
user: {
|
||||
where: { userId: req.user.sub },
|
||||
},
|
||||
branch: { where: { user: { some: { userId: req.user.sub } } } },
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
user: { where: { userId: req.user.sub } },
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -658,6 +678,53 @@ export class EmployeeController extends Controller {
|
|||
throw new HttpError(HttpStatus.NOT_FOUND, "Employee cannot be found.", "employeeNotFound");
|
||||
}
|
||||
|
||||
if (!isSystem(req.user)) {
|
||||
const _record = employee.customerBranch.customer.registeredBranch;
|
||||
if (!globalAllow(req.user) && _record?.user.length === 0) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
} else {
|
||||
if (
|
||||
(_record?.user.length === 0 && !_record.headOffice) ||
|
||||
(_record?.headOffice &&
|
||||
_record.headOffice.user.length === 0 &&
|
||||
_record.headOffice.branch.length === 0)
|
||||
) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!isSystem(req.user) && body.customerBranchId && customerBranch) {
|
||||
const _record = customerBranch.customer.registeredBranch;
|
||||
if (!globalAllow(req.user) && _record?.user.length === 0) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
} else {
|
||||
if (
|
||||
(_record?.user.length === 0 && !_record.headOffice) ||
|
||||
(_record?.headOffice &&
|
||||
_record.headOffice.user.length === 0 &&
|
||||
_record.headOffice.branch.length === 0)
|
||||
) {
|
||||
throw new HttpError(
|
||||
HttpStatus.FORBIDDEN,
|
||||
"You do not have permission to perform this action.",
|
||||
"noPermission",
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const {
|
||||
provinceId,
|
||||
districtId,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue