From 102f0216f8377bb7dbb3f1a77d8a259656af7566 Mon Sep 17 00:00:00 2001 From: Methapon Metanipat Date: Mon, 9 Sep 2024 13:40:47 +0700 Subject: [PATCH] fix: wrong permission condition --- src/controllers/03-employee-controller.ts | 127 +++++++++++++++++----- 1 file changed, 97 insertions(+), 30 deletions(-) diff --git a/src/controllers/03-employee-controller.ts b/src/controllers/03-employee-controller.ts index 0e3743f..4bd08bb 100644 --- a/src/controllers/03-employee-controller.ts +++ b/src/controllers/03-employee-controller.ts @@ -304,10 +304,20 @@ export class EmployeeController extends Controller { : { registeredBranch: { OR: [ - { user: { some: { userId: req.user.sub } } }, { - branch: globalAllow(req.user) - ? { some: { user: { some: { userId: req.user.sub } } } } + user: { some: { userId: req.user.sub } }, + }, + { + branch: { some: { user: { some: { userId: req.user.sub } } } }, + }, + { + headOffice: globalAllow(req.user) + ? { branch: { some: { user: { some: { userId: req.user.sub } } } } } + : undefined, + }, + { + headOffice: globalAllow(req.user) + ? { user: { some: { userId: req.user.sub } } } : undefined, }, ], @@ -400,16 +410,13 @@ export class EmployeeController extends Controller { include: { registeredBranch: { include: { - user: { - where: { userId: req.user.sub }, - }, headOffice: { include: { - user: { - where: { userId: req.user.sub }, - }, + branch: { where: { user: { some: { userId: req.user.sub } } } }, + user: { where: { userId: req.user.sub } }, }, }, + user: { where: { userId: req.user.sub } }, }, }, }, 
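Review bot: For a caller for whom `globalAllow(req.user)` is false, the two new `{ headOffice: undefined }` members of the `OR` array become empty filter objects once Prisma drops the undefined key, and an empty member in `OR` matches every row (the same way `where: {}` does) — if that is how this Prisma version behaves, the branch scoping for ordinary users is bypassed by the query itself rather than by the later permission checks. The removed `branch: globalAllow(...) ? ... : undefined` line had the same shape, so this is pre-existing, but the new code doubles it. Build the array with a conditional spread so the head-office members are absent instead of empty; the enclosing `where` and the handler around it start before the hunk. Separately, the new unconditional `registeredBranch.branch` member lets ordinary users list records through a sub-branch affiliation that the mutation checks in the later hunks never consider — worth confirming that is intended.
```typescript
OR: [
  { user: { some: { userId: req.user.sub } } },
  { branch: { some: { user: { some: { userId: req.user.sub } } } } },
  // Add the head-office members only for callers with global scope: a member whose
  // only key is undefined is an empty filter and would match every row.
  ...(globalAllow(req.user)
    ? [
        { headOffice: { branch: { some: { user: { some: { userId: req.user.sub } } } } } },
        { headOffice: { user: { some: { userId: req.user.sub } } } },
      ]
    : []),
],
```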
@@ -442,20 +449,20 @@ export class EmployeeController extends Controller { "relationCustomerBranchNotFound", ); if (!isSystem(req.user)) { - const _branch = customerBranch.customer.registeredBranch; - const affilationBranch = _branch && _branch.user.length !== 0; - const affilationHeadBranch = - _branch && _branch.headOffice && _branch.headOffice.user.length !== 0; - if (!globalAllow(req.user)) { - if (!affilationBranch) { - throw new HttpError( - HttpStatus.FORBIDDEN, - "You do not have permission to perform this action.", - "noPermission", - ); - } + const _record = customerBranch.customer.registeredBranch; + if (!globalAllow(req.user) && _record?.user.length === 0) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); } else { - if (!affilationBranch && !affilationHeadBranch) { + if ( + (_record?.user.length === 0 && !_record.headOffice) || + (_record?.headOffice && + _record.headOffice.user.length === 0 && + _record.headOffice.branch.length === 0) + ) { throw new HttpError( HttpStatus.FORBIDDEN, "You do not have permission to perform this action.", @@ -599,8 +606,24 @@ export class EmployeeController extends Controller { prisma.district.findFirst({ where: { id: body.districtId || undefined } }), prisma.subDistrict.findFirst({ where: { id: body.subDistrictId || undefined } }), prisma.customerBranch.findFirst({ - where: { id: body.customerBranchId || undefined }, - include: { customer: true }, + where: { id: body.customerBranchId }, + include: { + customer: { + include: { + registeredBranch: { + include: { + headOffice: { + include: { + branch: { where: { user: { some: { userId: req.user.sub } } } }, + user: { where: { userId: req.user.sub } }, + }, + }, + user: { where: { userId: req.user.sub } }, + }, + }, + }, + }, + }, }), prisma.employee.findFirst({ where: { id: employeeId }, 
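Review bot: `_record?.user.length === 0` evaluates to `undefined === 0`, i.e. false, when `registeredBranch` is null, so a non-system user whose customer has no registered branch now passes both the `!globalAllow` test and the `else` test and reaches the action; the removed `_branch && _branch.user.length !== 0` denied that case. Treat a missing record as no affiliation: `const noBranch = !_record || _record.user.length === 0;` and use `noBranch` in place of `_record?.user.length === 0` in both conditions. I would also check whether the `else` path can deny a non-global user who is directly affiliated (`_record.user.length !== 0`) but whose `headOffice` has no matching `user` or `branch` — whether `headOffice.branch` always contains the registered branch itself depends on the schema, which is not visible here. The enclosing handler starts before and ends after the hunk.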
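Review bot: `prisma.customerBranch.findFirst({ where: { id: body.customerBranchId } })` runs even when the request carries no `customerBranchId`; with an undefined `id` Prisma ignores the filter and returns an arbitrary first row, whose `registeredBranch` is then loaded and filtered by the caller's user id. The later permission block is gated on `body.customerBranchId && customerBranch` (visible in the last hunk), so nothing leaks today, but that guard is the only thing standing between the arbitrary row and the check, so the query itself should be skipped when no id is given, e.g. `body.customerBranchId ? prisma.customerBranch.findFirst({ … }) : Promise.resolve(null)`. The array of queries this belongs to starts before the hunk.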
@@ -611,16 +634,13 @@ export class EmployeeController extends Controller { include: { registeredBranch: { include: { - user: { - where: { userId: req.user.sub }, - }, headOffice: { include: { - user: { - where: { userId: req.user.sub }, - }, + branch: { where: { user: { some: { userId: req.user.sub } } } }, + user: { where: { userId: req.user.sub } }, }, }, + user: { where: { userId: req.user.sub } }, }, }, }, @@ -658,6 +678,53 @@ export class EmployeeController extends Controller { throw new HttpError(HttpStatus.NOT_FOUND, "Employee cannot be found.", "employeeNotFound"); } + if (!isSystem(req.user)) { + const _record = employee.customerBranch.customer.registeredBranch; + if (!globalAllow(req.user) && _record?.user.length === 0) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } else { + if ( + (_record?.user.length === 0 && !_record.headOffice) || + (_record?.headOffice && + _record.headOffice.user.length === 0 && + _record.headOffice.branch.length === 0) + ) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } + } + } + if (!isSystem(req.user) && body.customerBranchId && customerBranch) { + const _record = customerBranch.customer.registeredBranch; + if (!globalAllow(req.user) && _record?.user.length === 0) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } else { + if ( + (_record?.user.length === 0 && !_record.headOffice) || + (_record?.headOffice && + _record.headOffice.user.length === 0 && + _record.headOffice.branch.length === 0) + ) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } + } + } + const { provinceId, districtId,
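Review bot: Both new blocks rely on `_record?.user.length === 0`, which is false when `registeredBranch` is null, so a non-system user is allowed through for an employee (or a target `customerBranch`) whose customer has no registered branch; the older `_branch && _branch.user.length !== 0` form in this file denied that case. The same twelve-line check now appears three times, so it should be one helper that also handles the null record, called here as `assertBranchAffiliation(req.user, employee.customerBranch.customer.registeredBranch)` and, when `body.customerBranchId && customerBranch`, again for `customerBranch.customer.registeredBranch`. The helper below treats direct affiliation as sufficient, as the removed `!affilationBranch && !affilationHeadBranch` did, whereas the new `else` path can deny a directly affiliated user whose head office has no match — confirm which is intended. The handler starts before and continues past the hunk.
```typescript
type AffiliationRecord =
  | { user: unknown[]; headOffice: { user: unknown[]; branch: unknown[] } | null }
  | null
  | undefined;

/**
 * Throws 403 unless `user` is affiliated with `record`, a registeredBranch whose
 * `user`, `headOffice.user` and `headOffice.branch` were loaded already filtered by
 * the caller's id. A missing record counts as no affiliation, not as no restriction.
 */
function assertBranchAffiliation(user: Parameters<typeof globalAllow>[0], record: AffiliationRecord): void {
  if (isSystem(user)) return;
  const forbidden = () =>
    new HttpError(HttpStatus.FORBIDDEN, "You do not have permission to perform this action.", "noPermission");
  if (!record) throw forbidden();
  const direct = record.user.length !== 0;
  if (!globalAllow(user)) {
    if (!direct) throw forbidden();
    return;
  }
  const viaHeadOffice = record.headOffice
    ? record.headOffice.user.length !== 0 || record.headOffice.branch.length !== 0
    : false;
  if (!direct && !viaHeadOffice) throw forbidden();
}
```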