chamomind/jws-backend
chamomind/jws-backend
6
0
Fork 0
Code Issues Projects 1 Releases Packages 1 Wiki Activity Actions

fix: wrong permission condition

Browse source
This commit is contained in:
Methapon Metanipat 2024-09-09 13:40:47 +07:00
parent ed2b3a5a41
commit 102f0216f8
1 changed files with 97 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

127
src/controllers/03-employee-controller.ts
View file

@ -304,10 +304,20 @@ export class EmployeeController extends Controller {
: { : {
registeredBranch: { registeredBranch: {
OR: [ OR: [
{ user: { some: { userId: req.user.sub } } },
{ {
branch: globalAllow(req.user) user: { some: { userId: req.user.sub } },
? { some: { user: { some: { userId: req.user.sub } } } } },
{
branch: { some: { user: { some: { userId: req.user.sub } } } },
},
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined, : undefined,
}, },
], ],
@ -400,16 +410,13 @@ export class EmployeeController extends Controller {
include: { include: {
registeredBranch: { registeredBranch: {
include: { include: {
user: {
where: { userId: req.user.sub },
},
headOffice: { headOffice: {
include: { include: {
user: { branch: { where: { user: { some: { userId: req.user.sub } } } },
where: { userId: req.user.sub }, user: { where: { userId: req.user.sub } },
},
}, },
}, },
user: { where: { userId: req.user.sub } },
}, },
}, },
}, },
@ -442,20 +449,20 @@ export class EmployeeController extends Controller {
"relationCustomerBranchNotFound", "relationCustomerBranchNotFound",
); );
if (!isSystem(req.user)) { if (!isSystem(req.user)) {
const _branch = customerBranch.customer.registeredBranch; const _record = customerBranch.customer.registeredBranch;
const affilationBranch = _branch && _branch.user.length !== 0; if (!globalAllow(req.user) && _record?.user.length === 0) {
const affilationHeadBranch = throw new HttpError(
_branch && _branch.headOffice && _branch.headOffice.user.length !== 0; HttpStatus.FORBIDDEN,
if (!globalAllow(req.user)) { "You do not have permission to perform this action.",
if (!affilationBranch) { "noPermission",
throw new HttpError( );
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} else { } else {
if (!affilationBranch && !affilationHeadBranch) { if (
(_record?.user.length === 0 && !_record.headOffice) ||
(_record?.headOffice &&
_record.headOffice.user.length === 0 &&
_record.headOffice.branch.length === 0)
) {
throw new HttpError( throw new HttpError(
HttpStatus.FORBIDDEN, HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.", "You do not have permission to perform this action.",
@ -599,8 +606,24 @@ export class EmployeeController extends Controller {
prisma.district.findFirst({ where: { id: body.districtId || undefined } }), prisma.district.findFirst({ where: { id: body.districtId || undefined } }),
prisma.subDistrict.findFirst({ where: { id: body.subDistrictId || undefined } }), prisma.subDistrict.findFirst({ where: { id: body.subDistrictId || undefined } }),
prisma.customerBranch.findFirst({ prisma.customerBranch.findFirst({
where: { id: body.customerBranchId || undefined }, where: { id: body.customerBranchId },
include: { customer: true }, include: {
customer: {
include: {
registeredBranch: {
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
},
},
},
},
}), }),
prisma.employee.findFirst({ prisma.employee.findFirst({
where: { id: employeeId }, where: { id: employeeId },
@ -611,16 +634,13 @@ export class EmployeeController extends Controller {
include: { include: {
registeredBranch: { registeredBranch: {
include: { include: {
user: {
where: { userId: req.user.sub },
},
headOffice: { headOffice: {
include: { include: {
user: { branch: { where: { user: { some: { userId: req.user.sub } } } },
where: { userId: req.user.sub }, user: { where: { userId: req.user.sub } },
},
}, },
}, },
user: { where: { userId: req.user.sub } },
}, },
}, },
}, },
@ -658,6 +678,53 @@ export class EmployeeController extends Controller {
throw new HttpError(HttpStatus.NOT_FOUND, "Employee cannot be found.", "employeeNotFound"); throw new HttpError(HttpStatus.NOT_FOUND, "Employee cannot be found.", "employeeNotFound");
} }
if (!isSystem(req.user)) {
const _record = employee.customerBranch.customer.registeredBranch;
if (!globalAllow(req.user) && _record?.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(_record?.user.length === 0 && !_record.headOffice) ||
(_record?.headOffice &&
_record.headOffice.user.length === 0 &&
_record.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
if (!isSystem(req.user) && body.customerBranchId && customerBranch) {
const _record = customerBranch.customer.registeredBranch;
if (!globalAllow(req.user) && _record?.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(_record?.user.length === 0 && !_record.headOffice) ||
(_record?.headOffice &&
_record.headOffice.user.length === 0 &&
_record.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
const { const {
provinceId, provinceId,
districtId, districtId,