diff --git a/src/controllers/03-customer-branch-controller.ts b/src/controllers/03-customer-branch-controller.ts
index 6bc535c..a4cacd0 100644
--- a/src/controllers/03-customer-branch-controller.ts
+++ b/src/controllers/03-customer-branch-controller.ts
@@ -473,12 +473,58 @@ export class CustomerBranchController extends Controller {
 @Body() body: CustomerBranchUpdate,
 @Path() branchId: string,
 ) {
- const branch = await prisma.customerBranch.findUnique({ where: { id: branchId } });
+ const branch = await prisma.customerBranch.findUnique({
+ where: { id: branchId },
+ include: {
+ customer: {
+ include: {
+ registeredBranch: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ headOffice: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ });
 if (!branch) {
 throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
 }
+ if (!isSystem(req.user)) {
+ const _branch = branch.customer.registeredBranch;
+ const affilationBranch = _branch && _branch.user.length !== 0;
+ const affilationHeadBranch =
+ _branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
+ if (!globalAllow(req.user)) {
+ if (!affilationBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ } else {
+ if (!affilationBranch && !affilationHeadBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
+ }
+ if (!body.customerId) body.customerId = branch.customerId;
 if (body.provinceId || body.districtId || body.subDistrictId || body.customerId) {