From 195c889881e86735878c9cbe64c5ecdf08b098a6 Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Fri, 6 Sep 2024 08:31:27 +0700
Subject: [PATCH] feat: double check permission customer branch

---
 .../03-customer-branch-controller.ts | 48 ++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/src/controllers/03-customer-branch-controller.ts b/src/controllers/03-customer-branch-controller.ts
index 6bc535c..a4cacd0 100644
--- a/src/controllers/03-customer-branch-controller.ts
+++ b/src/controllers/03-customer-branch-controller.ts
@@ -473,12 +473,58 @@ export class CustomerBranchController extends Controller {
 @Body() body: CustomerBranchUpdate,
 @Path() branchId: string,
 ) {
- const branch = await prisma.customerBranch.findUnique({ where: { id: branchId } });
+ const branch = await prisma.customerBranch.findUnique({
+ where: { id: branchId },
+ include: {
+ customer: {
+ include: {
+ registeredBranch: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ headOffice: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ });
 if (!branch) {
 throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
 }
+ if (!isSystem(req.user)) {
+ const _branch = branch.customer.registeredBranch;
+ const affilationBranch = _branch && _branch.user.length !== 0;
+ const affilationHeadBranch =
+ _branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
+ if (!globalAllow(req.user)) {
+ if (!affilationBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ } else {
+ if (!affilationBranch && !affilationHeadBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
+ }
+
 if (!body.customerId) body.customerId = branch.customerId;
 if (body.provinceId || body.districtId || body.subDistrictId || body.customerId) {
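Review bot: The new affiliation check authorizes the caller only against the branch's current customer (`branch.customer.registeredBranch`), while the line right after it still accepts `body.customerId` from the request, so a non-system caller who sends a different `customerId` is never checked against that target customer; if the update further down (outside the hunk) honours `body.customerId`, the branch can be reassigned to a customer the caller is not affiliated with. Either reject a change of owner for non-system users inside the same block, e.g. `if (body.customerId && body.customerId !== branch.customerId) throw new HttpError(HttpStatus.FORBIDDEN, "You do not have permission to perform this action.", "noPermission");`, or run the same affiliation lookup against the target customer before proceeding. As a point of style, the two `throw` sites are identical; computing `const allowed = globalAllow(req.user) ? affilationBranch || affilationHeadBranch : affilationBranch;` and throwing once on `!allowed` states the rule in one place, and `affilation` should be spelled `affiliation` (the `_branch` underscore prefix is also against the usual TS naming convention). The enclosing update method begins before the hunk and its body continues past it.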