feat: double check permission customer branch

src/controllers/03-customer-branch-controller.ts

@@ -473,12 +473,58 @@ export class CustomerBranchController extends Controller {
     @Body() body: CustomerBranchUpdate,
     @Path() branchId: string,
   ) {
-    const branch = await prisma.customerBranch.findUnique({ where: { id: branchId } });
+    const branch = await prisma.customerBranch.findUnique({
+      where: { id: branchId },
+      include: {
+        customer: {
+          include: {
+            registeredBranch: {
+              include: {
+                user: {
+                  where: { userId: req.user.sub },
+                },
+                headOffice: {
+                  include: {
+                    user: {
+                      where: { userId: req.user.sub },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    });
 
     if (!branch) {
       throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
     }
 
+    if (!isSystem(req.user)) {
+      const _branch = branch.customer.registeredBranch;
+      const affilationBranch = _branch && _branch.user.length !== 0;
+      const affilationHeadBranch =
+        _branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
+      if (!globalAllow(req.user)) {
+        if (!affilationBranch) {
+          throw new HttpError(
+            HttpStatus.FORBIDDEN,
+            "You do not have permission to perform this action.",
+            "noPermission",
+          );
+        }
+      } else {
+        if (!affilationBranch && !affilationHeadBranch) {
+          throw new HttpError(
+            HttpStatus.FORBIDDEN,
+            "You do not have permission to perform this action.",
+            "noPermission",
+          );
+        }
+      }
+    }
+
     if (!body.customerId) body.customerId = branch.customerId;
 
     if (body.provinceId || body.districtId || body.subDistrictId || body.customerId) {