feat: add permision check

This commit is contained in:
Methapon Metanipat 2024-09-04 15:21:11 +07:00
parent 597c107420
commit 36975fd8de


@ -24,7 +24,28 @@ if (!process.env.MINIO_BUCKET) {
} }
const MINIO_BUCKET = process.env.MINIO_BUCKET; const MINIO_BUCKET = process.env.MINIO_BUCKET;
const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"]; const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"sale",
"head_of_account",
"account",
];
function globalAllow(user: RequestWithUser["user"]) {
const allowList = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"head_of_account",
];
return allowList.some((v) => user.roles?.includes(v));
}
export type CustomerCreate = { export type CustomerCreate = {
registeredBranchId?: string; registeredBranchId?: string;
@ -167,8 +188,20 @@ export class CustomerController extends Controller {
@Post() @Post()
@Security("keycloak", MANAGE_ROLES) @Security("keycloak", MANAGE_ROLES)
async create(@Request() req: RequestWithUser, @Body() body: CustomerCreate) { async create(@Request() req: RequestWithUser, @Body() body: CustomerCreate) {
// NOTE: handle empty string
if (!body.registeredBranchId) {
body.registeredBranchId = undefined;
}
const [branch] = await prisma.$transaction([ const [branch] = await prisma.$transaction([
prisma.branch.findFirst({ where: { id: body.registeredBranchId } }), prisma.branch.findFirst({
where: { id: body.registeredBranchId },
include: {
user: {
where: { userId: req.user.sub },
},
},
}),
]); ]);
if (!!body.registeredBranchId && !branch) { if (!!body.registeredBranchId && !branch) {
@ -179,8 +212,14 @@ export class CustomerController extends Controller {
); );
} }
if (!body.registeredBranchId) { if (body.registeredBranchId !== undefined && !globalAllow(req.user)) {
body.registeredBranchId = undefined; if (body.registeredBranchId === null || (branch && branch.user.length === 0)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} }
const record = await prisma.$transaction( const record = await prisma.$transaction(
@ -230,6 +269,10 @@ export class CustomerController extends Controller {
@Request() req: RequestWithUser, @Request() req: RequestWithUser,
@Body() body: CustomerUpdate, @Body() body: CustomerUpdate,
) { ) {
if (body.registeredBranchId === "") {
body.registeredBranchId = undefined;
}
const customer = await prisma.customer.findUnique({ where: { id: customerId } }); const customer = await prisma.customer.findUnique({ where: { id: customerId } });
if (!customer) { if (!customer) {
@ -237,8 +280,14 @@ export class CustomerController extends Controller {
} }
const [branch] = await prisma.$transaction([ const [branch] = await prisma.$transaction([
prisma.customer.findUnique({ where: { id: customerId } }), prisma.branch.findFirst({
prisma.branch.findFirst({ where: { id: body.registeredBranchId } }), where: { id: body.registeredBranchId },
include: {
user: {
where: { userId: req.user.sub },
},
},
}),
]); ]);
if (!!body.registeredBranchId && !branch) { if (!!body.registeredBranchId && !branch) {
@ -249,8 +298,14 @@ export class CustomerController extends Controller {
); );
} }
if (!body.registeredBranchId) { if (body.registeredBranchId !== undefined && !globalAllow(req.user)) {
body.registeredBranchId = undefined; if (body.registeredBranchId === null || (branch && branch.user.length === 0)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} }
const record = await prisma.$transaction(async (tx) => { const record = await prisma.$transaction(async (tx) => {
@ -280,13 +335,31 @@ export class CustomerController extends Controller {
@Delete("{customerId}") @Delete("{customerId}")
@Security("keycloak", MANAGE_ROLES) @Security("keycloak", MANAGE_ROLES)
async deleteById(@Path() customerId: string) { async deleteById(@Path() customerId: string, @Request() req: RequestWithUser) {
const record = await prisma.customer.findFirst({ where: { id: customerId } }); const record = await prisma.customer.findFirst({
where: { id: customerId },
include: {
registeredBranch: {
include: { user: { where: { userId: req.user.sub } } },
},
},
});
if (!record) { if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Customer cannot be found.", "customerNotFound"); throw new HttpError(HttpStatus.NOT_FOUND, "Customer cannot be found.", "customerNotFound");
} }
if (
!globalAllow(req.user) &&
(!record.registeredBranch || record.registeredBranch.user.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
if (record.status !== Status.CREATED) { if (record.status !== Status.CREATED) {
throw new HttpError(HttpStatus.FORBIDDEN, "Customer is in used.", "customerInUsed"); throw new HttpError(HttpStatus.FORBIDDEN, "Customer is in used.", "customerInUsed");
} }
@ -313,9 +386,7 @@ export class CustomerController extends Controller {
@Security("keycloak", MANAGE_ROLES) @Security("keycloak", MANAGE_ROLES)
async setCustomerImageById(@Request() req: RequestWithUser, @Path() customerId: string) { async setCustomerImageById(@Request() req: RequestWithUser, @Path() customerId: string) {
const record = await prisma.customer.findFirst({ const record = await prisma.customer.findFirst({
where: { where: { id: customerId },
id: customerId,
},
}); });
if (!record) { if (!record) {