From 615ba4e21447ee6e805465009695a65fff9cc668 Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Tue, 10 Sep 2024 15:17:48 +0700
Subject: [PATCH] refactor: use helper function

---
 src/controllers/02-user-controller.ts | 98 ++++++++++-----------------
 1 file changed, 37 insertions(+), 61 deletions(-)

diff --git a/src/controllers/02-user-controller.ts b/src/controllers/02-user-controller.ts
index 6e6ecfd..53907f7 100644
--- a/src/controllers/02-user-controller.ts
+++ b/src/controllers/02-user-controller.ts
@@ -146,63 +146,6 @@ type UserUpdate = {
 const permissionCond = createPermCondition(globalAllow);
 const permissionCheck = createPermCheck(globalAllow);
 
-async function permissionCheckGetUser(user: RequestWithUser["user"], userId: string) {
-  const record = await prisma.user.findFirst({
-    include: {
-      province: true,
-      district: true,
-      subDistrict: true,
-      createdBy: true,
-      updatedBy: true,
-      branch: {
-        include: {
-          branch: {
-            include: {
-              headOffice: {
-                include: {
-                  branch: { where: { user: { some: { userId: user.sub } } } },
-                  user: { where: { userId: user.sub } },
-                },
-              },
-              user: { where: { userId: user.sub } },
-            },
-          },
-        },
-      },
-    },
-    where: { id: userId },
-  });
-
-  if (!record) {
-    throw new HttpError(HttpStatus.NOT_FOUND, "User cannot be found.", "userNotFound");
-  }
-
-  if (!isSystem(user)) {
-    record.branch.forEach(({ branch }) => {
-      if (!globalAllow(user) && branch.user.length === 0) {
-        throw new HttpError(
-          HttpStatus.FORBIDDEN,
-          "You do not have permission to perform this action.",
-          "noPermission",
-        );
-      } else {
-        if (
-          (branch.user.length === 0 && !branch.headOffice) ||
-          (branch.headOffice &&
-            branch.headOffice.user.length === 0 &&
-            branch.headOffice.branch.length === 0)
-        ) {
-          throw new HttpError(
-            HttpStatus.FORBIDDEN,
-            "You do not have permission to perform this action.",
-            "noPermission",
-          );
-        }
-      }
-    });
-  }
-}
-
 async function userBranchCodeGen(user: User, branch: Branch) {
   return await prisma.$transaction(
     async (tx) => {
@@ -743,6 +686,39 @@ export class UserController extends Controller {
   }
 }
 
+async function getUserCheckPerm(user: RequestWithUser["user"], userId: string) {
+  const record = await prisma.user.findFirst({
+    include: {
+      province: true,
+      district: true,
+      subDistrict: true,
+      createdBy: true,
+      updatedBy: true,
+      branch: {
+        include: {
+          branch: {
+            include: {
+              headOffice: {
+                include: {
+                  branch: { where: { user: { some: { userId: user.sub } } } },
+                  user: { where: { userId: user.sub } },
+                },
+              },
+              user: { where: { userId: user.sub } },
+            },
+          },
+        },
+      },
+    },
+    where: { id: userId },
+  });
+
+  if (!record) {
+    throw new HttpError(HttpStatus.NOT_FOUND, "User cannot be found.", "userNotFound");
+  }
+
+  await Promise.all(record.branch.map(async ({ branch }) => await permissionCheck(user, branch)));
+}
 @Route("api/v1/user/{userId}/profile-image")
 @Tags("User")
 export class UserProfileController extends Controller {
@@ -774,7 +750,7 @@ export class UserProfileController extends Controller {
   @Put("{name}")
   @Security("keycloak")
   async putImage(@Request() req: RequestWithUser, @Path() userId: string, @Path() name: string) {
-    await permissionCheckGetUser(req.user, userId);
+    await getUserCheckPerm(req.user, userId);
     return req.res?.redirect(
       await minio.presignedPutObject(
         MINIO_BUCKET,
@@ -787,7 +763,7 @@ export class UserProfileController extends Controller {
   @Delete("{name}")
   @Security("keycloak")
   async deleteImage(@Request() req: RequestWithUser, @Path() userId: string, @Path() name: string) {
-    await permissionCheckGetUser(req.user, userId);
+    await getUserCheckPerm(req.user, userId);
     await minio.removeObject(MINIO_BUCKET, fileLocation.user.profile(userId, name), {
       forceDelete: true,
     });
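Review bot: `getUserCheckPerm` passes vacuously when `record.branch` is empty — `Promise.all([])` resolves and nothing is checked — so for a target user with no branch rows the only gate in front of putImage/deleteImage (and the two attachment call sites in the following hunks) is `@Security("keycloak")`; the removed `permissionCheckGetUser` had the same gap, and the rewrite keeps it. The old code also skipped the loop for `isSystem(user)` and enforced `globalAllow` inline, whereas the new code hands every branch to `permissionCheck` unconditionally, which is fine if `createPermCheck(globalAllow)` covers both cases but that is not visible in this hunk and is worth confirming. A guard such as `if (record.branch.length === 0 && !isSystem(user)) throw new HttpError(HttpStatus.FORBIDDEN, "You do not have permission to perform this action.", "noPermission");` before the `Promise.all` closes the gap, or a comment on the function stating why an unaffiliated target is deliberately open to any authenticated caller. Smaller points: `record` is discarded, so the `province`/`district`/`createdBy`/`updatedBy` includes are wasted and the `getUser…` name misleads; the `async ({ branch }) => await …` wrapper can be `({ branch }) => permissionCheck(user, branch)`; and a blank line is missing between `+}` and `@Route(...)`.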
@@ -828,7 +804,7 @@ export class UserAttachmentController extends Controller {
     @Path() userId: string,
     @Body() payload: { file: string[] },
   ) {
-    await permissionCheckGetUser(req.user, userId);
+    await getUserCheckPerm(req.user, userId);
 
     return await Promise.all(
       payload.file.map(async (v) => ({
@@ -849,7 +825,7 @@ export class UserAttachmentController extends Controller {
     @Path() userId: string,
     @Body() payload: { file: string[] },
   ) {
-    await permissionCheckGetUser(req.user, userId);
+    await getUserCheckPerm(req.user, userId);
     await Promise.all(
       payload.file.map(async (v) => {
         await minio.removeObject(MINIO_BUCKET, fileLocation.user.attachment(userId, v), {