feat: add user and assign to branch at the same time

src/controllers/branch-user-controller.ts

@@ -53,9 +53,9 @@ async function userBranchCodeGen(branch: Branch, user: User[]) {
 
 @Route("api/v1/branch/{branchId}/user")
 @Tags("Branch User")
-@Security("keycloak")
 export class BranchUserController extends Controller {
   @Get()
+  @Security("keycloak")
   async getBranchUser(
     @Path() branchId: string,
     @Query() zipCode?: string,
@@ -97,6 +97,7 @@ export class BranchUserController extends Controller {
   }
 
   @Post()
+  @Security("keycloak", ["system", "head_of_admin", "admin", "branch_admin", "branch_manager"])
   async createBranchUser(
     @Request() req: RequestWithUser,
     @Path() branchId: string,
@@ -104,6 +105,11 @@ export class BranchUserController extends Controller {
   ) {
     const [branch, user] = await prisma.$transaction([
       prisma.branch.findUnique({
+        include: {
+          user: {
+            where: { userId: req.user.sub },
+          },
+        },
         where: { id: branchId },
       }),
       prisma.user.findMany({
@@ -112,6 +118,18 @@ export class BranchUserController extends Controller {
       }),
     ]);
 
+    if (
+      !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
+      branch?.createdByUserId !== req.user.sub &&
+      !branch?.user.find((v) => v.userId === req.user.sub)
+    ) {
+      throw new HttpError(
+        HttpStatus.FORBIDDEN,
+        "You do not have permission to perform this action.",
+        "noPermission",
+      );
+    }
+
     if (!branch) {
       throw new HttpError(HttpStatus.BAD_REQUEST, "Branch cannot be found.", "branchBadReq");
     }