fix: customer edit not consider related branch perm

src/controllers/03-customer-controller.ts

@@ -432,7 +432,15 @@ export class CustomerController extends Controller {
       where: { id: customerId },
       include: {
         registeredBranch: {
-          include: { user: { where: { userId: req.user.sub } } },
+          include: {
+            headOffice: {
+              include: {
+                branch: { where: { user: { some: { userId: req.user.sub } } } },
+                user: { where: { userId: req.user.sub } },
+              },
+            },
+            user: { where: { userId: req.user.sub } },
+          },
         },
       },
     });
@@ -441,15 +449,27 @@ export class CustomerController extends Controller {
       throw new HttpError(HttpStatus.NOT_FOUND, "Customer cannot be found.", "customerNotFound");
     }
 
-    if (
-      !globalAllow(req.user) &&
-      (!record.registeredBranch || record.registeredBranch.user.length === 0)
-    ) {
-      throw new HttpError(
-        HttpStatus.FORBIDDEN,
-        "You do not have permission to perform this action.",
-        "noPermission",
-      );
+    if (!isSystem(req.user)) {
+      if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      } else {
+        if (
+          (record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
+          (record.registeredBranch?.headOffice &&
+            record.registeredBranch?.headOffice.user.length === 0 &&
+            record.registeredBranch?.headOffice.branch.length === 0)
+        ) {
+          throw new HttpError(
+            HttpStatus.FORBIDDEN,
+            "You do not have permission to perform this action.",
+            "noPermission",
+          );
+        }
+      }
     }
 
     if (record.status !== Status.CREATED) {