diff --git a/src/controllers/03-customer-controller.ts b/src/controllers/03-customer-controller.ts
index d3c0a8f..4ccf5e2 100644
--- a/src/controllers/03-customer-controller.ts
+++ b/src/controllers/03-customer-controller.ts
@@ -432,7 +432,15 @@ export class CustomerController extends Controller {
       where: { id: customerId },
       include: {
         registeredBranch: {
-          include: { user: { where: { userId: req.user.sub } } },
+          include: {
+            headOffice: {
+              include: {
+                branch: { where: { user: { some: { userId: req.user.sub } } } },
+                user: { where: { userId: req.user.sub } },
+              },
+            },
+            user: { where: { userId: req.user.sub } },
+          },
         },
       },
     });
@@ -441,15 +449,27 @@ export class CustomerController extends Controller {
       throw new HttpError(HttpStatus.NOT_FOUND, "Customer cannot be found.", "customerNotFound");
     }
 
-    if (
-      !globalAllow(req.user) &&
-      (!record.registeredBranch || record.registeredBranch.user.length === 0)
-    ) {
-      throw new HttpError(
-        HttpStatus.FORBIDDEN,
-        "You do not have permission to perform this action.",
-        "noPermission",
-      );
+    if (!isSystem(req.user)) {
+      if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      } else {
+        if (
+          (record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
+          (record.registeredBranch?.headOffice &&
+            record.registeredBranch?.headOffice.user.length === 0 &&
+            record.registeredBranch?.headOffice.branch.length === 0)
+        ) {
+          throw new HttpError(
+            HttpStatus.FORBIDDEN,
+            "You do not have permission to perform this action.",
+            "noPermission",
+          );
+        }
+      }
     }
 
     if (record.status !== Status.CREATED) {
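Review bot: The widened `include` now loads the full `user` join rows for the branch and head office, plus every head-office `branch` row the caller belongs to, only so the permission check can test `.length`; if `record` is later returned in the response (not visible here), those membership rows would be serialized to the client. Consider restricting the nested includes to `select: { id: true }` (or using a `_count` on the relations) so the authorization query fetches nothing beyond what the check needs. The enclosing method starts before this hunk.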
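Review bot: A customer with no `registeredBranch` is now reachable by any authenticated non-system user: the removed condition denied on `!record.registeredBranch`, but every new check uses `record.registeredBranch?.…`, so `undefined === 0` and `undefined && …` are both false and neither FORBIDDEN throws. Restore the guard before the membership checks, e.g. `if (!isSystem(req.user) && !record.registeredBranch) { throw new HttpError(HttpStatus.FORBIDDEN, "You do not have permission to perform this action.", "noPermission"); }`. Separately, if the head-office branch was meant as a fallback for non-global users, it is unreachable — the first `if` already throws whenever `!globalAllow(req.user)` and the branch `user` list is empty — so as written the head-office condition only ever restricts users for whom `globalAllow` is true, which reverses the old behaviour for them; please confirm that is intended and add a comment stating which roles each branch is meant to gate. The enclosing method starts before and continues after this hunk.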