feat: product group permission check
This commit is contained in:
parent
ce21193741
commit
771f1a1c58
1 changed files with 34 additions and 184 deletions
|
|
@ -19,13 +19,19 @@ import { RequestWithUser } from "../interfaces/user";
|
||||||
import HttpError from "../interfaces/http-error";
|
import HttpError from "../interfaces/http-error";
|
||||||
import HttpStatus from "../interfaces/http-status";
|
import HttpStatus from "../interfaces/http-status";
|
||||||
import { isSystem } from "../utils/keycloak";
|
import { isSystem } from "../utils/keycloak";
|
||||||
|
import {
|
||||||
|
branchRelationPermInclude,
|
||||||
|
createPermCheck,
|
||||||
|
createPermCondition,
|
||||||
|
} from "../services/permission";
|
||||||
|
import { filterStatus } from "../services/prisma";
|
||||||
|
|
||||||
type ProductGroupCreate = {
|
type ProductGroupCreate = {
|
||||||
name: string;
|
name: string;
|
||||||
detail: string;
|
detail: string;
|
||||||
remark: string;
|
remark: string;
|
||||||
status?: Status;
|
status?: Status;
|
||||||
registeredBranchId?: string;
|
registeredBranchId: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
type ProductGroupUpdate = {
|
type ProductGroupUpdate = {
|
||||||
|
|
@ -50,56 +56,24 @@ function globalAllow(user: RequestWithUser["user"]) {
|
||||||
return allowList.some((v) => user.roles?.includes(v));
|
return allowList.some((v) => user.roles?.includes(v));
|
||||||
}
|
}
|
||||||
|
|
||||||
async function permissionCheck(user: RequestWithUser["user"], branchId: string) {
|
const permissionCond = createPermCondition(globalAllow);
|
||||||
const record = await prisma.branch.findUnique({
|
const permissionCheck = createPermCheck(globalAllow);
|
||||||
include: {
|
|
||||||
headOffice: {
|
|
||||||
include: {
|
|
||||||
branch: { where: { user: { some: { userId: user.sub } } } },
|
|
||||||
user: { where: { userId: user.sub } },
|
|
||||||
},
|
|
||||||
},
|
|
||||||
user: { where: { userId: user.sub } },
|
|
||||||
},
|
|
||||||
where: { id: branchId },
|
|
||||||
});
|
|
||||||
|
|
||||||
if (!record) {
|
|
||||||
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!isSystem(user)) {
|
|
||||||
if (!globalAllow(user) && record.user.length === 0) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
if (
|
|
||||||
(record.user.length === 0 && !record.headOffice) ||
|
|
||||||
(record.headOffice &&
|
|
||||||
record.headOffice.user.length === 0 &&
|
|
||||||
record.headOffice.branch.length === 0)
|
|
||||||
) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return record;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Route("api/v1/product-group")
|
@Route("api/v1/product-group")
|
||||||
@Tags("Product Group")
|
@Tags("Product Group")
|
||||||
export class ProductGroup extends Controller {
|
export class ProductGroup extends Controller {
|
||||||
@Get("stats")
|
@Get("stats")
|
||||||
@Security("keycloak")
|
@Security("keycloak")
|
||||||
async getProductGroupStats() {
|
async getProductGroupStats(@Request() req: RequestWithUser) {
|
||||||
return await prisma.productGroup.count();
|
return await prisma.productGroup.count({
|
||||||
|
where: {
|
||||||
|
AND: [
|
||||||
|
{
|
||||||
|
registeredBranch: isSystem(req.user) ? undefined : { OR: permissionCond(req.user) },
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@Get()
|
@Get()
|
||||||
|
|
@ -111,45 +85,12 @@ export class ProductGroup extends Controller {
|
||||||
@Query() page: number = 1,
|
@Query() page: number = 1,
|
||||||
@Query() pageSize: number = 30,
|
@Query() pageSize: number = 30,
|
||||||
) {
|
) {
|
||||||
const filterStatus = (val?: Status) => {
|
|
||||||
if (!val) return {};
|
|
||||||
|
|
||||||
return val !== Status.CREATED && val !== Status.ACTIVE
|
|
||||||
? { status: val }
|
|
||||||
: { OR: [{ status: Status.CREATED }, { status: Status.ACTIVE }] };
|
|
||||||
};
|
|
||||||
|
|
||||||
const where = {
|
const where = {
|
||||||
OR: [
|
OR: [{ name: { contains: query } }, { detail: { contains: query } }],
|
||||||
{ name: { contains: query }, ...filterStatus(status) },
|
|
||||||
{ detail: { contains: query }, ...filterStatus(status) },
|
|
||||||
],
|
|
||||||
AND: [
|
AND: [
|
||||||
{
|
{
|
||||||
registeredBranch: isSystem(req.user)
|
...filterStatus(status),
|
||||||
? undefined
|
registeredBranch: isSystem(req.user) ? undefined : { OR: permissionCond(req.user) },
|
||||||
: {
|
|
||||||
OR: [
|
|
||||||
{
|
|
||||||
user: { some: { userId: req.user.sub } },
|
|
||||||
},
|
|
||||||
{
|
|
||||||
branch: globalAllow(req.user)
|
|
||||||
? { some: { user: { some: { userId: req.user.sub } } } }
|
|
||||||
: undefined,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
headOffice: globalAllow(req.user)
|
|
||||||
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
|
|
||||||
: undefined,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
headOffice: globalAllow(req.user)
|
|
||||||
? { user: { some: { userId: req.user.sub } } }
|
|
||||||
: undefined,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
} satisfies Prisma.ProductGroupWhereInput;
|
} satisfies Prisma.ProductGroupWhereInput;
|
||||||
|
|
@ -202,18 +143,18 @@ export class ProductGroup extends Controller {
|
||||||
@Post()
|
@Post()
|
||||||
@Security("keycloak", MANAGE_ROLES)
|
@Security("keycloak", MANAGE_ROLES)
|
||||||
async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
|
async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
|
||||||
if (body.registeredBranchId) {
|
let company = await permissionCheck(req.user, body.registeredBranchId).then(
|
||||||
await permissionCheck(req.user, body.registeredBranchId);
|
(v) => (v.headOffice || v).code,
|
||||||
}
|
);
|
||||||
|
|
||||||
const record = await prisma.$transaction(
|
const record = await prisma.$transaction(
|
||||||
async (tx) => {
|
async (tx) => {
|
||||||
const last = await tx.runningNo.upsert({
|
const last = await tx.runningNo.upsert({
|
||||||
where: {
|
where: {
|
||||||
key: `PRODGRP`,
|
key: `PRODGRP_${company}`,
|
||||||
},
|
},
|
||||||
create: {
|
create: {
|
||||||
key: `PRODGRP`,
|
key: `PRODGRP_${company}`,
|
||||||
value: 1,
|
value: 1,
|
||||||
},
|
},
|
||||||
update: { value: { increment: 1 } },
|
update: { value: { increment: 1 } },
|
||||||
|
|
@ -252,15 +193,7 @@ export class ProductGroup extends Controller {
|
||||||
where: { id: groupId },
|
where: { id: groupId },
|
||||||
include: {
|
include: {
|
||||||
registeredBranch: {
|
registeredBranch: {
|
||||||
include: {
|
include: branchRelationPermInclude(req.user),
|
||||||
headOffice: {
|
|
||||||
include: {
|
|
||||||
branch: { where: { user: { some: { userId: req.user.sub } } } },
|
|
||||||
user: { where: { userId: req.user.sub } },
|
|
||||||
},
|
|
||||||
},
|
|
||||||
user: { where: { userId: req.user.sub } },
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
@ -272,71 +205,17 @@ export class ProductGroup extends Controller {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isSystem(req.user)) {
|
if (record.registeredBranch) await permissionCheck(req.user, record.registeredBranch);
|
||||||
if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
if (
|
|
||||||
(record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
|
|
||||||
(record.registeredBranch?.headOffice &&
|
|
||||||
record.registeredBranch?.headOffice.user.length === 0 &&
|
|
||||||
record.registeredBranch?.headOffice.branch.length === 0)
|
|
||||||
) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
const [branch] = await prisma.$transaction([
|
const [branch] = await prisma.$transaction([
|
||||||
prisma.branch.findFirst({
|
prisma.branch.findFirst({
|
||||||
where: { id: body.registeredBranchId },
|
where: { id: body.registeredBranchId },
|
||||||
include: {
|
include: branchRelationPermInclude(req.user),
|
||||||
user: {
|
|
||||||
where: { userId: req.user.sub },
|
|
||||||
},
|
|
||||||
headOffice: {
|
|
||||||
include: {
|
|
||||||
user: {
|
|
||||||
where: { userId: req.user.sub },
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}),
|
}),
|
||||||
]);
|
]);
|
||||||
|
|
||||||
if (body.registeredBranchId !== undefined && !isSystem(req.user)) {
|
if (body.registeredBranchId !== undefined) {
|
||||||
if (!globalAllow(req.user)) {
|
await permissionCheck(req.user, branch);
|
||||||
if (body.registeredBranchId === null || (branch && branch.user.length === 0)) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (
|
|
||||||
body.registeredBranchId === null ||
|
|
||||||
(branch &&
|
|
||||||
branch.user.length === 0 &&
|
|
||||||
branch.headOffice &&
|
|
||||||
branch.headOffice.user.length === 0)
|
|
||||||
) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!!body.registeredBranchId && !branch) {
|
if (!!body.registeredBranchId && !branch) {
|
||||||
|
|
@ -366,15 +245,7 @@ export class ProductGroup extends Controller {
|
||||||
where: { id: groupId },
|
where: { id: groupId },
|
||||||
include: {
|
include: {
|
||||||
registeredBranch: {
|
registeredBranch: {
|
||||||
include: {
|
include: branchRelationPermInclude(req.user),
|
||||||
headOffice: {
|
|
||||||
include: {
|
|
||||||
branch: { where: { user: { some: { userId: req.user.sub } } } },
|
|
||||||
user: { where: { userId: req.user.sub } },
|
|
||||||
},
|
|
||||||
},
|
|
||||||
user: { where: { userId: req.user.sub } },
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
@ -387,28 +258,7 @@ export class ProductGroup extends Controller {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isSystem(req.user)) {
|
if (record.registeredBranch) await permissionCheck(req.user, record.registeredBranch);
|
||||||
if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
if (
|
|
||||||
(record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
|
|
||||||
(record.registeredBranch?.headOffice &&
|
|
||||||
record.registeredBranch?.headOffice.user.length === 0 &&
|
|
||||||
record.registeredBranch?.headOffice.branch.length === 0)
|
|
||||||
) {
|
|
||||||
throw new HttpError(
|
|
||||||
HttpStatus.FORBIDDEN,
|
|
||||||
"You do not have permission to perform this action.",
|
|
||||||
"noPermission",
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (record.status !== Status.CREATED) {
|
if (record.status !== Status.CREATED) {
|
||||||
throw new HttpError(HttpStatus.FORBIDDEN, "Product group is in used.", "productGroupInUsed");
|
throw new HttpError(HttpStatus.FORBIDDEN, "Product group is in used.", "productGroupInUsed");
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue