feat: product group permission check

This commit is contained in:
Methapon Metanipat 2024-09-10 13:33:59 +07:00
parent ce21193741
commit 771f1a1c58

View file

@ -19,13 +19,19 @@ import { RequestWithUser } from "../interfaces/user";
import HttpError from "../interfaces/http-error"; import HttpError from "../interfaces/http-error";
import HttpStatus from "../interfaces/http-status"; import HttpStatus from "../interfaces/http-status";
import { isSystem } from "../utils/keycloak"; import { isSystem } from "../utils/keycloak";
import {
branchRelationPermInclude,
createPermCheck,
createPermCondition,
} from "../services/permission";
import { filterStatus } from "../services/prisma";
type ProductGroupCreate = { type ProductGroupCreate = {
name: string; name: string;
detail: string; detail: string;
remark: string; remark: string;
status?: Status; status?: Status;
registeredBranchId?: string; registeredBranchId: string;
}; };
type ProductGroupUpdate = { type ProductGroupUpdate = {
@ -50,56 +56,24 @@ function globalAllow(user: RequestWithUser["user"]) {
return allowList.some((v) => user.roles?.includes(v)); return allowList.some((v) => user.roles?.includes(v));
} }
async function permissionCheck(user: RequestWithUser["user"], branchId: string) { const permissionCond = createPermCondition(globalAllow);
const record = await prisma.branch.findUnique({ const permissionCheck = createPermCheck(globalAllow);
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: user.sub } } } },
user: { where: { userId: user.sub } },
},
},
user: { where: { userId: user.sub } },
},
where: { id: branchId },
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!isSystem(user)) {
if (!globalAllow(user) && record.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(record.user.length === 0 && !record.headOffice) ||
(record.headOffice &&
record.headOffice.user.length === 0 &&
record.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
return record;
}
@Route("api/v1/product-group") @Route("api/v1/product-group")
@Tags("Product Group") @Tags("Product Group")
export class ProductGroup extends Controller { export class ProductGroup extends Controller {
@Get("stats") @Get("stats")
@Security("keycloak") @Security("keycloak")
async getProductGroupStats() { async getProductGroupStats(@Request() req: RequestWithUser) {
return await prisma.productGroup.count(); return await prisma.productGroup.count({
where: {
AND: [
{
registeredBranch: isSystem(req.user) ? undefined : { OR: permissionCond(req.user) },
},
],
},
});
} }
@Get() @Get()
@ -111,45 +85,12 @@ export class ProductGroup extends Controller {
@Query() page: number = 1, @Query() page: number = 1,
@Query() pageSize: number = 30, @Query() pageSize: number = 30,
) { ) {
const filterStatus = (val?: Status) => {
if (!val) return {};
return val !== Status.CREATED && val !== Status.ACTIVE
? { status: val }
: { OR: [{ status: Status.CREATED }, { status: Status.ACTIVE }] };
};
const where = { const where = {
OR: [ OR: [{ name: { contains: query } }, { detail: { contains: query } }],
{ name: { contains: query }, ...filterStatus(status) },
{ detail: { contains: query }, ...filterStatus(status) },
],
AND: [ AND: [
{ {
registeredBranch: isSystem(req.user) ...filterStatus(status),
? undefined registeredBranch: isSystem(req.user) ? undefined : { OR: permissionCond(req.user) },
: {
OR: [
{
user: { some: { userId: req.user.sub } },
},
{
branch: globalAllow(req.user)
? { some: { user: { some: { userId: req.user.sub } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined,
},
],
},
}, },
], ],
} satisfies Prisma.ProductGroupWhereInput; } satisfies Prisma.ProductGroupWhereInput;
@ -202,18 +143,18 @@ export class ProductGroup extends Controller {
@Post() @Post()
@Security("keycloak", MANAGE_ROLES) @Security("keycloak", MANAGE_ROLES)
async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) { async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
if (body.registeredBranchId) { let company = await permissionCheck(req.user, body.registeredBranchId).then(
await permissionCheck(req.user, body.registeredBranchId); (v) => (v.headOffice || v).code,
} );
const record = await prisma.$transaction( const record = await prisma.$transaction(
async (tx) => { async (tx) => {
const last = await tx.runningNo.upsert({ const last = await tx.runningNo.upsert({
where: { where: {
key: `PRODGRP`, key: `PRODGRP_${company}`,
}, },
create: { create: {
key: `PRODGRP`, key: `PRODGRP_${company}`,
value: 1, value: 1,
}, },
update: { value: { increment: 1 } }, update: { value: { increment: 1 } },
@ -252,15 +193,7 @@ export class ProductGroup extends Controller {
where: { id: groupId }, where: { id: groupId },
include: { include: {
registeredBranch: { registeredBranch: {
include: { include: branchRelationPermInclude(req.user),
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
}, },
}, },
}); });
@ -272,71 +205,17 @@ export class ProductGroup extends Controller {
); );
} }
if (!isSystem(req.user)) { if (record.registeredBranch) await permissionCheck(req.user, record.registeredBranch);
if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
(record.registeredBranch?.headOffice &&
record.registeredBranch?.headOffice.user.length === 0 &&
record.registeredBranch?.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
const [branch] = await prisma.$transaction([ const [branch] = await prisma.$transaction([
prisma.branch.findFirst({ prisma.branch.findFirst({
where: { id: body.registeredBranchId }, where: { id: body.registeredBranchId },
include: { include: branchRelationPermInclude(req.user),
user: {
where: { userId: req.user.sub },
},
headOffice: {
include: {
user: {
where: { userId: req.user.sub },
},
},
},
},
}), }),
]); ]);
if (body.registeredBranchId !== undefined && !isSystem(req.user)) { if (body.registeredBranchId !== undefined) {
if (!globalAllow(req.user)) { await permissionCheck(req.user, branch);
if (body.registeredBranchId === null || (branch && branch.user.length === 0)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} else {
if (
body.registeredBranchId === null ||
(branch &&
branch.user.length === 0 &&
branch.headOffice &&
branch.headOffice.user.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
} }
if (!!body.registeredBranchId && !branch) { if (!!body.registeredBranchId && !branch) {
@ -366,15 +245,7 @@ export class ProductGroup extends Controller {
where: { id: groupId }, where: { id: groupId },
include: { include: {
registeredBranch: { registeredBranch: {
include: { include: branchRelationPermInclude(req.user),
headOffice: {
include: {
branch: { where: { user: { some: { userId: req.user.sub } } } },
user: { where: { userId: req.user.sub } },
},
},
user: { where: { userId: req.user.sub } },
},
}, },
}, },
}); });
@ -387,28 +258,7 @@ export class ProductGroup extends Controller {
); );
} }
if (!isSystem(req.user)) { if (record.registeredBranch) await permissionCheck(req.user, record.registeredBranch);
if (!globalAllow(req.user) && record.registeredBranch?.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(record.registeredBranch?.user.length === 0 && !record.registeredBranch?.headOffice) ||
(record.registeredBranch?.headOffice &&
record.registeredBranch?.headOffice.user.length === 0 &&
record.registeredBranch?.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
if (record.status !== Status.CREATED) { if (record.status !== Status.CREATED) {
throw new HttpError(HttpStatus.FORBIDDEN, "Product group is in used.", "productGroupInUsed"); throw new HttpError(HttpStatus.FORBIDDEN, "Product group is in used.", "productGroupInUsed");