chamomind/jws-backend
chamomind/jws-backend
7
0
Fork 0
Code Issues Projects 1 Releases Packages 1 Wiki Activity Actions

feat: permission check employee

Browse source
This commit is contained in:
Methapon Metanipat 2024-09-06 10:54:17 +07:00
parent 16d640f293
commit 806968e3dd
4 changed files with 142 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/controllers/03-employee-checkup-controller.ts
View file

@ -3,6 +3,7 @@ import {
Controller,
Delete,
Get,
Middlewares,
Path,
Post,
Put,
@ -15,8 +16,29 @@ import { RequestWithUser } from "../interfaces/user";
import prisma from "../db";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
import { permissionCheck } from "../middlewares/employee";
const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"];
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"sale",
"head_of_account",
"account",
];
function globalAllow(user: RequestWithUser["user"]) {
const allowList = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"head_of_account",
];
return allowList.some((v) => user.roles?.includes(v));
}
type EmployeeCheckupPayload = {
checkupType?: string | null;
@ -34,6 +56,7 @@ type EmployeeCheckupPayload = {
@Route("api/v1/employee/{employeeId}/checkup")
@Tags("Employee Checkup")
@Middlewares(permissionCheck(globalAllow))
export class EmployeeCheckupController extends Controller {
@Get()
@Security("keycloak")

25
src/controllers/03-employee-other-info-controller.ts
View file

@ -10,14 +10,36 @@ import {
Route,
Security,
Tags,
Middlewares,
} from "tsoa";
import prisma from "../db";
import HttpError from "../interfaces/http-error";
import HttpStatus from "../interfaces/http-status";
import { RequestWithUser } from "../interfaces/user";
import { permissionCheck } from "../middlewares/employee";
const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"];
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"sale",
"head_of_account",
"account",
];
function globalAllow(user: RequestWithUser["user"]) {
const allowList = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"head_of_account",
];
return allowList.some((v) => user.roles?.includes(v));
}
type EmployeeOtherInfoPayload = {
citizenId?: string | null;
@ -36,6 +58,7 @@ type EmployeeOtherInfoPayload = {
@Route("api/v1/employee/{employeeId}/other-info")
@Tags("Employee Other Info")
@Middlewares(permissionCheck(globalAllow))
export class EmployeeOtherInfo extends Controller {
@Get()
@Security("keycloak")

25
src/controllers/03-employee-work-controller.ts
View file

@ -3,6 +3,7 @@ import {
Controller,
Delete,
Get,
Middlewares,
Path,
Post,
Put,
@ -15,8 +16,29 @@ import { RequestWithUser } from "../interfaces/user";
import prisma from "../db";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
import { permissionCheck } from "../middlewares/employee";
const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"];
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"sale",
"head_of_account",
"account",
];
function globalAllow(user: RequestWithUser["user"]) {
const allowList = [
"system",
"head_of_admin",
"admin",
"branch_manager",
"head_of_sale",
"head_of_account",
];
return allowList.some((v) => user.roles?.includes(v));
}
type EmployeeWorkPayload = {
ownerName?: string | null;
@ -32,6 +54,7 @@ type EmployeeWorkPayload = {
@Route("api/v1/employee/{employeeId}/work")
@Tags("Employee Work")
@Middlewares(permissionCheck(globalAllow))
export class EmployeeWorkController extends Controller {
@Get()
@Security("keycloak")

70
src/middlewares/employee.ts Normal file
View file

@ -0,0 +1,70 @@
import express from "express";
import { RequestWithUser } from "../interfaces/user";
import prisma from "../db";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
import { isSystem } from "../utils/keycloak";
export function permissionCheck(globalAllow: (user: RequestWithUser["user"]) => boolean) {
return async (req: RequestWithUser, _res: express.Response, next: express.NextFunction) => {
if ("employeeId" in req.params && typeof req.params.employeeId === "string") {
const employeeId = req.params.employeeId;
const employee = await prisma.employee.findFirst({
where: { id: employeeId },
include: {
customerBranch: {
include: {
customer: {
include: {
registeredBranch: {
include: {
user: {
where: { userId: req.user.sub },
},
headOffice: {
include: {
user: {
where: { userId: req.user.sub },
},
},
},
},
},
},
},
},
},
},
});
if (!employee) {
throw new HttpError(HttpStatus.BAD_REQUEST, "Employee cannot be found.", "employeeBadReq");
}
if (!isSystem(req.user)) {
const _branch = employee.customerBranch.customer.registeredBranch;
const affilationBranch = _branch && _branch.user.length !== 0;
const affilationHeadBranch =
_branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
if (!globalAllow(req.user)) {
if (!affilationBranch) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} else {
if (!affilationBranch && !affilationHeadBranch) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
}
next();
};
}