diff --git a/src/controllers/03-employee-checkup-controller.ts b/src/controllers/03-employee-checkup-controller.ts index d3799cc..e9b1a8d 100644 --- a/src/controllers/03-employee-checkup-controller.ts +++ b/src/controllers/03-employee-checkup-controller.ts @@ -3,6 +3,7 @@ import { Controller, Delete, Get, + Middlewares, Path, Post, Put, @@ -15,8 +16,29 @@ import { RequestWithUser } from "../interfaces/user"; import prisma from "../db"; import HttpStatus from "../interfaces/http-status"; import HttpError from "../interfaces/http-error"; +import { permissionCheck } from "../middlewares/employee"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "sale", + "head_of_account", + "account", +]; +function globalAllow(user: RequestWithUser["user"]) { + const allowList = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "head_of_account", + ]; + return allowList.some((v) => user.roles?.includes(v)); +} type EmployeeCheckupPayload = { checkupType?: string | null; @@ -34,6 +56,7 @@ type EmployeeCheckupPayload = { @Route("api/v1/employee/{employeeId}/checkup") @Tags("Employee Checkup") +@Middlewares(permissionCheck(globalAllow)) export class EmployeeCheckupController extends Controller { @Get() @Security("keycloak") diff --git a/src/controllers/03-employee-other-info-controller.ts b/src/controllers/03-employee-other-info-controller.ts index fe6c926..ed84c7b 100644 --- a/src/controllers/03-employee-other-info-controller.ts +++ b/src/controllers/03-employee-other-info-controller.ts @@ -10,14 +10,36 @@ import { Route, Security, Tags, + Middlewares, } from "tsoa"; import prisma from "../db"; import HttpError from "../interfaces/http-error"; import HttpStatus from "../interfaces/http-status"; import { RequestWithUser } from "../interfaces/user"; +import { permissionCheck } from "../middlewares/employee"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "sale", + "head_of_account", + "account", +]; +function globalAllow(user: RequestWithUser["user"]) { + const allowList = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "head_of_account", + ]; + return allowList.some((v) => user.roles?.includes(v)); +} type EmployeeOtherInfoPayload = { citizenId?: string | null; @@ -36,6 +58,7 @@ type EmployeeOtherInfoPayload = { @Route("api/v1/employee/{employeeId}/other-info") @Tags("Employee Other Info") +@Middlewares(permissionCheck(globalAllow)) export class EmployeeOtherInfo extends Controller { @Get() @Security("keycloak") diff --git a/src/controllers/03-employee-work-controller.ts b/src/controllers/03-employee-work-controller.ts index ef38448..ec4e984 100644 --- a/src/controllers/03-employee-work-controller.ts +++ b/src/controllers/03-employee-work-controller.ts @@ -3,6 +3,7 @@ import { Controller, Delete, Get, + Middlewares, Path, Post, Put, @@ -15,8 +16,29 @@ import { RequestWithUser } from "../interfaces/user"; import prisma from "../db"; import HttpStatus from "../interfaces/http-status"; import HttpError from "../interfaces/http-error"; +import { permissionCheck } from "../middlewares/employee"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager", "head_of_sale", "sale"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "sale", + "head_of_account", + "account", +]; +function globalAllow(user: RequestWithUser["user"]) { + const allowList = [ + "system", + "head_of_admin", + "admin", + "branch_manager", + "head_of_sale", + "head_of_account", + ]; + return allowList.some((v) => user.roles?.includes(v)); +} type EmployeeWorkPayload = { ownerName?: string | null; @@ -32,6 +54,7 @@ type EmployeeWorkPayload = { @Route("api/v1/employee/{employeeId}/work") @Tags("Employee Work") +@Middlewares(permissionCheck(globalAllow)) export class EmployeeWorkController extends Controller { @Get() @Security("keycloak") diff --git a/src/middlewares/employee.ts b/src/middlewares/employee.ts new file mode 100644 index 0000000..26b63de --- /dev/null +++ b/src/middlewares/employee.ts @@ -0,0 +1,70 @@ +import express from "express"; +import { RequestWithUser } from "../interfaces/user"; +import prisma from "../db"; +import HttpStatus from "../interfaces/http-status"; +import HttpError from "../interfaces/http-error"; +import { isSystem } from "../utils/keycloak"; + +export function permissionCheck(globalAllow: (user: RequestWithUser["user"]) => boolean) { + return async (req: RequestWithUser, _res: express.Response, next: express.NextFunction) => { + if ("employeeId" in req.params && typeof req.params.employeeId === "string") { + const employeeId = req.params.employeeId; + const employee = await prisma.employee.findFirst({ + where: { id: employeeId }, + include: { + customerBranch: { + include: { + customer: { + include: { + registeredBranch: { + include: { + user: { + where: { userId: req.user.sub }, + }, + headOffice: { + include: { + user: { + where: { userId: req.user.sub }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }); + + if (!employee) { + throw new HttpError(HttpStatus.BAD_REQUEST, "Employee cannot be found.", "employeeBadReq"); + } + + if (!isSystem(req.user)) { + const _branch = employee.customerBranch.customer.registeredBranch; + const affilationBranch = _branch && _branch.user.length !== 0; + const affilationHeadBranch = + _branch && _branch.headOffice && _branch.headOffice.user.length !== 0; + if (!globalAllow(req.user)) { + if (!affilationBranch) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } + } else { + if (!affilationBranch && !affilationHeadBranch) { + throw new HttpError( + HttpStatus.FORBIDDEN, + "You do not have permission to perform this action.", + "noPermission", + ); + } + } + } + } + next(); + }; +}