Merge branch 'develop'

prisma/migrations/20250704070342_add_relation_seller_in_quotation/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "Quotation" ADD COLUMN     "sellerId" TEXT;
+
+-- AddForeignKey
+ALTER TABLE "Quotation" ADD CONSTRAINT "Quotation_sellerId_fkey" FOREIGN KEY ("sellerId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

prisma/schema.prisma

@@ -511,6 +511,7 @@ model User {
 
   contactName String?
   contactTel  String?
+  quotation   Quotation[]
 }
 
 model UserResponsibleArea {
@@ -1386,6 +1387,9 @@ model Quotation {
 
   invoice    Invoice[]
   creditNote CreditNote[]
+
+  seller   User?   @relation(fields: [sellerId], references: [id], onDelete: Cascade)
+  sellerId String?
 }
 
 model QuotationPaySplit {

src/controllers/01-branch-controller.ts

@@ -47,16 +47,20 @@ if (!process.env.MINIO_BUCKET) {
   throw Error("Require MinIO bucket.");
 }
 
-const MANAGE_ROLES = ["system", "head_of_admin"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  return MANAGE_ROLES.some((v) => user.roles?.includes(v));
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-}
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
-
-function globalAllowView(user: RequestWithUser["user"]) {
-  return MANAGE_ROLES.concat("head_of_accountant", "head_of_sale").some((v) =>
-    user.roles?.includes(v),
-  );
 }
 
 type BranchCreate = {
@@ -147,7 +151,7 @@ type BranchUpdate = {
   }[];
 };
 
-const permissionCond = createPermCondition(globalAllowView);
+const permissionCond = createPermCondition(globalAllow);
 const permissionCheck = createPermCheck(globalAllow);
 
 @Route("api/v1/branch")

src/controllers/01-branch-user-controller.ts

@@ -20,10 +20,19 @@ import { RequestWithUser } from "../interfaces/user";
 import { branchRelationPermInclude, createPermCheck } from "../services/permission";
 import { queryOrNot, whereDateQuery } from "../utils/relation";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const listAllowed = ["system", "head_of_admin", "admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
   return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 

src/controllers/02-user-controller.ts

@@ -61,10 +61,17 @@ if (!process.env.MINIO_BUCKET) {
   throw Error("Require MinIO bucket.");
 }
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "branch_admin",
+  "branch_manager",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const listAllowed = ["system", "head_of_admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive"];
   return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 

src/controllers/03-customer-branch-citizen-controller.ts

@@ -23,15 +23,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type CustomerBranchCitizenPayload = {

src/controllers/03-customer-branch-controller.ts

@@ -47,15 +47,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
   "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/03-customer-controller.ts

@@ -42,15 +42,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
   "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/03-employee-checkup-controller.ts

@@ -23,14 +23,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeCheckupPayload = {

src/controllers/03-employee-controller.ts

@@ -51,14 +51,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCond = createPermCondition(globalAllow);
@@ -108,7 +112,7 @@ type EmployeeUpdate = {
 
   nrcNo?: string | null;
 
-  dateOfBirth?: Date;
+  dateOfBirth?: Date | null;
   gender?: string;
   nationality?: string;
   otherNationality?: string | null;
@@ -144,9 +148,18 @@ type EmployeeUpdate = {
 export class EmployeeController extends Controller {
   @Get("stats")
   @Security("keycloak")
-  async getEmployeeStats(@Query() customerBranchId?: string) {
+  async getEmployeeStats(@Request() req: RequestWithUser, @Query() customerBranchId?: string) {
     return await prisma.employee.count({
-      where: { customerBranchId },
+      where: {
+        customerBranchId,
+        customerBranch: {
+          customer: isSystem(req.user)
+            ? undefined
+            : {
+                registeredBranch: { OR: permissionCond(req.user) },
+              },
+        },
+      },
     });
   }
 

src/controllers/03-employee-other-info-controller.ts

@@ -23,14 +23,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeOtherInfoPayload = {

src/controllers/03-employee-passport-controller.ts

@@ -22,14 +22,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeePassportPayload = {

src/controllers/03-employee-visa-controller.ts

@@ -22,14 +22,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeVisaPayload = {

src/controllers/03-employee-work-controller.ts

@@ -22,14 +22,18 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
   "head_of_sale",
+  "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeWorkPayload = {

src/controllers/04-flow-template-controller.ts

@@ -44,14 +44,30 @@ type WorkflowPayload = {
   status?: Status;
 };
 
-const permissionCondCompany = createPermCondition((_) => true);
+const MANAGE_ROLES = [
-const permissionCheckCompany = createPermCheck((_) => true);
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
+
+function globalAllow(user: RequestWithUser["user"]) {
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
+}
+
+const permissionCondCompany = createPermCondition(globalAllow);
+const permissionCheckCompany = createPermCheck(globalAllow);
 
 @Route("api/v1/workflow-template")
 @Tags("Workflow")
-@Security("keycloak")
 export class FlowTemplateController extends Controller {
   @Get()
+  @Security("keycloak")
   async getFlowTemplate(
     @Request() req: RequestWithUser,
     @Query() page: number = 1,
@@ -118,6 +134,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Get("{templateId}")
+  @Security("keycloak")
   async getFlowTemplateById(@Request() _req: RequestWithUser, @Path() templateId: string) {
     const record = await prisma.workflowTemplate.findFirst({
       include: {
@@ -150,6 +167,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Post()
+  @Security("keycloak", MANAGE_ROLES)
   async createFlowTemplate(@Request() req: RequestWithUser, @Body() body: WorkflowPayload) {
     const where = {
       OR: [
@@ -230,6 +248,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Put("{templateId}")
+  @Security("keycloak", MANAGE_ROLES)
   async updateFlowTemplate(
     @Request() req: RequestWithUser,
     @Path() templateId: string,
@@ -315,6 +334,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Delete("{templateId}")
+  @Security("keycloak", MANAGE_ROLES)
   async deleteFlowTemplateById(@Request() req: RequestWithUser, @Path() templateId: string) {
     const record = await prisma.workflowTemplate.findUnique({
       where: { id: templateId },

src/controllers/04-institution-controller.ts

@@ -95,6 +95,17 @@ type InstitutionUpdatePayload = {
   }[];
 };
 
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
+
 @Route("api/v1/institution")
 @Tags("Institution")
 export class InstitutionController extends Controller {
@@ -185,7 +196,7 @@ export class InstitutionController extends Controller {
   }
 
   @Post()
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("createInstitution")
   async createInstitution(
     @Body()
@@ -229,7 +240,7 @@ export class InstitutionController extends Controller {
   }
 
   @Put("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("updateInstitution")
   async updateInstitution(
     @Path() institutionId: string,
@@ -278,7 +289,7 @@ export class InstitutionController extends Controller {
   }
 
   @Delete("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("deleteInstitution")
   async deleteInstitution(@Path() institutionId: string) {
     return await prisma.$transaction(async (tx) => {
@@ -350,7 +361,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -364,7 +375,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -394,7 +405,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putAttachment(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -405,7 +416,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delAttachment(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -436,7 +447,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putBankImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -450,7 +461,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delBankImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,

src/controllers/04-invoice-controller.ts

@@ -29,14 +29,23 @@ type InvoicePayload = {
   installmentNo: number[];
 };
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-const permissionCondCompany = createPermCondition((_) => true);
+const permissionCondCompany = createPermCondition(globalAllow);
 const permissionCheck = createPermCheck(globalAllow);
 
 @Route("/api/v1/invoice")
@@ -184,7 +193,7 @@ export class InvoiceController extends Controller {
 
   @Post()
   @OperationId("createInvoice")
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
   async createInvoice(@Request() req: RequestWithUser, @Body() body: InvoicePayload) {
     const [quotation] = await prisma.$transaction([
       prisma.quotation.findUnique({
@@ -229,7 +238,7 @@ export class InvoiceController extends Controller {
           title: "ใบแจ้งหนี้ใหม่ / New Invoice",
           detail: "รหัส / code : " + record.code,
           registeredBranchId: record.registeredBranchId,
-          groupReceiver: { create: { name: "accountant" } },
+          groupReceiver: { create: { name: "branch_accountant" } },
         },
       });
 

src/controllers/04-product-controller.ts

@@ -35,14 +35,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/04-product-group-controller.ts

@@ -35,7 +35,7 @@ type ProductGroupCreate = {
   remark: string;
   status?: Status;
   shared?: boolean;
-  registeredBranchId: string;
+  registeredBranchId?: string;
 };
 
 type ProductGroupUpdate = {
@@ -51,14 +51,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCond = createPermCondition((_) => true);
@@ -157,7 +159,23 @@ export class ProductGroup extends Controller {
   @Post()
   @Security("keycloak", MANAGE_ROLES)
   async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
-    let company = await permissionCheck(req.user, body.registeredBranchId).then(
+    const userAffiliatedBranch = await prisma.branch.findFirst({
+      include: branchRelationPermInclude(req.user),
+      where: body.registeredBranchId
+        ? { id: body.registeredBranchId }
+        : {
+            user: { some: { userId: req.user.sub } },
+          },
+    });
+    if (!userAffiliatedBranch) {
+      throw new HttpError(
+        HttpStatus.BAD_REQUEST,
+        "You must be affilated with at least one branch or specify branch to be registered (System permission required).",
+        "reqMinAffilatedBranch",
+      );
+    }
+
+    let company = await permissionCheck(req.user, userAffiliatedBranch).then(
       (v) => (v.headOffice || v).code,
     );
 
@@ -181,6 +199,7 @@ export class ProductGroup extends Controller {
           },
           data: {
             ...body,
+            registeredBranchId: userAffiliatedBranch.id,
             statusOrder: +(body.status === "INACTIVE"),
             code: `G${last.value.toString().padStart(2, "0")}`,
             createdByUserId: req.user.sub,

src/controllers/04-service-controller.ts

@@ -42,14 +42,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/05-payment-controller.ts

@@ -26,11 +26,20 @@ import flowAccount from "../services/flowaccount";
 import HttpError from "../interfaces/http-error";
 import HttpStatus from "../interfaces/http-status";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);
@@ -101,7 +110,7 @@ export class QuotationPayment extends Controller {
   }
 
   @Put("{paymentId}")
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
   async updatePayment(
     @Path() paymentId: string,
     @Body() body: { amount?: number; date?: Date; paymentStatus?: PaymentStatus },

src/controllers/05-quotation-controller.ts

@@ -84,6 +84,8 @@ type QuotationCreate = {
     installmentNo?: number;
     workerIndex?: number[];
   }[];
+
+  sellerId?: string;
 };
 
 type QuotationUpdate = {
@@ -142,6 +144,8 @@ type QuotationUpdate = {
     installmentNo?: number;
     workerIndex?: number[];
   }[];
+
+  sellerId?: string;
 };
 
 const VAT_DEFAULT = config.vat;
@@ -150,15 +154,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCheckCompany = createPermCheck((_) => true);
@@ -210,6 +215,7 @@ export class QuotationController extends Controller {
     @Query() query = "",
     @Query() startDate?: Date,
     @Query() endDate?: Date,
+    @Query() sellerId?: string,
   ) {
     const where = {
       OR: queryOrNot<Prisma.QuotationWhereInput[]>(query, [
@@ -258,6 +264,7 @@ export class QuotationController extends Controller {
           }
         : undefined,
       ...whereDateQuery(startDate, endDate),
+      sellerId: sellerId,
     } satisfies Prisma.QuotationWhereInput;
 
     const [result, total] = await prisma.$transaction([
@@ -415,7 +422,7 @@ export class QuotationController extends Controller {
   }
 
   @Post()
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
   async createQuotation(@Request() req: RequestWithUser, @Body() body: QuotationCreate) {
     const ids = {
       employee: body.worker.filter((v) => typeof v === "string"),
@@ -666,7 +673,7 @@ export class QuotationController extends Controller {
   }
 
   @Put("{quotationId}")
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak", MANAGE_ROLES.concat(["head_of_sale", "sale"]))
   async editQuotation(
     @Request() req: RequestWithUser,
     @Path() quotationId: string,

src/controllers/06-request-list-controller.ts

@@ -977,7 +977,7 @@ export class RequestListController extends Controller {
       });
 
       if (record.responsibleUserId === null) {
-        await prisma.requestWorkStepStatus.update({
+        await tx.requestWorkStepStatus.update({
           where: {
             step_requestWorkId: {
               step: step,

src/controllers/07-task-controller.ts

@@ -44,11 +44,21 @@ import {
 } from "../utils/minio";
 import { queryOrNot, whereDateQuery } from "../utils/relation";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "document_checker"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+  "data_entry",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/08-credit-note-controller.ts

@@ -42,22 +42,20 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-// NOTE: permission condition/check in requestWork -> requestData -> quotation -> registeredBranch
 const permissionCond = createPermCondition(globalAllow);
-const permissionCondCompany = createPermCondition((_) => true);
 const permissionCheck = createPermCheck(globalAllow);
-const permissionCheckCompany = createPermCheck((_) => true);
 
 type CreditNoteCreate = {
   requestWorkId: string[];
@@ -94,7 +92,7 @@ export class CreditNoteController extends Controller {
           request: {
             quotationId,
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },
@@ -200,7 +198,7 @@ export class CreditNoteController extends Controller {
           request: {
             quotationId,
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },
@@ -243,7 +241,7 @@ export class CreditNoteController extends Controller {
         some: {
           request: {
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },
@@ -402,7 +400,7 @@ export class CreditNoteController extends Controller {
   }
 
   @Put("{creditNoteId}")
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak")
   async updateCreditNote(
     @Request() req: RequestWithUser,
     @Path() creditNoteId: string,

src/controllers/09-debit-note-controller.ts

@@ -44,22 +44,20 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-// NOTE: permission condition/check in registeredBranch
 const permissionCond = createPermCondition(globalAllow);
-const permissionCondCompany = createPermCondition((_) => true);
 const permissionCheck = createPermCheck(globalAllow);
-const permissionCheckCompany = createPermCheck((_) => true);
 
 type DebitNoteCreate = {
   quotationId: string;
@@ -581,7 +579,7 @@ export class DebitNoteController extends Controller {
   }
 
   @Put("{debitNoteId}")
-  @Security("keycloak", MANAGE_ROLES)
+  @Security("keycloak")
   async updateDebitNote(
     @Request() req: RequestWithUser,
     @Path() debitNoteId: string,
@@ -605,7 +603,7 @@ export class DebitNoteController extends Controller {
 
     if (!record) throw notFoundError("Debit Note");
 
-    await permissionCheckCompany(req.user, record.registeredBranch);
+    await permissionCheck(req.user, record.registeredBranch);
 
     const { productServiceList: _productServiceList, ...rest } = body;
     const ids = {