From 94cb990b9c51122d21a5a53e99896ee1aa587e1d Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Wed, 4 Sep 2024 16:47:14 +0700
Subject: [PATCH] fix: permission failed
---
 src/controllers/user-controller.ts | 41 ++++++++++++++++--------------
 1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index 6c0963a..4aff2d2 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -470,7 +470,7 @@ export class UserController extends Controller {
 where: { id: userId },
 }),
 prisma.branch.findMany({
- include: { user: { where: { id: req.user.sub } } },
+ include: { user: { where: { userId: req.user.sub } } },
 where: { id: { in: Array.isArray(body.branchId) ? body.branchId : body.branchId ? [body.branchId] : [],
@@ -515,10 +515,11 @@ export class UserController extends Controller {
 const THROW_PERM_MSG = "You do not have permission to perform this action.";
 const THROW_PERM_CODE = "noPermission";
- if (setRoleIndex < userRoleIndex) {
+ if (setRoleIndex !== -1 && setRoleIndex < userRoleIndex) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
 }
- if (!globalAllow(req.user)) {
+
+ if (!globalAllow(req.user) && body.branchId) {
 if (branch.some((v) => !v.user.find((v) => v.userId === req.user.sub))) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
 }
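Review bot: With the include now filtered on `userId: req.user.sub`, each returned branch carries at most the requester's own membership row, so the later membership check `v.user.find((v) => v.userId === req.user.sub)` repeats a condition the query already enforces; `v.user.length === 0` would state the intent more plainly and drop the shadowed inner `v`. This assumes `user` here is the membership relation keyed by `userId`, which the rename suggests but the schema is not visible to confirm. The Promise.all that holds this query starts and ends outside the hunk.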
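Review bot: The added `setRoleIndex !== -1` guard turns an unranked role into a bypass of the hierarchy check: before, a `-1` index (role name absent from the ordering) always fell below `userRoleIndex` and was refused, now it is let through. If the intent is to skip the check when no role change was requested, test that condition directly, `if (body.userRole && setRoleIndex < userRoleIndex) {`, so an unknown role name still fails closed. Both indexes are computed above the hunk, so whether `-1` can only arise from an absent `body.userRole` cannot be confirmed here. The second change, `&& body.branchId`, looks redundant rather than wrong: with no branchId the findMany above queries `in: []`, so `branch` should be empty and `[].some(...)` already false.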
@@ -542,24 +543,26 @@ export class UserController extends Controller {
 const role = list.find((v) => v.name === body.userRole);
- const resultAddRole = role && (await addUserRoles(userId, [role]));
+ if (role) {
+ const resultAddRole = await addUserRoles(userId, [role]);
- if (!resultAddRole) {
- throw new Error("Failed. Cannot set user's role.");
- } else {
- if (Array.isArray(currentRole))
- await removeUserRoles(
- userId,
- currentRole.filter(
- (a) =>
- !["uma_authorization", "offline_access", "default-roles"].some((b) =>
- a.name.includes(b),
- ),
- ),
- );
+ if (!resultAddRole) {
+ throw new Error("Failed. Cannot set user's role.");
+ } else {
+ if (Array.isArray(currentRole))
+ await removeUserRoles(
+ userId,
+ currentRole.filter(
+ (a) =>
+ !["uma_authorization", "offline_access", "default-roles"].some((b) =>
+ a.name.includes(b),
+ ),
+ ),
+ );
+ }
+
+ userRole = role.name;
 }
-
- userRole = role.name;
 }
 if (body.username) {
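Review bot: Wrapping the assignment in `if (role)` makes an unknown `body.userRole` a silent no-op: the request completes as if it succeeded while the role is never changed, whereas the old code reached the `!resultAddRole` throw. Reject it explicitly before the block, e.g. `if (body.userRole && !role) throw new Error("Failed. Cannot set user's role.");`, or better an HttpError with a client-error status if that is what the surrounding handler maps to responses. The `if (!resultAddRole) { throw } else { ... }` nesting could also be flattened into a guard throw followed by the removeUserRoles call, taking one indentation level off the filter. The enclosing method starts and ends outside the hunk, so whether this lookup is already preceded by a `body.userRole` check cannot be seen here.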