fix: permission failed

2024-09-04 16:47:14 +07:00 · 2024-09-04 16:47:14 +07:00 · 94cb990b9c
commit 94cb990b9c
parent 859b733245
1 changed files with 22 additions and 19 deletions
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@ -470,7 +470,7 @@ export class UserController extends Controller {
        where: { id: userId },
      }),
      prisma.branch.findMany({
-        include: { user: { where: { id: req.user.sub } } },
+        include: { user: { where: { userId: req.user.sub } } },
        where: {
          id: {
            in: Array.isArray(body.branchId) ? body.branchId : body.branchId ? [body.branchId] : [],
@ -515,10 +515,11 @@ export class UserController extends Controller {
    const THROW_PERM_MSG = "You do not have permission to perform this action.";
    const THROW_PERM_CODE = "noPermission";
-    if (setRoleIndex < userRoleIndex) {
+    if (setRoleIndex !== -1 && setRoleIndex < userRoleIndex) {
      throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
    }
-    if (!globalAllow(req.user)) {
+
    if (!globalAllow(req.user) && body.branchId) {
      if (branch.some((v) => !v.user.find((v) => v.userId === req.user.sub))) {
        throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
      }
@ -542,24 +543,26 @@ export class UserController extends Controller {
      const role = list.find((v) => v.name === body.userRole);
-      const resultAddRole = role && (await addUserRoles(userId, [role]));
+      if (role) {
        const resultAddRole = await addUserRoles(userId, [role]);
-      if (!resultAddRole) {
+        if (!resultAddRole) {
-        throw new Error("Failed. Cannot set user's role.");
+          throw new Error("Failed. Cannot set user's role.");
-      } else {
+        } else {
-        if (Array.isArray(currentRole))
+          if (Array.isArray(currentRole))
-          await removeUserRoles(
+            await removeUserRoles(
-            userId,
+              userId,
-            currentRole.filter(
+              currentRole.filter(
-              (a) =>
+                (a) =>
-                !["uma_authorization", "offline_access", "default-roles"].some((b) =>
+                  !["uma_authorization", "offline_access", "default-roles"].some((b) =>
-                  a.name.includes(b),
+                    a.name.includes(b),
-                ),
+                  ),
-            ),
+              ),
-          );
+            );
        }
        userRole = role.name;
      }
      userRole = role.name;
    }
    if (body.username) {