chamomind/jws-backend
chamomind/jws-backend
6
0
Fork 0
Code Issues Projects 1 Releases Packages 1 Wiki Activity Actions

refactor: fix permission for sure

Browse source
This commit is contained in:
Methapon Metanipat 2024-09-06 16:48:52 +07:00
parent d558aa3cf2
commit 97458d315c
1 changed files with 105 additions and 233 deletions
Download patch file Download diff file Expand all files Collapse all files

338
src/controllers/01-branch-controller.ts
View file

@ -101,6 +101,49 @@ type BranchUpdate = {
}[]; }[];
}; };
async function permissionCheck(user: RequestWithUser["user"], branchId: string) {
const record = await prisma.branch.findUnique({
include: {
headOffice: {
include: {
branch: { where: { user: { some: { userId: user.sub } } } },
user: { where: { userId: user.sub } },
},
},
user: { where: { userId: user.sub } },
},
where: { id: branchId },
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!isSystem(user)) {
if (!globalAllow(user) && record.user.length === 0) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
} else {
if (
(record.user.length === 0 && !record.headOffice) ||
(record.headOffice &&
record.headOffice.user.length === 0 &&
record.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
}
return record;
}
@Route("api/v1/branch") @Route("api/v1/branch")
@Tags("Branch") @Tags("Branch")
export class BranchController extends Controller { export class BranchController extends Controller {
@ -119,6 +162,16 @@ export class BranchController extends Controller {
? { some: { user: { some: { userId: req.user.sub } } } } ? { some: { user: { some: { userId: req.user.sub } } } }
: undefined, : undefined,
}, },
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined,
},
], ],
}; };
@ -226,6 +279,16 @@ export class BranchController extends Controller {
? { some: { user: { some: { userId: req.user.sub } } } } ? { some: { user: { some: { userId: req.user.sub } } } }
: undefined, : undefined,
}, },
{
headOffice: globalAllow(req.user)
? { branch: { some: { user: { some: { userId: req.user.sub } } } } }
: undefined,
},
{
headOffice: globalAllow(req.user)
? { user: { some: { userId: req.user.sub } } }
: undefined,
},
], ],
}, },
OR: [ OR: [
@ -485,27 +548,7 @@ export class BranchController extends Controller {
const { provinceId, districtId, subDistrictId, headOfficeId, bank, contact, ...rest } = body; const { provinceId, districtId, subDistrictId, headOfficeId, bank, contact, ...rest } = body;
const branch = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: { id: branchId },
});
if (!branch) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (
!MANAGE_ROLES.some((v) => req.user.roles?.includes(v)) &&
!branch?.user.find((v) => v.userId === req.user.sub)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
return await prisma.$transaction(async (tx) => { return await prisma.$transaction(async (tx) => {
const listDeleted = bank const listDeleted = bank
@ -578,28 +621,43 @@ export class BranchController extends Controller {
@Delete("{branchId}") @Delete("{branchId}")
@Security("keycloak", MANAGE_ROLES) @Security("keycloak", MANAGE_ROLES)
async deleteBranch(@Request() req: RequestWithUser, @Path() branchId: string) { async deleteBranch(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findFirst({ const record = await prisma.branch.findUnique({
include: { include: {
province: true, headOffice: {
district: true, include: {
subDistrict: true, branch: { where: { user: { some: { userId: req.user.sub } } } },
createdBy: true, user: { where: { userId: req.user.sub } },
updatedBy: true, },
},
user: { where: { userId: req.user.sub } }, user: { where: { userId: req.user.sub } },
}, },
where: { id: branchId }, where: { id: branchId },
}); });
if (!MANAGE_ROLES.some((v) => req.user.roles?.includes(v))) { if (!record) {
if ( throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
record?.createdByUserId !== req.user.sub && }
!record?.user.find((v) => v.userId === req.user.sub)
) { if (!isSystem(req.user)) {
if (!globalAllow(req.user) && record.user.length === 0) {
throw new HttpError( throw new HttpError(
HttpStatus.FORBIDDEN, HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.", "You do not have permission to perform this action.",
"noPermission", "noPermission",
); );
} else {
if (
(record.user.length === 0 && !record.headOffice) ||
(record.headOffice &&
record.headOffice.user.length === 0 &&
record.headOffice.branch.length === 0)
) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
} }
} }
@ -656,45 +714,22 @@ export class BranchController extends Controller {
@Get("{branchId}/line-image") @Get("{branchId}/line-image")
async getLineImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async getLineImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const url = await presignedGetObjectIfExist( const url = await minio.presignedGetObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.line(branchId), fileLocation.branch.line(branchId),
60 * 60, 60 * 60,
); );
if (!url) {
throw new HttpError(HttpStatus.NOT_FOUND, "Image cannot be found", "imageNotFound");
}
return req.res?.redirect(url); return req.res?.redirect(url);
} }
@Put("{branchId}/line-image") @Put("{branchId}/line-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async setLineImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async setLineImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: { id: branchId },
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
return req.res?.redirect( return req.res?.redirect(
await minio.presignedPutObject( await minio.presignedPutObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.line(record.id), fileLocation.branch.line(branchId),
12 * 60 * 60, 12 * 60 * 60,
), ),
); );
@ -703,71 +738,29 @@ export class BranchController extends Controller {
@Delete("{branchId}/line-image") @Delete("{branchId}/line-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async deleteLineImage(@Request() req: RequestWithUser, @Path() branchId: string) { async deleteLineImage(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: {
id: branchId,
},
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
await deleteFile(fileLocation.branch.line(branchId)); await deleteFile(fileLocation.branch.line(branchId));
} }
@Get("{branchId}/branch-image") @Get("{branchId}/branch-image")
async getBranchImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async getBranchImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const url = await presignedGetObjectIfExist( const url = await minio.presignedGetObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.image(branchId), fileLocation.branch.image(branchId),
60 * 60, 60 * 60,
); );
if (!url) {
throw new HttpError(HttpStatus.NOT_FOUND, "Image cannot be found", "imageNotFound");
}
return req.res?.redirect(url); return req.res?.redirect(url);
} }
@Put("{branchId}/branch-image") @Put("{branchId}/branch-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async setBranchImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async setBranchImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: { id: branchId },
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
return req.res?.redirect( return req.res?.redirect(
await minio.presignedPutObject( await minio.presignedPutObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.image(record.id), fileLocation.branch.image(branchId),
12 * 60 * 60, 12 * 60 * 60,
), ),
); );
@ -776,100 +769,34 @@ export class BranchController extends Controller {
@Delete("{branchId}/branch-image") @Delete("{branchId}/branch-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async deleteBranchImage(@Request() req: RequestWithUser, @Path() branchId: string) { async deleteBranchImage(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: {
id: branchId,
},
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
await deleteFile(fileLocation.branch.image(branchId)); await deleteFile(fileLocation.branch.image(branchId));
} }
@Get("{branchId}/map-image") @Get("{branchId}/map-image")
async getMapImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async getMapImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const url = await presignedGetObjectIfExist( const url = await minio.presignedGetObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.image(branchId), fileLocation.branch.image(branchId),
60 * 60, 60 * 60,
); );
if (!url) {
throw new HttpError(HttpStatus.NOT_FOUND, "Image cannot be found", "imageNotFound");
}
return req.res?.redirect(url); return req.res?.redirect(url);
} }
@Put("{branchId}/map-image") @Put("{branchId}/map-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async setMapImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) { async setMapImageByBranchId(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: { id: branchId },
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
return req.res?.redirect( return req.res?.redirect(
await minio.presignedPutObject( await minio.presignedPutObject(MINIO_BUCKET, fileLocation.branch.map(branchId), 12 * 60 * 60),
MINIO_BUCKET,
fileLocation.branch.map(record.id),
12 * 60 * 60,
),
); );
} }
@Delete("{branchId}/map-image") @Delete("{branchId}/map-image")
@Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager")) @Security("keycloak", MANAGE_ROLES.concat("admin", "branch_manager"))
async deleteMapImage(@Request() req: RequestWithUser, @Path() branchId: string) { async deleteMapImage(@Request() req: RequestWithUser, @Path() branchId: string) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: {
id: branchId,
},
});
if (!record) {
throw new HttpError(HttpStatus.NOT_FOUND, "Branch cannot be found.", "branchNotFound");
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
await deleteFile(fileLocation.branch.map(branchId)); await deleteFile(fileLocation.branch.map(branchId));
} }
@ -879,16 +806,11 @@ export class BranchController extends Controller {
@Path() branchId: string, @Path() branchId: string,
@Path() bankId: string, @Path() bankId: string,
) { ) {
const url = await presignedGetObjectIfExist( const url = await minio.presignedGetObject(
MINIO_BUCKET, MINIO_BUCKET,
fileLocation.branch.bank(branchId, bankId), fileLocation.branch.bank(branchId, bankId),
60 * 60, 60 * 60,
); );
if (!url) {
throw new HttpError(HttpStatus.NOT_FOUND, "Image cannot be found", "imageNotFound");
}
return req.res?.redirect(url); return req.res?.redirect(url);
} }
@ -899,32 +821,7 @@ export class BranchController extends Controller {
@Path() branchId: string, @Path() branchId: string,
@Path() bankId: string, @Path() bankId: string,
) { ) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: {
id: branchId,
bank: { some: { id: bankId } },
},
});
if (!record) {
throw new HttpError(
HttpStatus.NOT_FOUND,
"Branch Bank cannot be found.",
"branchBankNotFound",
);
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
return req.res?.redirect( return req.res?.redirect(
await minio.presignedPutObject( await minio.presignedPutObject(
MINIO_BUCKET, MINIO_BUCKET,
@ -941,32 +838,7 @@ export class BranchController extends Controller {
@Path() branchId: string, @Path() branchId: string,
@Path() bankId: string, @Path() bankId: string,
) { ) {
const record = await prisma.branch.findUnique({ await permissionCheck(req.user, branchId);
include: {
user: { where: { userId: req.user.sub } },
},
where: {
id: branchId,
bank: { some: { id: bankId } },
},
});
if (!record) {
throw new HttpError(
HttpStatus.NOT_FOUND,
"Branch Bank cannot be found.",
"branchBankNotFound",
);
}
if (!globalAllow(req.user) && !record?.user.find((v) => v.userId === req.user.sub)) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
await deleteFile(fileLocation.branch.bank(branchId, bankId)); await deleteFile(fileLocation.branch.bank(branchId, bankId));
} }
} }