feat: protect endpoints with role

This commit is contained in:
Methapon2001 2024-07-03 15:42:49 +07:00
parent 20c7414407
commit 9a310420e5
4 changed files with 60 additions and 4 deletions

@ -16,6 +16,16 @@ import prisma from "../db";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_admin",
"branch_manager",
"head_of_sale",
"sale",
];
type EmployeeCheckupPayload = {
checkupType?: string | null;
checkupResult?: string | null;
@ -32,9 +42,9 @@ type EmployeeCheckupPayload = {
@Route("api/v1/employee/{employeeId}/checkup")
@Tags("Employee Checkup")
@Security("keycloak")
export class EmployeeCheckupController extends Controller {
@Get()
@Security("keycloak")
async list(@Path() employeeId: string) {
return prisma.employeeCheckup.findMany({
include: {
@ -47,6 +57,7 @@ export class EmployeeCheckupController extends Controller {
}
@Get("{checkupId}")
@Security("keycloak")
async getById(@Path() employeeId: string, @Path() checkupId: string) {
const record = await prisma.employeeCheckup.findFirst({
include: {
@ -66,6 +77,7 @@ export class EmployeeCheckupController extends Controller {
}
@Post()
@Security("keycloak", MANAGE_ROLES)
async create(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -109,6 +121,7 @@ export class EmployeeCheckupController extends Controller {
}
@Put("{checkupId}")
@Security("keycloak", MANAGE_ROLES)
async editById(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -165,6 +178,7 @@ export class EmployeeCheckupController extends Controller {
}
@Delete("{checkupId}")
@Security("keycloak", MANAGE_ROLES)
async deleteById(@Path() employeeId: string, @Path() checkupId: string) {
const record = await prisma.employeeCheckup.findFirst({ where: { id: checkupId, employeeId } });
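Review bot: The `MANAGE_ROLES` block at the top of this section is copied verbatim into the employee, other-info and work controllers in this same commit, so four role lists must now be kept in sync by hand and a role added to one file silently fails to gate the other three. Hoist it into a single shared module (the `../interfaces` directory already imported here is a natural home) as `export const MANAGE_ROLES = [ /* same list */ ];` and import it in each controller. A one-line doc comment on the constant would also help, e.g. `/** Keycloak roles allowed to create, update or delete employee data; read endpoints only require an authenticated session. */`, since the list itself does not say what it gates or why `sale` is included.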

@ -24,6 +24,15 @@ if (!process.env.MINIO_BUCKET) {
}
const MINIO_BUCKET = process.env.MINIO_BUCKET;
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_admin",
"branch_manager",
"head_of_sale",
"sale",
];
function imageLocation(id: string) {
return `employee/${id}/profile-image`;
@ -200,9 +209,9 @@ type EmployeeUpdate = {
@Route("api/v1/employee")
@Tags("Employee")
@Security("keycloak")
export class EmployeeController extends Controller {
@Get("stats")
@Security("keycloak")
async getEmployeeStats(@Query() customerBranchId?: string) {
return await prisma.employee.count({
where: { customerBranchId },
@ -210,6 +219,7 @@ export class EmployeeController extends Controller {
}
@Get("stats/gender")
@Security("keycloak")
async getEmployeeStatsGender(
@Query() customerBranchId?: string,
@Query() status?: Status,
@ -245,6 +255,7 @@ export class EmployeeController extends Controller {
}
@Get()
@Security("keycloak")
async list(
@Query() zipCode?: string,
@Query() gender?: string,
@ -305,6 +316,7 @@ export class EmployeeController extends Controller {
}
@Get("{employeeId}")
@Security("keycloak")
async getById(@Path() employeeId: string) {
const record = await prisma.employee.findFirst({
include: {
@ -325,6 +337,7 @@ export class EmployeeController extends Controller {
}
@Post()
@Security("keycloak", MANAGE_ROLES)
async create(@Request() req: RequestWithUser, @Body() body: EmployeeCreate) {
const [province, district, subDistrict, customerBranch] = await prisma.$transaction([
prisma.province.findFirst({ where: { id: body.provinceId || undefined } }),
@ -483,6 +496,7 @@ export class EmployeeController extends Controller {
}
@Put("{employeeId}")
@Security("keycloak", MANAGE_ROLES)
async editById(
@Request() req: RequestWithUser,
@Body() body: EmployeeUpdate,
@ -709,6 +723,7 @@ export class EmployeeController extends Controller {
}
@Delete("{employeeId}")
@Security("keycloak", MANAGE_ROLES)
async delete(@Path() employeeId: string) {
const record = await prisma.employee.findFirst({ where: { id: employeeId } });
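Review bot: With every handler in `EmployeeController` now carrying its own `@Security`, the class-level `@Security("keycloak")` above `export class EmployeeController` is either redundant or the one line this section removes — the rendered page does not mark which side it is on. If it is being removed, any method later added to the controller without its own decorator is exposed with no authentication at all, because tsoa only enforces security that is declared; keeping the class-level decorator as a fail-closed baseline costs nothing, since a method-level `@Security` overrides it rather than merging with it. The same question applies to the checkup, other-info and work controllers in this commit.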

@ -17,6 +17,16 @@ import HttpError from "../interfaces/http-error";
import HttpStatus from "../interfaces/http-status";
import { RequestWithUser } from "../interfaces/user";
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_admin",
"branch_manager",
"head_of_sale",
"sale",
];
type EmployeeOtherInfoPayload = {
citizenId?: string | null;
fatherFirstName?: string | null;
@ -34,9 +44,9 @@ type EmployeeOtherInfoPayload = {
@Route("api/v1/employee/{employeeId}/other-info")
@Tags("Employee Other Info")
@Security("keycloak")
export class EmployeeOtherInfo extends Controller {
@Get()
@Security("keycloak")
async list(@Path() employeeId: string) {
return prisma.employeeOtherInfo.findFirst({
include: {
@ -49,6 +59,7 @@ export class EmployeeOtherInfo extends Controller {
}
@Post()
@Security("keycloak", MANAGE_ROLES)
async create(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -76,6 +87,7 @@ export class EmployeeOtherInfo extends Controller {
}
@Put("{otherInfoId}")
@Security("keycloak", MANAGE_ROLES)
async editById(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -105,6 +117,7 @@ export class EmployeeOtherInfo extends Controller {
}
@Delete("{otherInfoId}")
@Security("keycloak", MANAGE_ROLES)
async deleteById(@Path() employeeId: string, @Path() otherInfoId: string) {
const record = await prisma.employeeOtherInfo.findFirst({
where: { id: otherInfoId, employeeId },
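Review bot: The new gates on `create`, `editById` and `deleteById` check role membership only; nothing in these hunks ties `branch_admin` or `branch_manager` to the branch of the target employee, although the employee controller in this commit filters on `customerBranchId`, so the data model does carry one. If those roles are meant to be branch-scoped, a `branch_manager` can currently modify other-info records of any employee whose id they know, and each write handler would also need an ownership check of the employee's branch against `req.user` before touching the record — presumably not intended, so confirm against the role model. `deleteById` takes no `@Request()` parameter at all, so it has no caller identity to scope on; its body continues outside the hunk.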

@ -16,6 +16,16 @@ import prisma from "../db";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
const MANAGE_ROLES = [
"system",
"head_of_admin",
"admin",
"branch_admin",
"branch_manager",
"head_of_sale",
"sale",
];
type EmployeeWorkPayload = {
ownerName?: string | null;
positionName?: string | null;
@ -30,9 +40,9 @@ type EmployeeWorkPayload = {
@Route("api/v1/employee/{employeeId}/work")
@Tags("Employee Work")
@Security("keycloak")
export class EmployeeWorkController extends Controller {
@Get()
@Security("keycloak")
async list(@Path() employeeId: string) {
return prisma.employeeWork.findMany({
include: {
@ -45,6 +55,7 @@ export class EmployeeWorkController extends Controller {
}
@Get("{workId}")
@Security("keycloak")
async getById(@Path() employeeId: string, @Path() workId: string) {
const record = await prisma.employeeWork.findFirst({
include: {
@ -64,6 +75,7 @@ export class EmployeeWorkController extends Controller {
}
@Post()
@Security("keycloak", MANAGE_ROLES)
async create(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -91,6 +103,7 @@ export class EmployeeWorkController extends Controller {
}
@Put("{workId}")
@Security("keycloak", MANAGE_ROLES)
async editById(
@Request() req: RequestWithUser,
@Path() employeeId: string,
@ -120,6 +133,7 @@ export class EmployeeWorkController extends Controller {
}
@Delete("{workId}")
@Security("keycloak", MANAGE_ROLES)
async deleteById(@Path() employeeId: string, @Path() workId: string) {
const record = await prisma.employeeWork.findFirst({
include: {