From 9a310420e51f22f33d40bdf1d5d7898fa9ec5f13 Mon Sep 17 00:00:00 2001
From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com>
Date: Wed, 3 Jul 2024 15:42:49 +0700
Subject: [PATCH] feat: protect endpoints with role

---
 src/controllers/employee-checkup-controller.ts | 16 +++++++++++++++-
 src/controllers/employee-controller.ts | 17 ++++++++++++++++-
 .../employee-other-info-controller.ts | 15 ++++++++++++++-
 src/controllers/employee-work-controller.ts | 16 +++++++++++++++-
 4 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/src/controllers/employee-checkup-controller.ts b/src/controllers/employee-checkup-controller.ts
index c04bb13..309e858 100644
--- a/src/controllers/employee-checkup-controller.ts
+++ b/src/controllers/employee-checkup-controller.ts
@@ -16,6 +16,16 @@ import prisma from "../db";
 import HttpStatus from "../interfaces/http-status";
 import HttpError from "../interfaces/http-error";
 
+const MANAGE_ROLES = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_admin",
+ "branch_manager",
+ "head_of_sale",
+ "sale",
+];
+
 type EmployeeCheckupPayload = {
 checkupType?: string | null;
 checkupResult?: string | null;
@@ -32,9 +42,9 @@ type EmployeeCheckupPayload = {
 
 @Route("api/v1/employee/{employeeId}/checkup")
 @Tags("Employee Checkup")
-@Security("keycloak")
 export class EmployeeCheckupController extends Controller {
 @Get()
+ @Security("keycloak")
 async list(@Path() employeeId: string) {
 return prisma.employeeCheckup.findMany({
 include: {
@@ -47,6 +57,7 @@ export class EmployeeCheckupController extends Controller {
 }
 
 @Get("{checkupId}")
+ @Security("keycloak")
 async getById(@Path() employeeId: string, @Path() checkupId: string) {
 const record = await prisma.employeeCheckup.findFirst({
 include: {
@@ -66,6 +77,7 @@ export class EmployeeCheckupController extends Controller {
 }
 
 @Post()
+ @Security("keycloak", MANAGE_ROLES)
 async create(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
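Review bot: `MANAGE_ROLES` is declared verbatim in this file and again in employee-controller.ts (`@@ -24`), employee-other-info-controller.ts (`@@ -17`) and employee-work-controller.ts (`@@ -16`), so the four copies of the authorization allow-list can drift the first time one of them is edited. Declaring it once in a shared module and importing it would keep the role set consistent; tsoa reads the decorator argument statically when it generates the routes, so confirm the generator still emits the scopes when the identifier is an import rather than a same-file constant. The list also deserves a comment stating its contract, e.g. `// Keycloak roles allowed to create, update or delete employee records; read endpoints only require an authenticated user.`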
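Review bot: Removing the class-level `@Security("keycloak")` in the `@@ -32,9 +42,9` hunk turns authentication from a default into an opt-in, so any handler added to this controller later without its own decorator is served unauthenticated; the same applies to employee-controller.ts (`@@ -200`), employee-other-info-controller.ts (`@@ -34`) and employee-work-controller.ts (`@@ -30`). Keeping `@Security("keycloak")` on the class as the baseline and adding `@Security("keycloak", MANAGE_ROLES)` only on the mutating methods gives the same result with a fail-closed default, provided tsoa lets a method-level `@Security` override the controller-level one — I believe it does, but it is worth confirming in the generated routes. A test asserting that an unauthenticated request to each route is rejected would catch a future omission either way.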
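Review bot: The `@Security("keycloak", MANAGE_ROLES)` added before `create` in the `@@ -66,6 +77,7` hunk only hands the role list to the keycloak authentication handler; whether a caller lacking one of those roles is actually rejected depends on that handler, which is not part of this change. Confirm the handler compares the token's roles against the scopes it receives and treats the list as "any of these roles" rather than "all of them", since an allow-list of seven roles under all-of semantics would lock every caller out. `create` continues past the end of the hunk.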
@@ -109,6 +121,7 @@ export class EmployeeCheckupController extends Controller {
 }
 
 @Put("{checkupId}")
+ @Security("keycloak", MANAGE_ROLES)
 async editById(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
@@ -165,6 +178,7 @@ export class EmployeeCheckupController extends Controller {
 }
 
 @Delete("{checkupId}")
+ @Security("keycloak", MANAGE_ROLES)
 async deleteById(@Path() employeeId: string, @Path() checkupId: string) {
 const record = await prisma.employeeCheckup.findFirst({ where: { id: checkupId, employeeId } });
 
diff --git a/src/controllers/employee-controller.ts b/src/controllers/employee-controller.ts
index e3186c0..1d29af2 100644
--- a/src/controllers/employee-controller.ts
+++ b/src/controllers/employee-controller.ts
@@ -24,6 +24,15 @@ if (!process.env.MINIO_BUCKET) {
 }
 const MINIO_BUCKET = process.env.MINIO_BUCKET;
 
+const MANAGE_ROLES = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_admin",
+ "branch_manager",
+ "head_of_sale",
+ "sale",
+];
 
 function imageLocation(id: string) {
 return `employee/${id}/profile-image`;
@@ -200,9 +209,9 @@ type EmployeeUpdate = {
 
 @Route("api/v1/employee")
 @Tags("Employee")
-@Security("keycloak")
 export class EmployeeController extends Controller {
 @Get("stats")
+ @Security("keycloak")
 async getEmployeeStats(@Query() customerBranchId?: string) {
 return await prisma.employee.count({
 where: { customerBranchId },
@@ -210,6 +219,7 @@ export class EmployeeController extends Controller {
 }
 
 @Get("stats/gender")
+ @Security("keycloak")
 async getEmployeeStatsGender(
 @Query() customerBranchId?: string,
 @Query() status?: Status,
@@ -245,6 +255,7 @@ export class EmployeeController extends Controller {
 }
 
 @Get()
+ @Security("keycloak")
 async list(
 @Query() zipCode?: string,
 @Query() gender?: string,
@@ -305,6 +316,7 @@ export class EmployeeController extends Controller {
 }
 
 @Get("{employeeId}")
+ @Security("keycloak")
 async getById(@Path() employeeId: string) {
 const record = await prisma.employee.findFirst({
 include: {
@@ -325,6 +337,7 @@ export class EmployeeController extends Controller {
 }
 
 @Post()
+ @Security("keycloak", MANAGE_ROLES)
 async create(@Request() req: RequestWithUser, @Body() body: EmployeeCreate) {
 const [province, district, subDistrict, customerBranch] = await prisma.$transaction([
 prisma.province.findFirst({ where: { id: body.provinceId || undefined } }),
@@ -483,6 +496,7 @@ export class EmployeeController extends Controller {
 }
 
 @Put("{employeeId}")
+ @Security("keycloak", MANAGE_ROLES)
 async editById(
 @Request() req: RequestWithUser,
 @Body() body: EmployeeUpdate,
@@ -709,6 +723,7 @@ export class EmployeeController extends Controller {
 }
 
 @Delete("{employeeId}")
+ @Security("keycloak", MANAGE_ROLES)
 async delete(@Path() employeeId: string) {
 const record = await prisma.employee.findFirst({ where: { id: employeeId } });
 
diff --git a/src/controllers/employee-other-info-controller.ts b/src/controllers/employee-other-info-controller.ts
index adc530d..7867eb7 100644
--- a/src/controllers/employee-other-info-controller.ts
+++ b/src/controllers/employee-other-info-controller.ts
@@ -17,6 +17,16 @@ import HttpError from "../interfaces/http-error";
 import HttpStatus from "../interfaces/http-status";
 import { RequestWithUser } from "../interfaces/user";
 
+const MANAGE_ROLES = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_admin",
+ "branch_manager",
+ "head_of_sale",
+ "sale",
+];
+
 type EmployeeOtherInfoPayload = {
 citizenId?: string | null;
 fatherFirstName?: string | null;
@@ -34,9 +44,9 @@ type EmployeeOtherInfoPayload = {
 
 @Route("api/v1/employee/{employeeId}/other-info")
 @Tags("Employee Other Info")
-@Security("keycloak")
 export class EmployeeOtherInfo extends Controller {
 @Get()
+ @Security("keycloak")
 async list(@Path() employeeId: string) {
 return prisma.employeeOtherInfo.findFirst({
 include: {
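Review bot: With only `@Security("keycloak")` on `list` in the `@@ -34,9 +44,9` hunk of employee-other-info-controller.ts, every authenticated user can read the other-info record, whose payload type in the `@@ -17` hunk of the same file includes `citizenId` and family names. That is a broader audience than the one allowed to write it; if read access to this personal data is meant to be limited as well, the same role list (or a narrower read-only list) should be applied here too. The body of `list` continues outside the hunk.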
@@ -49,6 +59,7 @@ export class EmployeeOtherInfo extends Controller {
 }
 
 @Post()
+ @Security("keycloak", MANAGE_ROLES)
 async create(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
@@ -76,6 +87,7 @@ export class EmployeeOtherInfo extends Controller {
 }
 
 @Put("{otherInfoId}")
+ @Security("keycloak", MANAGE_ROLES)
 async editById(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
@@ -105,6 +117,7 @@ export class EmployeeOtherInfo extends Controller {
 }
 
 @Delete("{otherInfoId}")
+ @Security("keycloak", MANAGE_ROLES)
 async deleteById(@Path() employeeId: string, @Path() otherInfoId: string) {
 const record = await prisma.employeeOtherInfo.findFirst({
 where: { id: otherInfoId, employeeId },
diff --git a/src/controllers/employee-work-controller.ts b/src/controllers/employee-work-controller.ts
index 95d9625..cab015b 100644
--- a/src/controllers/employee-work-controller.ts
+++ b/src/controllers/employee-work-controller.ts
@@ -16,6 +16,16 @@ import prisma from "../db";
 import HttpStatus from "../interfaces/http-status";
 import HttpError from "../interfaces/http-error";
 
+const MANAGE_ROLES = [
+ "system",
+ "head_of_admin",
+ "admin",
+ "branch_admin",
+ "branch_manager",
+ "head_of_sale",
+ "sale",
+];
+
 type EmployeeWorkPayload = {
 ownerName?: string | null;
 positionName?: string | null;
@@ -30,9 +40,9 @@ type EmployeeWorkPayload = {
 
 @Route("api/v1/employee/{employeeId}/work")
 @Tags("Employee Work")
-@Security("keycloak")
 export class EmployeeWorkController extends Controller {
 @Get()
+ @Security("keycloak")
 async list(@Path() employeeId: string) {
 return prisma.employeeWork.findMany({
 include: {
@@ -45,6 +55,7 @@ export class EmployeeWorkController extends Controller {
 }
 
 @Get("{workId}")
+ @Security("keycloak")
 async getById(@Path() employeeId: string, @Path() workId: string) {
 const record = await prisma.employeeWork.findFirst({
 include: {
@@ -64,6 +75,7 @@ export class EmployeeWorkController extends Controller {
 }
 
 @Post()
+ @Security("keycloak", MANAGE_ROLES)
 async create(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
@@ -91,6 +103,7 @@ export class EmployeeWorkController extends Controller {
 }
 
 @Put("{workId}")
+ @Security("keycloak", MANAGE_ROLES)
 async editById(
 @Request() req: RequestWithUser,
 @Path() employeeId: string,
@@ -120,6 +133,7 @@ export class EmployeeWorkController extends Controller {
 }
 
 @Delete("{workId}")
+ @Security("keycloak", MANAGE_ROLES)
 async deleteById(@Path() employeeId: string, @Path() workId: string) {
 const record = await prisma.employeeWork.findFirst({
 include: {