fix: wrong permission check

Methapon Metanipat 2024-08-30 09:57:22 +07:00
parent 78ce80b1a2
commit 9d52eb99a5


@ -333,6 +333,23 @@ export class UserController extends Controller {
if (user) {
throw new HttpError(HttpStatus.BAD_REQUEST, "User exists.", "userExists");
}
if (!["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))) {
if (body.userRole in ["system", "head_of_admin", "admin"]) {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
throw new HttpError(
HttpStatus.FORBIDDEN,
"You do not have permission to perform this action.",
"noPermission",
);
}
}
if (
!["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))