From 9d52eb99a50ac1268e2d8920b7d9fb3b24cfeecd Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Fri, 30 Aug 2024 09:57:22 +0700
Subject: [PATCH] fix: wrong permission check

---
 src/controllers/user-controller.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index caedd93..5cd044d 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -333,6 +333,23 @@ export class UserController extends Controller {
 if (user) {
 throw new HttpError(HttpStatus.BAD_REQUEST, "User exists.", "userExists");
 }
+
+ if (!["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))) {
+ if (body.userRole in ["system", "head_of_admin", "admin"]) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
 if (
 !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
 branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))
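Review bot: The new role guard `if (body.userRole in ["system", "head_of_admin", "admin"])` never fires for those role names, because `in` tests property keys of the array (`"0"`, `"1"`, `"2"`, `"length"`, …) rather than element membership, so a caller without a system/head_of_admin/admin role is still able to create a user with one of those roles. Use element membership instead: `if (["system", "head_of_admin", "admin"].includes(body.userRole)) {`. The second guard calls `req.user.roles.includes("branch_admin")` without the optional chaining the first check uses, so a request whose `roles` is undefined passes the outer check and then throws a TypeError here instead of the intended 403; `req.user.roles?.includes("branch_admin")` keeps the two checks consistent. The privileged-role list is now spelled out three times in this hunk, so hoisting it into a single module-level constant would keep future changes in one place. The enclosing method starts and ends outside the hunk.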