feat(perm): update api product/service permission

2025-07-02 13:21:10 +07:00 · 2025-07-02 13:21:10 +07:00 · afb725fceb
commit afb725fceb
parent b0e941085e
3 changed files with 37 additions and 14 deletions
--- a/src/controllers/04-product-controller.ts
+++ b/src/controllers/04-product-controller.ts
@ -35,14 +35,16 @@ const MANAGE_ROLES = [
  "system",
  "head_of_admin",
  "admin",
-  "head_of_accountant",
+  "executive",
  "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];

 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
-  return allowList.some((v) => user.roles?.includes(v));
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }

 const permissionCondCompany = createPermCondition((_) => true);
--- a/src/controllers/04-product-group-controller.ts
+++ b/src/controllers/04-product-group-controller.ts
@ -35,7 +35,7 @@ type ProductGroupCreate = {
  remark: string;
  status?: Status;
  shared?: boolean;
-  registeredBranchId: string;
+  registeredBranchId?: string;
 };

 type ProductGroupUpdate = {
@ -51,14 +51,16 @@ const MANAGE_ROLES = [
  "system",
  "head_of_admin",
  "admin",
-  "head_of_accountant",
+  "executive",
  "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];

 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
-  return allowList.some((v) => user.roles?.includes(v));
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }

 const permissionCond = createPermCondition((_) => true);
@ -157,7 +159,23 @@ export class ProductGroup extends Controller {
  @Post()
  @Security("keycloak", MANAGE_ROLES)
  async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
-    let company = await permissionCheck(req.user, body.registeredBranchId).then(
+    const userAffiliatedBranch = await prisma.branch.findFirst({
+      include: branchRelationPermInclude(req.user),
+      where: body.registeredBranchId
+        ? { id: body.registeredBranchId }
+        : {
+            user: { some: { userId: req.user.sub } },
+          },
+    });
+    if (!userAffiliatedBranch) {
+      throw new HttpError(
+        HttpStatus.BAD_REQUEST,
+        "You must be affilated with at least one branch or specify branch to be registered (System permission required).",
+        "reqMinAffilatedBranch",
+      );
+    }
+
+    let company = await permissionCheck(req.user, userAffiliatedBranch).then(
      (v) => (v.headOffice || v).code,
    );

@ -181,6 +199,7 @@ export class ProductGroup extends Controller {
          },
          data: {
            ...body,
+            registeredBranchId: userAffiliatedBranch.id,
            statusOrder: +(body.status === "INACTIVE"),
            code: `G${last.value.toString().padStart(2, "0")}`,
            createdByUserId: req.user.sub,
--- a/src/controllers/04-service-controller.ts
+++ b/src/controllers/04-service-controller.ts
@ -42,14 +42,16 @@ const MANAGE_ROLES = [
  "system",
  "head_of_admin",
  "admin",
-  "head_of_accountant",
+  "executive",
  "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];

 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
-  return allowList.some((v) => user.roles?.includes(v));
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }

 const permissionCondCompany = createPermCondition((_) => true);