feat(perm): update api institue permission

2025-07-02 11:11:55 +07:00 · 2025-07-02 11:11:55 +07:00 · b0e941085e
commit b0e941085e
parent 6d44d2979b
1 changed files with 20 additions and 9 deletions
--- a/src/controllers/04-institution-controller.ts
+++ b/src/controllers/04-institution-controller.ts
@ -95,6 +95,17 @@ type InstitutionUpdatePayload = {
  }[];
 };

+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
+
@Route("api/v1/institution")
@Tags("Institution")
 export class InstitutionController extends Controller {
@ -185,7 +196,7 @@ export class InstitutionController extends Controller {
  }

  @Post()
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  @OperationId("createInstitution")
  async createInstitution(
    @Body()
@ -229,7 +240,7 @@ export class InstitutionController extends Controller {
  }

  @Put("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  @OperationId("updateInstitution")
  async updateInstitution(
    @Path() institutionId: string,
@ -278,7 +289,7 @@ export class InstitutionController extends Controller {
  }

  @Delete("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  @OperationId("deleteInstitution")
  async deleteInstitution(@Path() institutionId: string) {
    return await prisma.$transaction(async (tx) => {
@ -350,7 +361,7 @@ export class InstitutionFileController extends Controller {
  }

  @Put("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async putImage(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,
@ -364,7 +375,7 @@ export class InstitutionFileController extends Controller {
  }

  @Delete("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async delImage(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,
@ -394,7 +405,7 @@ export class InstitutionFileController extends Controller {
  }

  @Put("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async putAttachment(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,
@ -405,7 +416,7 @@ export class InstitutionFileController extends Controller {
  }

  @Delete("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async delAttachment(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,
@ -436,7 +447,7 @@ export class InstitutionFileController extends Controller {
  }

  @Put("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async putBankImage(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,
@ -450,7 +461,7 @@ export class InstitutionFileController extends Controller {
  }

  @Delete("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
  async delBankImage(
    @Request() req: RequestWithUser,
    @Path() institutionId: string,