feaet: protect by roles

src/controllers/quotation-controller.ts

@@ -157,6 +157,22 @@ type QuotationUpdate = {
   }[];
 };
 
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "branch_admin",
+  "branch_manager",
+  "accountant",
+  "branch_accountant",
+];
+
+function globalAllow(roles?: string[]) {
+  return ["system", "head_of_admin", "admin", "branch_admin", "branch_manager", "accountant"].some(
+    (v) => roles?.includes(v),
+  );
+}
+
 @Route("/api/v1/quotation")
 @Tags("Quotation")
 export class QuotationController extends Controller {
@@ -219,7 +235,7 @@ export class QuotationController extends Controller {
   }
 
   @Post()
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async createQuotation(@Request() req: RequestWithUser, @Body() body: QuotationCreate) {
     const existingEmployee = body.worker.filter((v) => typeof v === "string");
     const serviceIdList = body.service.map((v) => v.id);
@@ -479,7 +495,7 @@ export class QuotationController extends Controller {
   }
 
   @Put("{quotationId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async editQuotation(
     @Request() req: RequestWithUser,
     @Path() quotationId: string,
@@ -776,7 +792,7 @@ export class QuotationController extends Controller {
   }
 
   @Delete("{quotationId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async deleteQuotationById(@Request() req: RequestWithUser, @Path() quotationId: string) {
     const record = await prisma.quotation.findUnique({
       where: { id: quotationId },