From c97a8e5f6630b516f7bc274121b920842f5d4bbe Mon Sep 17 00:00:00 2001
From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com>
Date: Wed, 24 Jul 2024 14:26:23 +0700
Subject: [PATCH] feaet: protect by roles

---
 src/controllers/quotation-controller.ts | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/controllers/quotation-controller.ts b/src/controllers/quotation-controller.ts
index 6e77fa9..c572660 100644
--- a/src/controllers/quotation-controller.ts
+++ b/src/controllers/quotation-controller.ts
@@ -157,6 +157,22 @@ type QuotationUpdate = {
   }[];
 };
 
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "branch_admin",
+  "branch_manager",
+  "accountant",
+  "branch_accountant",
+];
+
+function globalAllow(roles?: string[]) {
+  return ["system", "head_of_admin", "admin", "branch_admin", "branch_manager", "accountant"].some(
+    (v) => roles?.includes(v),
+  );
+}
+
 @Route("/api/v1/quotation")
 @Tags("Quotation")
 export class QuotationController extends Controller {
@@ -219,7 +235,7 @@ export class QuotationController extends Controller {
   }
 
   @Post()
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async createQuotation(@Request() req: RequestWithUser, @Body() body: QuotationCreate) {
     const existingEmployee = body.worker.filter((v) => typeof v === "string");
     const serviceIdList = body.service.map((v) => v.id);
@@ -479,7 +495,7 @@ export class QuotationController extends Controller {
   }
 
   @Put("{quotationId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async editQuotation(
     @Request() req: RequestWithUser,
     @Path() quotationId: string,
@@ -776,7 +792,7 @@ export class QuotationController extends Controller {
   }
 
   @Delete("{quotationId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async deleteQuotationById(@Request() req: RequestWithUser, @Path() quotationId: string) {
     const record = await prisma.quotation.findUnique({
       where: { id: quotationId },
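Review bot: `globalAllow` in the first hunk repeats the role list as an inline literal instead of deriving it from `MANAGE_ROLES`, so the two lists (which differ only by `"branch_accountant"`) can drift apart silently, and neither is typed, so a misspelled role name compiles and simply never matches. I would declare the global set once as a readonly tuple, build `MANAGE_ROLES` from it, and give `globalAllow` an explicit `boolean` return. The asymmetry is also worth a comment on `MANAGE_ROLES`, e.g. `// "branch_accountant" passes the @Security scope check but is not in globalAllow; handlers must still restrict it to the caller's branch` — the handler bodies that would do that continue outside these hunks, so I cannot confirm they do. `globalAllow` is not referenced in any hunk of this patch; if it is not used elsewhere in the file it is dead code.
```typescript
const GLOBAL_ROLES = [
  "system",
  "head_of_admin",
  "admin",
  "branch_admin",
  "branch_manager",
  "accountant",
] as const;

// "branch_accountant" passes the @Security scope check but is not in
// globalAllow; handlers must still restrict it to the caller's branch.
const MANAGE_ROLES: string[] = [...GLOBAL_ROLES, "branch_accountant"];

function globalAllow(roles?: readonly string[]): boolean {
  return GLOBAL_ROLES.some((v) => roles?.includes(v) === true);
}
```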
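Review bot: The scopes added to `@Security("keycloak", MANAGE_ROLES)` on `createQuotation` — and identically on `editQuotation` and `deleteQuotationById` in the two following hunks — only restrict anything if the project's `"keycloak"` authentication handler actually compares its `scopes` argument with the roles carried in the token; that handler is not in this patch, so if it ignores the second argument these decorators document intent but enforce nothing. A small integration test that a valid token holding none of `MANAGE_ROLES` receives a 401/403 on `POST /api/v1/quotation` would pin that down. The three handler bodies continue outside their hunks, so any finer-grained (per-branch) check they perform after the decorator is not visible here.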