fix: branch manager must not increase your own role

2024-08-30 10:04:59 +07:00 · 2024-08-30 10:04:59 +07:00 · cd153b062a
commit cd153b062a
parent 9d52eb99a5
1 changed files with 19 additions and 0 deletions
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@ -503,6 +503,25 @@ export class UserController extends Controller {
        "minimumBranchNotMet",
      );
    }
+    if (
+      body.userRole &&
+      !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))
+    ) {
+      if (body.userRole in ["system", "head_of_admin", "admin"]) {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      }
+      if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      }
+    }
    if (
      !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
      branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))