From cd153b062ae1f34b8fdf911096ca544061f8fc72 Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Fri, 30 Aug 2024 10:04:59 +0700
Subject: [PATCH] fix: branch manager must not increase your own role
---
 src/controllers/user-controller.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index 5cd044d..c663a02 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -503,6 +503,25 @@ export class UserController extends Controller {
 "minimumBranchNotMet",
 );
 }
+ if (
+ body.userRole &&
+ !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))
+ ) {
+ if (body.userRole in ["system", "head_of_admin", "admin"]) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
 if (
 !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
 branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))
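Review bot: The first inner guard never fires: `body.userRole in ["system", "head_of_admin", "admin"]` tests whether the string is an array key (`"0"`, `"1"`, `"2"`), not a value, so a non-admin caller can still submit `userRole: "admin"` or `"system"` and fall through to the next check — the exact escalation this commit sets out to block. Use a value test instead: `if (["system", "head_of_admin", "admin"].includes(body.userRole)) {`. The second guard also reads `req.user.roles.includes("branch_admin")` without the `?.` used on the surrounding lines, so a token with no `roles` claim produces a TypeError rather than the intended 403; `!req.user.roles?.includes("branch_admin")` keeps the two consistent. The subject says a branch manager must not raise their own role, yet nothing visible in the hunk compares the target user with `req.user.sub`, so the self-change case presumably relies on code outside the hunk and is worth confirming. The enclosing method starts and ends outside this hunk.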