From 425e99bfdecc1b57f7a553427e9a9ede96e144ec Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:26:57 +0700 Subject: [PATCH 1/8] feat(perm): update api branch perm --- src/controllers/01-branch-controller.ts | 22 ++++++++++++-------- src/controllers/01-branch-user-controller.ts | 13 ++++++++++-- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/src/controllers/01-branch-controller.ts b/src/controllers/01-branch-controller.ts index a10352d..a09e24b 100644 --- a/src/controllers/01-branch-controller.ts +++ b/src/controllers/01-branch-controller.ts @@ -47,16 +47,20 @@ if (!process.env.MINIO_BUCKET) { throw Error("Require MinIO bucket."); } -const MANAGE_ROLES = ["system", "head_of_admin"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; function globalAllow(user: RequestWithUser["user"]) { - return MANAGE_ROLES.some((v) => user.roles?.includes(v)); -} - -function globalAllowView(user: RequestWithUser["user"]) { - return MANAGE_ROLES.concat("head_of_accountant", "head_of_sale").some((v) => - user.roles?.includes(v), - ); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type BranchCreate = { @@ -147,7 +151,7 @@ type BranchUpdate = { }[]; }; -const permissionCond = createPermCondition(globalAllowView); +const permissionCond = createPermCondition(globalAllow); const permissionCheck = createPermCheck(globalAllow); @Route("api/v1/branch") diff --git a/src/controllers/01-branch-user-controller.ts b/src/controllers/01-branch-user-controller.ts index 05177d2..d74742f 100644 --- a/src/controllers/01-branch-user-controller.ts +++ b/src/controllers/01-branch-user-controller.ts @@ -20,10 +20,19 @@ import { RequestWithUser } from "../interfaces/user"; import { branchRelationPermInclude, createPermCheck } from "../services/permission"; import { queryOrNot, whereDateQuery } from "../utils/relation"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; function globalAllow(user: RequestWithUser["user"]) { - const listAllowed = ["system", "head_of_admin", "admin"]; + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; return user.roles?.some((v) => listAllowed.includes(v)) || false; } From 41f5de7fd02ccabc250ddf0ffd43964484e6ce12 Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:27:06 +0700 Subject: [PATCH 2/8] feat(perm): update api user perm --- src/controllers/02-user-controller.ts | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/controllers/02-user-controller.ts b/src/controllers/02-user-controller.ts index b8b70ac..143eb71 100644 --- a/src/controllers/02-user-controller.ts +++ b/src/controllers/02-user-controller.ts @@ -61,10 +61,17 @@ if (!process.env.MINIO_BUCKET) { throw Error("Require MinIO bucket."); } -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "branch_admin", + "branch_manager", +]; function globalAllow(user: RequestWithUser["user"]) { - const listAllowed = ["system", "head_of_admin"]; + const listAllowed = ["system", "head_of_admin", "admin", "executive"]; return user.roles?.some((v) => listAllowed.includes(v)) || false; } From fa95fe46a5c898f4107f676bce51f5ca272ff143 Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:27:24 +0700 Subject: [PATCH 3/8] feat(perm): update api customer/employee perm --- .../03-customer-branch-citizen-controller.ts | 11 ++++++----- src/controllers/03-customer-branch-controller.ts | 11 ++++++----- src/controllers/03-customer-controller.ts | 11 ++++++----- src/controllers/03-employee-checkup-controller.ts | 10 ++++++---- src/controllers/03-employee-controller.ts | 10 ++++++---- src/controllers/03-employee-other-info-controller.ts | 10 ++++++---- src/controllers/03-employee-passport-controller.ts | 10 ++++++---- src/controllers/03-employee-visa-controller.ts | 10 ++++++---- src/controllers/03-employee-work-controller.ts | 10 ++++++---- 9 files changed, 54 insertions(+), 39 deletions(-) diff --git a/src/controllers/03-customer-branch-citizen-controller.ts b/src/controllers/03-customer-branch-citizen-controller.ts index 75110c3..f17b746 100644 --- a/src/controllers/03-customer-branch-citizen-controller.ts +++ b/src/controllers/03-customer-branch-citizen-controller.ts @@ -23,15 +23,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", - "sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type CustomerBranchCitizenPayload = { diff --git a/src/controllers/03-customer-branch-controller.ts b/src/controllers/03-customer-branch-controller.ts index 5c94a2f..529700b 100644 --- a/src/controllers/03-customer-branch-controller.ts +++ b/src/controllers/03-customer-branch-controller.ts @@ -47,15 +47,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", - "sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); diff --git a/src/controllers/03-customer-controller.ts b/src/controllers/03-customer-controller.ts index 122726f..bfc327d 100644 --- a/src/controllers/03-customer-controller.ts +++ b/src/controllers/03-customer-controller.ts @@ -42,15 +42,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", - "sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); diff --git a/src/controllers/03-employee-checkup-controller.ts b/src/controllers/03-employee-checkup-controller.ts index a72ad2d..71ceafd 100644 --- a/src/controllers/03-employee-checkup-controller.ts +++ b/src/controllers/03-employee-checkup-controller.ts @@ -23,14 +23,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type EmployeeCheckupPayload = { diff --git a/src/controllers/03-employee-controller.ts b/src/controllers/03-employee-controller.ts index a6d67c1..797a994 100644 --- a/src/controllers/03-employee-controller.ts +++ b/src/controllers/03-employee-controller.ts @@ -51,14 +51,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCond = createPermCondition(globalAllow); diff --git a/src/controllers/03-employee-other-info-controller.ts b/src/controllers/03-employee-other-info-controller.ts index d6b73e7..bc85efc 100644 --- a/src/controllers/03-employee-other-info-controller.ts +++ b/src/controllers/03-employee-other-info-controller.ts @@ -23,14 +23,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type EmployeeOtherInfoPayload = { diff --git a/src/controllers/03-employee-passport-controller.ts b/src/controllers/03-employee-passport-controller.ts index 6af121c..1d17e07 100644 --- a/src/controllers/03-employee-passport-controller.ts +++ b/src/controllers/03-employee-passport-controller.ts @@ -22,14 +22,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type EmployeePassportPayload = { diff --git a/src/controllers/03-employee-visa-controller.ts b/src/controllers/03-employee-visa-controller.ts index b1fe09d..a5af041 100644 --- a/src/controllers/03-employee-visa-controller.ts +++ b/src/controllers/03-employee-visa-controller.ts @@ -22,14 +22,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type EmployeeVisaPayload = { diff --git a/src/controllers/03-employee-work-controller.ts b/src/controllers/03-employee-work-controller.ts index 3704546..7671c2a 100644 --- a/src/controllers/03-employee-work-controller.ts +++ b/src/controllers/03-employee-work-controller.ts @@ -22,14 +22,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } type EmployeeWorkPayload = { From 6d44d2979b7f9ed5182a6182c275f36c6ce46745 Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:48:24 +0700 Subject: [PATCH 4/8] feat(perm): update api flow template permission --- .../04-flow-template-controller.ts | 26 ++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/src/controllers/04-flow-template-controller.ts b/src/controllers/04-flow-template-controller.ts index 940fd1d..85ab0b3 100644 --- a/src/controllers/04-flow-template-controller.ts +++ b/src/controllers/04-flow-template-controller.ts @@ -44,14 +44,30 @@ type WorkflowPayload = { status?: Status; }; -const permissionCondCompany = createPermCondition((_) => true); -const permissionCheckCompany = createPermCheck((_) => true); +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; + +function globalAllow(user: RequestWithUser["user"]) { + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; +} + +const permissionCondCompany = createPermCondition(globalAllow); +const permissionCheckCompany = createPermCheck(globalAllow); @Route("api/v1/workflow-template") @Tags("Workflow") -@Security("keycloak") export class FlowTemplateController extends Controller { @Get() + @Security("keycloak") async getFlowTemplate( @Request() req: RequestWithUser, @Query() page: number = 1, @@ -118,6 +134,7 @@ export class FlowTemplateController extends Controller { } @Get("{templateId}") + @Security("keycloak") async getFlowTemplateById(@Request() _req: RequestWithUser, @Path() templateId: string) { const record = await prisma.workflowTemplate.findFirst({ include: { @@ -150,6 +167,7 @@ export class FlowTemplateController extends Controller { } @Post() + @Security("keycloak", MANAGE_ROLES) async createFlowTemplate(@Request() req: RequestWithUser, @Body() body: WorkflowPayload) { const where = { OR: [ @@ -230,6 +248,7 @@ export class FlowTemplateController extends Controller { } @Put("{templateId}") + @Security("keycloak", MANAGE_ROLES) async updateFlowTemplate( @Request() req: RequestWithUser, @Path() templateId: string, @@ -315,6 +334,7 @@ export class FlowTemplateController extends Controller { } @Delete("{templateId}") + @Security("keycloak", MANAGE_ROLES) async deleteFlowTemplateById(@Request() req: RequestWithUser, @Path() templateId: string) { const record = await prisma.workflowTemplate.findUnique({ where: { id: templateId }, From b0e941085eeb2b9cbb39b53219513fb4afde67b1 Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 11:11:55 +0700 Subject: [PATCH 5/8] feat(perm): update api institue permission --- src/controllers/04-institution-controller.ts | 29 ++++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/src/controllers/04-institution-controller.ts b/src/controllers/04-institution-controller.ts index 21611a7..7121f3c 100644 --- a/src/controllers/04-institution-controller.ts +++ b/src/controllers/04-institution-controller.ts @@ -95,6 +95,17 @@ type InstitutionUpdatePayload = { }[]; }; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; + @Route("api/v1/institution") @Tags("Institution") export class InstitutionController extends Controller { @@ -185,7 +196,7 @@ export class InstitutionController extends Controller { } @Post() - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) @OperationId("createInstitution") async createInstitution( @Body() @@ -229,7 +240,7 @@ export class InstitutionController extends Controller { } @Put("{institutionId}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) @OperationId("updateInstitution") async updateInstitution( @Path() institutionId: string, @@ -278,7 +289,7 @@ export class InstitutionController extends Controller { } @Delete("{institutionId}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) @OperationId("deleteInstitution") async deleteInstitution(@Path() institutionId: string) { return await prisma.$transaction(async (tx) => { @@ -350,7 +361,7 @@ export class InstitutionFileController extends Controller { } @Put("image/{name}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async putImage( @Request() req: RequestWithUser, @Path() institutionId: string, @@ -364,7 +375,7 @@ export class InstitutionFileController extends Controller { } @Delete("image/{name}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async delImage( @Request() req: RequestWithUser, @Path() institutionId: string, @@ -394,7 +405,7 @@ export class InstitutionFileController extends Controller { } @Put("attachment/{name}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async putAttachment( @Request() req: RequestWithUser, @Path() institutionId: string, @@ -405,7 +416,7 @@ export class InstitutionFileController extends Controller { } @Delete("attachment/{name}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async delAttachment( @Request() req: RequestWithUser, @Path() institutionId: string, @@ -436,7 +447,7 @@ export class InstitutionFileController extends Controller { } @Put("bank-qr/{bankId}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async putBankImage( @Request() req: RequestWithUser, @Path() institutionId: string, @@ -450,7 +461,7 @@ export class InstitutionFileController extends Controller { } @Delete("bank-qr/{bankId}") - @Security("keycloak") + @Security("keycloak", MANAGE_ROLES) async delBankImage( @Request() req: RequestWithUser, @Path() institutionId: string, From afb725fceb011289c425ccec37ae6643d5cb34cf Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 13:21:10 +0700 Subject: [PATCH 6/8] feat(perm): update api product/service permission --- src/controllers/04-product-controller.ts | 10 +++--- .../04-product-group-controller.ts | 31 +++++++++++++++---- src/controllers/04-service-controller.ts | 10 +++--- 3 files changed, 37 insertions(+), 14 deletions(-) diff --git a/src/controllers/04-product-controller.ts b/src/controllers/04-product-controller.ts index 3f2ff4e..0a3bbdd 100644 --- a/src/controllers/04-product-controller.ts +++ b/src/controllers/04-product-controller.ts @@ -35,14 +35,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); diff --git a/src/controllers/04-product-group-controller.ts b/src/controllers/04-product-group-controller.ts index ecd4ac6..2cb47b3 100644 --- a/src/controllers/04-product-group-controller.ts +++ b/src/controllers/04-product-group-controller.ts @@ -35,7 +35,7 @@ type ProductGroupCreate = { remark: string; status?: Status; shared?: boolean; - registeredBranchId: string; + registeredBranchId?: string; }; type ProductGroupUpdate = { @@ -51,14 +51,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCond = createPermCondition((_) => true); @@ -157,7 +159,23 @@ export class ProductGroup extends Controller { @Post() @Security("keycloak", MANAGE_ROLES) async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) { - let company = await permissionCheck(req.user, body.registeredBranchId).then( + const userAffiliatedBranch = await prisma.branch.findFirst({ + include: branchRelationPermInclude(req.user), + where: body.registeredBranchId + ? { id: body.registeredBranchId } + : { + user: { some: { userId: req.user.sub } }, + }, + }); + if (!userAffiliatedBranch) { + throw new HttpError( + HttpStatus.BAD_REQUEST, + "You must be affilated with at least one branch or specify branch to be registered (System permission required).", + "reqMinAffilatedBranch", + ); + } + + let company = await permissionCheck(req.user, userAffiliatedBranch).then( (v) => (v.headOffice || v).code, ); @@ -181,6 +199,7 @@ export class ProductGroup extends Controller { }, data: { ...body, + registeredBranchId: userAffiliatedBranch.id, statusOrder: +(body.status === "INACTIVE"), code: `G${last.value.toString().padStart(2, "0")}`, createdByUserId: req.user.sub, diff --git a/src/controllers/04-service-controller.ts b/src/controllers/04-service-controller.ts index ed46c18..9b9253e 100644 --- a/src/controllers/04-service-controller.ts +++ b/src/controllers/04-service-controller.ts @@ -42,14 +42,16 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); From d08327afb6175e89a188bd7ed5a590754fde4d3a Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Wed, 2 Jul 2025 13:52:07 +0700 Subject: [PATCH 7/8] feat(perm): update api task permission --- src/controllers/07-task-controller.ts | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/controllers/07-task-controller.ts b/src/controllers/07-task-controller.ts index da3c13d..bac70dd 100644 --- a/src/controllers/07-task-controller.ts +++ b/src/controllers/07-task-controller.ts @@ -44,11 +44,21 @@ import { } from "../utils/minio"; import { queryOrNot, whereDateQuery } from "../utils/relation"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "document_checker"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", + "data_entry", +]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); From 68025aad08ff9310b4ecb3d1d6b168d6af918bf7 Mon Sep 17 00:00:00 2001 From: Methapon2001 <61303214+Methapon2001@users.noreply.github.com> Date: Thu, 3 Jul 2025 14:33:00 +0700 Subject: [PATCH 8/8] feat(perm): update api account related permission --- src/controllers/04-invoice-controller.ts | 19 ++++++++++++++----- src/controllers/05-payment-controller.ts | 15 ++++++++++++--- src/controllers/05-quotation-controller.ts | 4 ++-- src/controllers/08-credit-note-controller.ts | 20 +++++++++----------- src/controllers/09-debit-note-controller.ts | 16 +++++++--------- 5 files changed, 44 insertions(+), 30 deletions(-) diff --git a/src/controllers/04-invoice-controller.ts b/src/controllers/04-invoice-controller.ts index fb3fdf0..ffac9d1 100644 --- a/src/controllers/04-invoice-controller.ts +++ b/src/controllers/04-invoice-controller.ts @@ -29,14 +29,23 @@ type InvoicePayload = { installmentNo: number[]; }; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } -const permissionCondCompany = createPermCondition((_) => true); +const permissionCondCompany = createPermCondition(globalAllow); const permissionCheck = createPermCheck(globalAllow); @Route("/api/v1/invoice") @@ -229,7 +238,7 @@ export class InvoiceController extends Controller { title: "ใบแจ้งหนี้ใหม่ / New Invoice", detail: "รหัส / code : " + record.code, registeredBranchId: record.registeredBranchId, - groupReceiver: { create: { name: "accountant" } }, + groupReceiver: { create: { name: "branch_accountant" } }, }, }); diff --git a/src/controllers/05-payment-controller.ts b/src/controllers/05-payment-controller.ts index 711e357..2c40446 100644 --- a/src/controllers/05-payment-controller.ts +++ b/src/controllers/05-payment-controller.ts @@ -26,11 +26,20 @@ import flowAccount from "../services/flowaccount"; import HttpError from "../interfaces/http-error"; import HttpStatus from "../interfaces/http-status"; -const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"]; +const MANAGE_ROLES = [ + "system", + "head_of_admin", + "admin", + "executive", + "accountant", + "branch_admin", + "branch_manager", + "branch_accountant", +]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } const permissionCondCompany = createPermCondition((_) => true); diff --git a/src/controllers/05-quotation-controller.ts b/src/controllers/05-quotation-controller.ts index 7d27e2e..80a0b95 100644 --- a/src/controllers/05-quotation-controller.ts +++ b/src/controllers/05-quotation-controller.ts @@ -150,14 +150,14 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", "accountant", + "branch_accountant", "head_of_sale", "sale", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; + const allowList = ["system", "head_of_admin", "accountant", "head_of_sale"]; return allowList.some((v) => user.roles?.includes(v)); } diff --git a/src/controllers/08-credit-note-controller.ts b/src/controllers/08-credit-note-controller.ts index 4a6f622..6da9954 100644 --- a/src/controllers/08-credit-note-controller.ts +++ b/src/controllers/08-credit-note-controller.ts @@ -42,22 +42,20 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", - "sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } -// NOTE: permission condition/check in requestWork -> requestData -> quotation -> registeredBranch const permissionCond = createPermCondition(globalAllow); -const permissionCondCompany = createPermCondition((_) => true); const permissionCheck = createPermCheck(globalAllow); -const permissionCheckCompany = createPermCheck((_) => true); type CreditNoteCreate = { requestWorkId: string[]; @@ -94,7 +92,7 @@ export class CreditNoteController extends Controller { request: { quotationId, quotation: { - registeredBranch: { OR: permissionCondCompany(req.user) }, + registeredBranch: { OR: permissionCond(req.user) }, }, }, }, @@ -200,7 +198,7 @@ export class CreditNoteController extends Controller { request: { quotationId, quotation: { - registeredBranch: { OR: permissionCondCompany(req.user) }, + registeredBranch: { OR: permissionCond(req.user) }, }, }, }, @@ -243,7 +241,7 @@ export class CreditNoteController extends Controller { some: { request: { quotation: { - registeredBranch: { OR: permissionCondCompany(req.user) }, + registeredBranch: { OR: permissionCond(req.user) }, }, }, }, diff --git a/src/controllers/09-debit-note-controller.ts b/src/controllers/09-debit-note-controller.ts index 9c247be..91457d2 100644 --- a/src/controllers/09-debit-note-controller.ts +++ b/src/controllers/09-debit-note-controller.ts @@ -44,22 +44,20 @@ const MANAGE_ROLES = [ "system", "head_of_admin", "admin", - "head_of_accountant", + "executive", "accountant", - "head_of_sale", - "sale", + "branch_admin", + "branch_manager", + "branch_accountant", ]; function globalAllow(user: RequestWithUser["user"]) { - const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"]; - return allowList.some((v) => user.roles?.includes(v)); + const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"]; + return user.roles?.some((v) => listAllowed.includes(v)) || false; } -// NOTE: permission condition/check in registeredBranch const permissionCond = createPermCondition(globalAllow); -const permissionCondCompany = createPermCondition((_) => true); const permissionCheck = createPermCheck(globalAllow); -const permissionCheckCompany = createPermCheck((_) => true); type DebitNoteCreate = { quotationId: string; @@ -605,7 +603,7 @@ export class DebitNoteController extends Controller { if (!record) throw notFoundError("Debit Note"); - await permissionCheckCompany(req.user, record.registeredBranch); + await permissionCheck(req.user, record.registeredBranch); const { productServiceList: _productServiceList, ...rest } = body; const ids = {