Merge branch 'feat/permission' into develop

src/controllers/01-branch-controller.ts

@@ -47,16 +47,20 @@ if (!process.env.MINIO_BUCKET) {
   throw Error("Require MinIO bucket.");
 }
 
-const MANAGE_ROLES = ["system", "head_of_admin"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  return MANAGE_ROLES.some((v) => user.roles?.includes(v));
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-}
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
-
-function globalAllowView(user: RequestWithUser["user"]) {
-  return MANAGE_ROLES.concat("head_of_accountant", "head_of_sale").some((v) =>
-    user.roles?.includes(v),
-  );
 }
 
 type BranchCreate = {
@@ -147,7 +151,7 @@ type BranchUpdate = {
   }[];
 };
 
-const permissionCond = createPermCondition(globalAllowView);
+const permissionCond = createPermCondition(globalAllow);
 const permissionCheck = createPermCheck(globalAllow);
 
 @Route("api/v1/branch")

src/controllers/01-branch-user-controller.ts

@@ -20,10 +20,19 @@ import { RequestWithUser } from "../interfaces/user";
 import { branchRelationPermInclude, createPermCheck } from "../services/permission";
 import { queryOrNot, whereDateQuery } from "../utils/relation";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const listAllowed = ["system", "head_of_admin", "admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
   return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 

src/controllers/02-user-controller.ts

@@ -61,10 +61,17 @@ if (!process.env.MINIO_BUCKET) {
   throw Error("Require MinIO bucket.");
 }
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "branch_admin",
+  "branch_manager",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const listAllowed = ["system", "head_of_admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive"];
   return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 

src/controllers/03-customer-branch-citizen-controller.ts

@@ -23,15 +23,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type CustomerBranchCitizenPayload = {

src/controllers/03-customer-branch-controller.ts

@@ -47,15 +47,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/03-customer-controller.ts

@@ -42,15 +42,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/03-employee-checkup-controller.ts

@@ -23,14 +23,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeCheckupPayload = {

src/controllers/03-employee-controller.ts

@@ -51,14 +51,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCond = createPermCondition(globalAllow);

src/controllers/03-employee-other-info-controller.ts

@@ -23,14 +23,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeOtherInfoPayload = {

src/controllers/03-employee-passport-controller.ts

@@ -22,14 +22,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeePassportPayload = {

src/controllers/03-employee-visa-controller.ts

@@ -22,14 +22,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeVisaPayload = {

src/controllers/03-employee-work-controller.ts

@@ -22,14 +22,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 type EmployeeWorkPayload = {

src/controllers/04-flow-template-controller.ts

@@ -44,14 +44,30 @@ type WorkflowPayload = {
   status?: Status;
 };
 
-const permissionCondCompany = createPermCondition((_) => true);
+const MANAGE_ROLES = [
-const permissionCheckCompany = createPermCheck((_) => true);
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
+
+function globalAllow(user: RequestWithUser["user"]) {
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
+}
+
+const permissionCondCompany = createPermCondition(globalAllow);
+const permissionCheckCompany = createPermCheck(globalAllow);
 
 @Route("api/v1/workflow-template")
 @Tags("Workflow")
-@Security("keycloak")
 export class FlowTemplateController extends Controller {
   @Get()
+  @Security("keycloak")
   async getFlowTemplate(
     @Request() req: RequestWithUser,
     @Query() page: number = 1,
@@ -118,6 +134,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Get("{templateId}")
+  @Security("keycloak")
   async getFlowTemplateById(@Request() _req: RequestWithUser, @Path() templateId: string) {
     const record = await prisma.workflowTemplate.findFirst({
       include: {
@@ -150,6 +167,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Post()
+  @Security("keycloak", MANAGE_ROLES)
   async createFlowTemplate(@Request() req: RequestWithUser, @Body() body: WorkflowPayload) {
     const where = {
       OR: [
@@ -230,6 +248,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Put("{templateId}")
+  @Security("keycloak", MANAGE_ROLES)
   async updateFlowTemplate(
     @Request() req: RequestWithUser,
     @Path() templateId: string,
@@ -315,6 +334,7 @@ export class FlowTemplateController extends Controller {
   }
 
   @Delete("{templateId}")
+  @Security("keycloak", MANAGE_ROLES)
   async deleteFlowTemplateById(@Request() req: RequestWithUser, @Path() templateId: string) {
     const record = await prisma.workflowTemplate.findUnique({
       where: { id: templateId },

src/controllers/04-institution-controller.ts

@@ -95,6 +95,17 @@ type InstitutionUpdatePayload = {
   }[];
 };
 
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
+
 @Route("api/v1/institution")
 @Tags("Institution")
 export class InstitutionController extends Controller {
@@ -185,7 +196,7 @@ export class InstitutionController extends Controller {
   }
 
   @Post()
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("createInstitution")
   async createInstitution(
     @Body()
@@ -229,7 +240,7 @@ export class InstitutionController extends Controller {
   }
 
   @Put("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("updateInstitution")
   async updateInstitution(
     @Path() institutionId: string,
@@ -278,7 +289,7 @@ export class InstitutionController extends Controller {
   }
 
   @Delete("{institutionId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   @OperationId("deleteInstitution")
   async deleteInstitution(@Path() institutionId: string) {
     return await prisma.$transaction(async (tx) => {
@@ -350,7 +361,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -364,7 +375,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("image/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -394,7 +405,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putAttachment(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -405,7 +416,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("attachment/{name}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delAttachment(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -436,7 +447,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Put("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async putBankImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,
@@ -450,7 +461,7 @@ export class InstitutionFileController extends Controller {
   }
 
   @Delete("bank-qr/{bankId}")
-  @Security("keycloak")
+  @Security("keycloak", MANAGE_ROLES)
   async delBankImage(
     @Request() req: RequestWithUser,
     @Path() institutionId: string,

src/controllers/04-invoice-controller.ts

@@ -29,14 +29,23 @@ type InvoicePayload = {
   installmentNo: number[];
 };
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-const permissionCondCompany = createPermCondition((_) => true);
+const permissionCondCompany = createPermCondition(globalAllow);
 const permissionCheck = createPermCheck(globalAllow);
 
 @Route("/api/v1/invoice")
@@ -229,7 +238,7 @@ export class InvoiceController extends Controller {
           title: "ใบแจ้งหนี้ใหม่ / New Invoice",
           detail: "รหัส / code : " + record.code,
           registeredBranchId: record.registeredBranchId,
-          groupReceiver: { create: { name: "accountant" } },
+          groupReceiver: { create: { name: "branch_accountant" } },
         },
       });
 

src/controllers/04-product-controller.ts

@@ -35,14 +35,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/04-product-group-controller.ts

@@ -35,7 +35,7 @@ type ProductGroupCreate = {
   remark: string;
   status?: Status;
   shared?: boolean;
-  registeredBranchId: string;
+  registeredBranchId?: string;
 };
 
 type ProductGroupUpdate = {
@@ -51,14 +51,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCond = createPermCondition((_) => true);
@@ -157,7 +159,23 @@ export class ProductGroup extends Controller {
   @Post()
   @Security("keycloak", MANAGE_ROLES)
   async createProductGroup(@Request() req: RequestWithUser, @Body() body: ProductGroupCreate) {
-    let company = await permissionCheck(req.user, body.registeredBranchId).then(
+    const userAffiliatedBranch = await prisma.branch.findFirst({
+      include: branchRelationPermInclude(req.user),
+      where: body.registeredBranchId
+        ? { id: body.registeredBranchId }
+        : {
+            user: { some: { userId: req.user.sub } },
+          },
+    });
+    if (!userAffiliatedBranch) {
+      throw new HttpError(
+        HttpStatus.BAD_REQUEST,
+        "You must be affilated with at least one branch or specify branch to be registered (System permission required).",
+        "reqMinAffilatedBranch",
+      );
+    }
+
+    let company = await permissionCheck(req.user, userAffiliatedBranch).then(
       (v) => (v.headOffice || v).code,
     );
 
@@ -181,6 +199,7 @@ export class ProductGroup extends Controller {
           },
           data: {
             ...body,
+            registeredBranchId: userAffiliatedBranch.id,
             statusOrder: +(body.status === "INACTIVE"),
             code: `G${last.value.toString().padStart(2, "0")}`,
             createdByUserId: req.user.sub,

src/controllers/04-service-controller.ts

@@ -42,14 +42,16 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/05-payment-controller.ts

@@ -26,11 +26,20 @@ import flowAccount from "../services/flowaccount";
 import HttpError from "../interfaces/http-error";
 import HttpStatus from "../interfaces/http-status";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "head_of_accountant", "accountant"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/05-quotation-controller.ts

@@ -150,14 +150,14 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
   "accountant",
+  "branch_accountant",
   "head_of_sale",
   "sale",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const allowList = ["system", "head_of_admin", "accountant", "head_of_sale"];
   return allowList.some((v) => user.roles?.includes(v));
 }
 

src/controllers/07-task-controller.ts

@@ -44,11 +44,21 @@ import {
 } from "../utils/minio";
 import { queryOrNot, whereDateQuery } from "../utils/relation";
 
-const MANAGE_ROLES = ["system", "head_of_admin", "admin", "document_checker"];
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "executive",
+  "accountant",
+  "branch_admin",
+  "branch_manager",
+  "branch_accountant",
+  "data_entry",
+];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
 const permissionCondCompany = createPermCondition((_) => true);

src/controllers/08-credit-note-controller.ts

@@ -42,22 +42,20 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-// NOTE: permission condition/check in requestWork -> requestData -> quotation -> registeredBranch
 const permissionCond = createPermCondition(globalAllow);
-const permissionCondCompany = createPermCondition((_) => true);
 const permissionCheck = createPermCheck(globalAllow);
-const permissionCheckCompany = createPermCheck((_) => true);
 
 type CreditNoteCreate = {
   requestWorkId: string[];
@@ -94,7 +92,7 @@ export class CreditNoteController extends Controller {
           request: {
             quotationId,
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },
@@ -200,7 +198,7 @@ export class CreditNoteController extends Controller {
           request: {
             quotationId,
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },
@@ -243,7 +241,7 @@ export class CreditNoteController extends Controller {
         some: {
           request: {
             quotation: {
-              registeredBranch: { OR: permissionCondCompany(req.user) },
+              registeredBranch: { OR: permissionCond(req.user) },
             },
           },
         },

src/controllers/09-debit-note-controller.ts

@@ -44,22 +44,20 @@ const MANAGE_ROLES = [
   "system",
   "head_of_admin",
   "admin",
-  "head_of_accountant",
+  "executive",
   "accountant",
-  "head_of_sale",
+  "branch_admin",
-  "sale",
+  "branch_manager",
+  "branch_accountant",
 ];
 
 function globalAllow(user: RequestWithUser["user"]) {
-  const allowList = ["system", "head_of_admin", "head_of_accountant", "head_of_sale"];
+  const listAllowed = ["system", "head_of_admin", "admin", "executive", "accountant"];
-  return allowList.some((v) => user.roles?.includes(v));
+  return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
-// NOTE: permission condition/check in registeredBranch
 const permissionCond = createPermCondition(globalAllow);
-const permissionCondCompany = createPermCondition((_) => true);
 const permissionCheck = createPermCheck(globalAllow);
-const permissionCheckCompany = createPermCheck((_) => true);
 
 type DebitNoteCreate = {
   quotationId: string;
@@ -605,7 +603,7 @@ export class DebitNoteController extends Controller {
 
     if (!record) throw notFoundError("Debit Note");
 
-    await permissionCheckCompany(req.user, record.registeredBranch);
+    await permissionCheck(req.user, record.registeredBranch);
 
     const { productServiceList: _productServiceList, ...rest } = body;
     const ids = {