From e911695f3adaafc7a8cef58ee91e055a92e2ccc3 Mon Sep 17 00:00:00 2001
From: Methapon Metanipat
Date: Fri, 30 Aug 2024 10:20:51 +0700
Subject: [PATCH] change: make user can view only user within branch
---
 src/controllers/user-controller.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index c663a02..492bb2c 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -196,6 +196,7 @@ export class UserController extends Controller {
 @Get()
 @Security("keycloak")
 async getUser(
+ @Request() req: RequestWithUser,
 @Query() userType?: UserType,
 @Query() zipCode?: string,
 @Query() includeBranch: boolean = false,
@@ -223,6 +224,11 @@ export class UserController extends Controller {
 ],
 AND: {
 userRole: { not: "system" },
+ branch: !["system", "head_of_admin", "admin", "branch_admin"].some((v) =>
+ req.user.roles?.includes(v),
+ )
+ ? { some: { userId: req.user.sub } }
+ : undefined,
 },
 } satisfies Prisma.UserWhereInput;
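Review bot: The added `branch` condition in the second hunk exempts `branch_admin` from scoping altogether, so a branch administrator still lists users of every branch, which looks wider than the commit title intends; if that role should be limited to its own branches, drop it from the exempt list. The filter itself, `{ some: { userId: req.user.sub } }`, should be checked against the schema: if `branch` is the listed user's own membership relation, it can only match rows belonging to the caller, so the result is the caller alone, and a same-branch filter would have to go through the branch, something like `branch: { some: { branch: { user: { some: { userId: req.user.sub } } } } }` (relation names assumed, the schema is not visible here). The restriction covers only this list query; the rest of `getUser` and the other handlers lie outside the hunk, so whether lookups by id apply the same scope cannot be confirmed from this patch. Moving the role list into one shared constant or helper would keep those checks consistent across endpoints.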