perbaikan batas akses pengelola rumah ibadab sesuai dengan yang dipilih
This commit is contained in:
+115
-21
@@ -1,5 +1,5 @@
|
||||
import { z } from "zod";
|
||||
import { createRouter, publicQuery } from "./middleware";
|
||||
import { createRouter, authedQuery } from "./middleware";
|
||||
import {
|
||||
findAllRecipients,
|
||||
findRecipientById,
|
||||
@@ -10,6 +10,8 @@ import {
|
||||
deleteRecipient,
|
||||
} from "./queries/recipients";
|
||||
import { createActivityLog } from "./queries/activityLogs";
|
||||
import { findPlaceIdsByManagerId } from "./queries/placesOfWorship";
|
||||
import { TRPCError } from "@trpc/server";
|
||||
|
||||
async function logActivitySafe(payload: Parameters<typeof createActivityLog>[0]) {
|
||||
try {
|
||||
@@ -20,7 +22,7 @@ async function logActivitySafe(payload: Parameters<typeof createActivityLog>[0])
|
||||
}
|
||||
|
||||
export const recipientRouter = createRouter({
|
||||
list: publicQuery
|
||||
list: authedQuery
|
||||
.input(
|
||||
z.object({
|
||||
search: z.string().optional(),
|
||||
@@ -28,23 +30,66 @@ export const recipientRouter = createRouter({
|
||||
placeOfWorshipId: z.number().optional(),
|
||||
}).optional()
|
||||
)
|
||||
.query(async ({ input }) => {
|
||||
return findAllRecipients(input?.search, input?.status, input?.placeOfWorshipId);
|
||||
.query(async ({ input, ctx }) => {
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (placeIds.length === 0) return [];
|
||||
if (input?.placeOfWorshipId) {
|
||||
if (!placeIds.includes(input.placeOfWorshipId)) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda tidak berwenang mengakses data rumah ibadah ini.",
|
||||
});
|
||||
}
|
||||
return findAllRecipients(input?.search, input?.status, [input.placeOfWorshipId]);
|
||||
}
|
||||
return findAllRecipients(input?.search, input?.status, placeIds);
|
||||
}
|
||||
return findAllRecipients(
|
||||
input?.search,
|
||||
input?.status,
|
||||
input?.placeOfWorshipId ? [input.placeOfWorshipId] : undefined
|
||||
);
|
||||
}),
|
||||
|
||||
pending: publicQuery
|
||||
pending: authedQuery
|
||||
.input(z.object({ placeOfWorshipId: z.number().optional() }).optional())
|
||||
.query(async ({ input }) => {
|
||||
return findPendingRecipients(input?.placeOfWorshipId);
|
||||
.query(async ({ input, ctx }) => {
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (placeIds.length === 0) return [];
|
||||
if (input?.placeOfWorshipId) {
|
||||
if (!placeIds.includes(input.placeOfWorshipId)) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda tidak berwenang mengakses data rumah ibadah ini.",
|
||||
});
|
||||
}
|
||||
return findPendingRecipients([input.placeOfWorshipId]);
|
||||
}
|
||||
return findPendingRecipients(placeIds);
|
||||
}
|
||||
return findPendingRecipients(input?.placeOfWorshipId ? [input.placeOfWorshipId] : undefined);
|
||||
}),
|
||||
|
||||
byId: publicQuery
|
||||
byId: authedQuery
|
||||
.input(z.object({ id: z.number() }))
|
||||
.query(async ({ input }) => {
|
||||
return findRecipientById(input.id);
|
||||
.query(async ({ input, ctx }) => {
|
||||
const recipient = await findRecipientById(input.id);
|
||||
if (!recipient) return null;
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (!placeIds.includes(recipient.placeOfWorshipId)) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda tidak berwenang mengakses data penerima ini.",
|
||||
});
|
||||
}
|
||||
}
|
||||
return recipient;
|
||||
}),
|
||||
|
||||
create: publicQuery
|
||||
create: authedQuery
|
||||
.input(
|
||||
z.object({
|
||||
nik: z.string().length(16),
|
||||
@@ -65,7 +110,17 @@ export const recipientRouter = createRouter({
|
||||
sktmDocument: z.string().optional(),
|
||||
})
|
||||
)
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (!placeIds.includes(input.placeOfWorshipId)) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda hanya berwenang mendaftarkan penerima untuk rumah ibadah yang Anda kelola.",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const created = await createRecipient({
|
||||
...input,
|
||||
latitude: input.latitude?.toString() ?? null,
|
||||
@@ -84,7 +139,7 @@ export const recipientRouter = createRouter({
|
||||
|
||||
if (created) {
|
||||
await logActivitySafe({
|
||||
userId: input.registeredBy ?? null,
|
||||
userId: ctx.user.id,
|
||||
action: "CREATE",
|
||||
entityType: "recipient",
|
||||
entityId: created.id,
|
||||
@@ -95,7 +150,7 @@ export const recipientRouter = createRouter({
|
||||
return created;
|
||||
}),
|
||||
|
||||
update: publicQuery
|
||||
update: authedQuery
|
||||
.input(
|
||||
z.object({
|
||||
id: z.number(),
|
||||
@@ -116,9 +171,26 @@ export const recipientRouter = createRouter({
|
||||
sktmDocument: z.string().optional(),
|
||||
})
|
||||
)
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
const { id, ...data } = input;
|
||||
const beforeUpdate = await findRecipientById(id);
|
||||
if (!beforeUpdate) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Penerima tidak ditemukan." });
|
||||
}
|
||||
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (
|
||||
!placeIds.includes(beforeUpdate.placeOfWorshipId) ||
|
||||
(input.placeOfWorshipId && !placeIds.includes(input.placeOfWorshipId))
|
||||
) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda tidak berwenang mengubah data penerima ini.",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const updateData: Record<string, unknown> = { ...data };
|
||||
if (data.latitude !== undefined) updateData.latitude = data.latitude.toString();
|
||||
if (data.longitude !== undefined) updateData.longitude = data.longitude.toString();
|
||||
@@ -126,7 +198,7 @@ export const recipientRouter = createRouter({
|
||||
|
||||
if (updated) {
|
||||
await logActivitySafe({
|
||||
userId: beforeUpdate?.registeredBy ?? null,
|
||||
userId: ctx.user.id,
|
||||
action: "UPDATE",
|
||||
entityType: "recipient",
|
||||
entityId: updated.id,
|
||||
@@ -137,7 +209,7 @@ export const recipientRouter = createRouter({
|
||||
return updated;
|
||||
}),
|
||||
|
||||
verify: publicQuery
|
||||
verify: authedQuery
|
||||
.input(
|
||||
z.object({
|
||||
id: z.number(),
|
||||
@@ -146,7 +218,15 @@ export const recipientRouter = createRouter({
|
||||
rejectionReason: z.string().optional(),
|
||||
})
|
||||
)
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
// Verify is only allowed for Admin and Officer
|
||||
if (ctx.user.role !== "admin" && ctx.user.role !== "officer") {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Hanya petugas verifikasi atau administrator yang dapat memverifikasi kelayakan.",
|
||||
});
|
||||
}
|
||||
|
||||
const verified = await verifyRecipient(input.id, input.status, input.verifiedBy, input.rejectionReason);
|
||||
if (verified) {
|
||||
const statusText = input.status === "active" ? "Diterima" : "Ditolak";
|
||||
@@ -161,15 +241,29 @@ export const recipientRouter = createRouter({
|
||||
return verified;
|
||||
}),
|
||||
|
||||
delete: publicQuery
|
||||
delete: authedQuery
|
||||
.input(z.object({ id: z.number() }))
|
||||
.mutation(async ({ input }) => {
|
||||
.mutation(async ({ input, ctx }) => {
|
||||
const target = await findRecipientById(input.id);
|
||||
if (!target) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Penerima tidak ditemukan." });
|
||||
}
|
||||
|
||||
if (ctx.user.role === "manager") {
|
||||
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
|
||||
if (!placeIds.includes(target.placeOfWorshipId)) {
|
||||
throw new TRPCError({
|
||||
code: "FORBIDDEN",
|
||||
message: "Anda tidak berwenang menghapus data penerima ini.",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
await deleteRecipient(input.id);
|
||||
|
||||
if (target) {
|
||||
await logActivitySafe({
|
||||
userId: target.registeredBy ?? null,
|
||||
userId: ctx.user.id,
|
||||
action: "DELETE",
|
||||
entityType: "recipient",
|
||||
entityId: target.id,
|
||||
|
||||
Reference in New Issue
Block a user