perbaikan batas akses pengelola rumah ibadab sesuai dengan yang dipilih

This commit is contained in:
2026-06-03 10:28:15 +07:00
parent 435b714d86
commit 8393e05f96
9 changed files with 336 additions and 49 deletions
+115 -21
View File
@@ -1,5 +1,5 @@
import { z } from "zod";
import { createRouter, publicQuery } from "./middleware";
import { createRouter, authedQuery } from "./middleware";
import {
findAllRecipients,
findRecipientById,
@@ -10,6 +10,8 @@ import {
deleteRecipient,
} from "./queries/recipients";
import { createActivityLog } from "./queries/activityLogs";
import { findPlaceIdsByManagerId } from "./queries/placesOfWorship";
import { TRPCError } from "@trpc/server";
async function logActivitySafe(payload: Parameters<typeof createActivityLog>[0]) {
try {
@@ -20,7 +22,7 @@ async function logActivitySafe(payload: Parameters<typeof createActivityLog>[0])
}
export const recipientRouter = createRouter({
list: publicQuery
list: authedQuery
.input(
z.object({
search: z.string().optional(),
@@ -28,23 +30,66 @@ export const recipientRouter = createRouter({
placeOfWorshipId: z.number().optional(),
}).optional()
)
.query(async ({ input }) => {
return findAllRecipients(input?.search, input?.status, input?.placeOfWorshipId);
.query(async ({ input, ctx }) => {
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (placeIds.length === 0) return [];
if (input?.placeOfWorshipId) {
if (!placeIds.includes(input.placeOfWorshipId)) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda tidak berwenang mengakses data rumah ibadah ini.",
});
}
return findAllRecipients(input?.search, input?.status, [input.placeOfWorshipId]);
}
return findAllRecipients(input?.search, input?.status, placeIds);
}
return findAllRecipients(
input?.search,
input?.status,
input?.placeOfWorshipId ? [input.placeOfWorshipId] : undefined
);
}),
pending: publicQuery
pending: authedQuery
.input(z.object({ placeOfWorshipId: z.number().optional() }).optional())
.query(async ({ input }) => {
return findPendingRecipients(input?.placeOfWorshipId);
.query(async ({ input, ctx }) => {
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (placeIds.length === 0) return [];
if (input?.placeOfWorshipId) {
if (!placeIds.includes(input.placeOfWorshipId)) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda tidak berwenang mengakses data rumah ibadah ini.",
});
}
return findPendingRecipients([input.placeOfWorshipId]);
}
return findPendingRecipients(placeIds);
}
return findPendingRecipients(input?.placeOfWorshipId ? [input.placeOfWorshipId] : undefined);
}),
byId: publicQuery
byId: authedQuery
.input(z.object({ id: z.number() }))
.query(async ({ input }) => {
return findRecipientById(input.id);
.query(async ({ input, ctx }) => {
const recipient = await findRecipientById(input.id);
if (!recipient) return null;
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (!placeIds.includes(recipient.placeOfWorshipId)) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda tidak berwenang mengakses data penerima ini.",
});
}
}
return recipient;
}),
create: publicQuery
create: authedQuery
.input(
z.object({
nik: z.string().length(16),
@@ -65,7 +110,17 @@ export const recipientRouter = createRouter({
sktmDocument: z.string().optional(),
})
)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (!placeIds.includes(input.placeOfWorshipId)) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda hanya berwenang mendaftarkan penerima untuk rumah ibadah yang Anda kelola.",
});
}
}
const created = await createRecipient({
...input,
latitude: input.latitude?.toString() ?? null,
@@ -84,7 +139,7 @@ export const recipientRouter = createRouter({
if (created) {
await logActivitySafe({
userId: input.registeredBy ?? null,
userId: ctx.user.id,
action: "CREATE",
entityType: "recipient",
entityId: created.id,
@@ -95,7 +150,7 @@ export const recipientRouter = createRouter({
return created;
}),
update: publicQuery
update: authedQuery
.input(
z.object({
id: z.number(),
@@ -116,9 +171,26 @@ export const recipientRouter = createRouter({
sktmDocument: z.string().optional(),
})
)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const { id, ...data } = input;
const beforeUpdate = await findRecipientById(id);
if (!beforeUpdate) {
throw new TRPCError({ code: "NOT_FOUND", message: "Penerima tidak ditemukan." });
}
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (
!placeIds.includes(beforeUpdate.placeOfWorshipId) ||
(input.placeOfWorshipId && !placeIds.includes(input.placeOfWorshipId))
) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda tidak berwenang mengubah data penerima ini.",
});
}
}
const updateData: Record<string, unknown> = { ...data };
if (data.latitude !== undefined) updateData.latitude = data.latitude.toString();
if (data.longitude !== undefined) updateData.longitude = data.longitude.toString();
@@ -126,7 +198,7 @@ export const recipientRouter = createRouter({
if (updated) {
await logActivitySafe({
userId: beforeUpdate?.registeredBy ?? null,
userId: ctx.user.id,
action: "UPDATE",
entityType: "recipient",
entityId: updated.id,
@@ -137,7 +209,7 @@ export const recipientRouter = createRouter({
return updated;
}),
verify: publicQuery
verify: authedQuery
.input(
z.object({
id: z.number(),
@@ -146,7 +218,15 @@ export const recipientRouter = createRouter({
rejectionReason: z.string().optional(),
})
)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
// Verify is only allowed for Admin and Officer
if (ctx.user.role !== "admin" && ctx.user.role !== "officer") {
throw new TRPCError({
code: "FORBIDDEN",
message: "Hanya petugas verifikasi atau administrator yang dapat memverifikasi kelayakan.",
});
}
const verified = await verifyRecipient(input.id, input.status, input.verifiedBy, input.rejectionReason);
if (verified) {
const statusText = input.status === "active" ? "Diterima" : "Ditolak";
@@ -161,15 +241,29 @@ export const recipientRouter = createRouter({
return verified;
}),
delete: publicQuery
delete: authedQuery
.input(z.object({ id: z.number() }))
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const target = await findRecipientById(input.id);
if (!target) {
throw new TRPCError({ code: "NOT_FOUND", message: "Penerima tidak ditemukan." });
}
if (ctx.user.role === "manager") {
const placeIds = await findPlaceIdsByManagerId(ctx.user.id);
if (!placeIds.includes(target.placeOfWorshipId)) {
throw new TRPCError({
code: "FORBIDDEN",
message: "Anda tidak berwenang menghapus data penerima ini.",
});
}
}
await deleteRecipient(input.id);
if (target) {
await logActivitySafe({
userId: target.registeredBy ?? null,
userId: ctx.user.id,
action: "DELETE",
entityType: "recipient",
entityId: target.id,