fix(api/orders): refine permission checks for order access based on client and master roles

vchikalkin 2025-07-03 17:23:36 +03:00
parent c8bf3d9358
commit 339fff1879


@ -1,3 +1,4 @@
/* eslint-disable sonarjs/cognitive-complexity */
/* eslint-disable canonical/id-match */
import { getClientWithToken } from '../apollo/client';
import * as GQL from '../types';
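Review bot: The file-wide `/* eslint-disable sonarjs/cognitive-complexity */` at the top of this hunk (the hunk grows from 3 to 4 lines, so one of the two disable directives is new; I infer it is this one) silences the complexity rule for the whole service rather than the one method whose permission branching this commit expands. Suppressing that rule on a module that decides who may read or modify an order is the opposite of what a reviewer wants there: the permission logic is exactly the code that should stay small enough to lint. Prefer scoping the suppression to the single method with `// eslint-disable-next-line sonarjs/cognitive-complexity` directly above it, or better, move the client/master permission checks into a named helper that returns a boolean so the rule no longer fires at all.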
@ -141,13 +142,21 @@ export class OrdersService extends BaseService {
if (!order) throw new Error(ERRORS.MISSING_ORDER);
const isMaster = isCustomerMaster(customer);
const isOrderClient = order.client?.documentId === customer.documentId;
const isOrderMaster = order.slot?.master?.documentId === customer.documentId;
const hasPermission =
(isMaster && order.slot?.master?.documentId === customer.documentId) ||
(!isMaster && order.client?.documentId === customer.documentId);
if (!isOrderClient && !isOrderMaster) throw new Error(ERRORS.NO_PERMISSION);
if (!hasPermission) throw new Error(ERRORS.NO_PERMISSION);
if (isOrderClient && Object.keys(variables.data).length > 1)
throw new Error(ERRORS.NO_PERMISSION);
if (
isOrderClient &&
variables.data.state &&
variables.data.state !== GQL.Enum_Order_State.Cancelling
) {
throw new Error(ERRORS.NO_PERMISSION);
}
const { mutate } = await getClientWithToken();