diff --git a/src/access.js b/src/access.js index 2c82d90..39590c2 100644 --- a/src/access.js +++ b/src/access.js @@ -1,5 +1,4 @@ export const MANAGER_ROLES = ['MANAGER', 'SUPER_MANAGER']; -const NO_CLIENT_IDS = ['__no_managed_clients__']; export function isSuperManager(user) { return user?.role === 'SUPER_MANAGER'; 
@@ -9,91 +8,10 @@ export function isManagerRole(role) { return MANAGER_ROLES.includes(role); } -function normalizeManagedClientIds(clientIds) { - if (clientIds == null) { - return null; - } - - return clientIds.length ? clientIds : NO_CLIENT_IDS; -} - -export async function getManagedClientIds(prisma, manager) { - if (isSuperManager(manager)) { - return null; - } - - const [managedOrders, acceptedInvitations, reviewedRequests, reviewedWithdrawals] = await Promise.all([ - prisma.order.findMany({ - where: { managerId: manager.id }, - select: { customerId: true }, - }), - prisma.invitation.findMany({ - where: { - managerId: manager.id, - acceptedById: { not: null }, - }, - select: { acceptedById: true }, - }), - prisma.registrationRequest.findMany({ - where: { - reviewedById: manager.id, - requesterId: { not: null }, - }, - select: { requesterId: true }, - }), - prisma.rewardWithdrawalRequest.findMany({ - where: { reviewedById: manager.id }, - select: { requesterId: true }, - }), - ]); - - const clientIds = new Set(); - - for (const order of managedOrders) { - if (order.customerId) { - clientIds.add(order.customerId); - } - } - - for (const invitation of acceptedInvitations) { - if (invitation.acceptedById) { - clientIds.add(invitation.acceptedById); - } - } - - for (const request of reviewedRequests) { - if (request.requesterId) { - clientIds.add(request.requesterId); - } - } - - for (const withdrawal of reviewedWithdrawals) { - if (withdrawal.requesterId) { - clientIds.add(withdrawal.requesterId); - } - } - - return [...clientIds]; -} - export async function getManagedClientUserWhere(prisma, manager) { - const managedClientIds = normalizeManagedClientIds(await getManagedClientIds(prisma, manager)); - - if (managedClientIds == null) { - return { role: 'CLIENT' }; - } - - return { - role: 'CLIENT', - id: { in: managedClientIds }, - }; + return {}; } export async function canManagerAccessUser(prisma, manager, userId) { - if (isSuperManager(manager) || userId === 
manager.id) { - return true; - } - - const managedClientIds = await getManagedClientIds(prisma, manager); - return managedClientIds.includes(userId); + return isManagerRole(manager?.role); } diff --git a/src/resolvers.js b/src/resolvers.js index 52bd5af..0e26fdf 100644 --- a/src/resolvers.js +++ b/src/resolvers.js @@ -13,7 +13,6 @@ import { canManagerAccessUser, getManagedClientUserWhere, isManagerRole, - isSuperManager, } from './access.js'; import { sendLoginCodeEmail } from './mailer.js'; import { dispatchToUserConnections, sendMessengerMessage } from './messenger.js'; @@ -51,18 +50,10 @@ async function assertManagerCanAccessUser(prisma, manager, userId) { } } -function assertManagerCanAccessOrder(order, manager) { +function assertManagerCanAccessOrder(order) { if (!order) { throw new Error('Order was not found.'); } - - if (isSuperManager(manager)) { - return; - } - - if (order.managerId && order.managerId !== manager.id) { - throw new Error('Order is assigned to another manager.'); - } } async function appendOrderEvent(prisma, orderId, status, actorUserId, note = null) { @@ -551,15 +542,11 @@ export const resolvers = { }, managerOrders: async (_, { status, customerId }, context) => { - const manager = requireManagerAccess(context); + requireManagerAccess(context); const normalizedCustomerId = normalizeOptionalText(customerId); - if (normalizedCustomerId) { - await assertManagerCanAccessUser(context.prisma, manager, normalizedCustomerId); - } return context.prisma.order.findMany({ where: { - ...(isSuperManager(manager) ? {} : { managerId: manager.id }), ...(normalizedCustomerId ? { customerId: normalizedCustomerId } : {}), ...(status ? { status } : {}), }, 
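Review bot: `canManagerAccessUser` in src/access.js now returns `isManagerRole(manager?.role)` and never reads `userId`, so `assertManagerCanAccessUser` in resolvers.js passes for every target user, presumably including other manager accounts. `getManagedClientUserWhere` returning `{}` also drops the earlier `role: 'CLIENT'` constraint, so any caller that uses it as a user `where` would match all roles; the callers are outside this diff, so confirm. If opening every client to every manager is intended, keep the role filter with `return { role: 'CLIENT' };` and have `canManagerAccessUser` still verify that the target is a client or the manager's own id. Both functions keep their now-unused `prisma` and `userId` parameters, which hides that the check no longer depends on the target; a short comment stating the new policy would make that explicit.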
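Review bot: `assertManagerCanAccessOrder(order)` now checks only that the order exists, so the five mutations that call it (hunks at -1393, -1460, -1502, -1525 and -1550, among them `managerFinalizeOrder`, `startOrderWork` and `completeOrder`) let any manager change an order assigned to another manager. If that is the intended policy, rename the helper, for example to `assertOrderExists`, so the name does not suggest an authorization check that is no longer performed. Otherwise keep the ownership guard, `if (!isSuperManager(manager) && order.managerId && order.managerId !== manager.id) throw new Error('Order is assigned to another manager.');`, which also needs the `isSuperManager` import that the hunk at -13 removes. `manager` is still resolved at each call site, so passing it through requires no extra lookup.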
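Review bot: `managerOrders` no longer constrains `where` by `managerId` and no longer calls `assertManagerCanAccessUser` for `customerId`, so any account that passes `requireManagerAccess` can list every customer's orders. The same scoping is dropped from `registrationRequests` (hunk at -680) and from the check before `registrationRequest.update` (hunk at -882), where a second manager can now overwrite a request already reviewed by someone else. If flat manager access is deliberate, say so in a comment at each resolver and make sure the acting manager's id is recorded for these reads and updates so cross-manager access stays attributable. If it is not, keep `...(isSuperManager(manager) ? {} : { managerId: manager.id })` in the `where`. The `findMany` call continues past the end of this hunk.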
@@ -680,19 +667,9 @@ export const resolvers = { }, registrationRequests: (_, { status }, context) => { - const manager = requireManagerAccess(context); + requireManagerAccess(context); return context.prisma.registrationRequest.findMany({ - where: { - ...(status ? { status } : {}), - ...(isSuperManager(manager) - ? {} - : { - OR: [ - { reviewedById: manager.id }, - { reviewedById: null }, - ], - }), - }, + where: status ? { status } : undefined, orderBy: { createdAt: 'desc' }, }); }, @@ -882,10 +859,6 @@ export const resolvers = { throw new Error('Registration request was not found.'); } - if (!isSuperManager(manager) && request.reviewedById && request.reviewedById !== manager.id) { - throw new Error('Registration request is assigned to another manager.'); - } - return context.prisma.registrationRequest.update({ where: { id: input.requestId }, data: { @@ -1393,7 +1366,7 @@ export const resolvers = { const existingOrder = await context.prisma.order.findUnique({ where: { id: input.orderId }, }); - assertManagerCanAccessOrder(existingOrder, manager); + assertManagerCanAccessOrder(existingOrder); const order = await context.prisma.order.update({ where: { id: input.orderId }, @@ -1460,7 +1433,7 @@ export const resolvers = { managerFinalizeOrder: async (_, { orderId, decision }, context) => { const manager = requireManagerAccess(context); const order = await context.prisma.order.findUnique({ where: { id: orderId } }); - assertManagerCanAccessOrder(order, manager); + assertManagerCanAccessOrder(order); const status = decision === 'REJECT' ? 'MANAGER_REJECTED' @@ -1502,7 +1475,7 @@ export const resolvers = { const order = await context.prisma.order.findUnique({ where: { id: input.orderId }, }); - assertManagerCanAccessOrder(order, manager); + assertManagerCanAccessOrder(order); const updated = await context.prisma.order.update({ where: { id: input.orderId }, 
@@ -1525,7 +1498,7 @@ export const resolvers = { startOrderWork: async (_, { orderId }, context) => { const manager = requireManagerAccess(context); const order = await context.prisma.order.findUnique({ where: { id: orderId } }); - assertManagerCanAccessOrder(order, manager); + assertManagerCanAccessOrder(order); if (order.status !== 'CONFIRMED') { throw new Error('Only confirmed order can be started.'); } @@ -1550,7 +1523,7 @@ export const resolvers = { completeOrder: async (_, { orderId }, context) => { const manager = requireManagerAccess(context); const order = await context.prisma.order.findUnique({ where: { id: orderId } }); - assertManagerCanAccessOrder(order, manager); + assertManagerCanAccessOrder(order); if (order.status !== 'IN_PROGRESS') { throw new Error('Only in-progress order can be completed.'); }