Disable manager scoping for debug

Ruslan Bakiev
2026-04-04 10:52:00 +07:00
parent 60e0ac630d
commit 4281afd7e8
2 changed files with 11 additions and 120 deletions


@@ -1,5 +1,4 @@
export const MANAGER_ROLES = ['MANAGER', 'SUPER_MANAGER']; export const MANAGER_ROLES = ['MANAGER', 'SUPER_MANAGER'];
const NO_CLIENT_IDS = ['__no_managed_clients__'];
export function isSuperManager(user) { export function isSuperManager(user) {
return user?.role === 'SUPER_MANAGER'; return user?.role === 'SUPER_MANAGER';
@@ -9,91 +8,10 @@ export function isManagerRole(role) {
return MANAGER_ROLES.includes(role); return MANAGER_ROLES.includes(role);
} }
function normalizeManagedClientIds(clientIds) {
if (clientIds == null) {
return null;
}
return clientIds.length ? clientIds : NO_CLIENT_IDS;
}
export async function getManagedClientIds(prisma, manager) {
if (isSuperManager(manager)) {
return null;
}
const [managedOrders, acceptedInvitations, reviewedRequests, reviewedWithdrawals] = await Promise.all([
prisma.order.findMany({
where: { managerId: manager.id },
select: { customerId: true },
}),
prisma.invitation.findMany({
where: {
managerId: manager.id,
acceptedById: { not: null },
},
select: { acceptedById: true },
}),
prisma.registrationRequest.findMany({
where: {
reviewedById: manager.id,
requesterId: { not: null },
},
select: { requesterId: true },
}),
prisma.rewardWithdrawalRequest.findMany({
where: { reviewedById: manager.id },
select: { requesterId: true },
}),
]);
const clientIds = new Set();
for (const order of managedOrders) {
if (order.customerId) {
clientIds.add(order.customerId);
}
}
for (const invitation of acceptedInvitations) {
if (invitation.acceptedById) {
clientIds.add(invitation.acceptedById);
}
}
for (const request of reviewedRequests) {
if (request.requesterId) {
clientIds.add(request.requesterId);
}
}
for (const withdrawal of reviewedWithdrawals) {
if (withdrawal.requesterId) {
clientIds.add(withdrawal.requesterId);
}
}
return [...clientIds];
}
export async function getManagedClientUserWhere(prisma, manager) { export async function getManagedClientUserWhere(prisma, manager) {
const managedClientIds = normalizeManagedClientIds(await getManagedClientIds(prisma, manager)); return {};
if (managedClientIds == null) {
return { role: 'CLIENT' };
}
return {
role: 'CLIENT',
id: { in: managedClientIds },
};
} }
export async function canManagerAccessUser(prisma, manager, userId) { export async function canManagerAccessUser(prisma, manager, userId) {
if (isSuperManager(manager) || userId === manager.id) { return isManagerRole(manager?.role);
return true;
}
const managedClientIds = await getManagedClientIds(prisma, manager);
return managedClientIds.includes(userId);
} }
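Review bot: `getManagedClientUserWhere` now returns `{}` at the line `return {};`, which drops the `role: 'CLIENT'` filter along with the per-manager id filter, so any caller listing "managed clients" will now match users of every role, including other managers and super managers; only the per-manager scoping is what the commit title says it disables, so `return { role: 'CLIENT' };` keeps the query's meaning. `canManagerAccessUser` likewise collapses to `isManagerRole(manager?.role)`, so any MANAGER passes for any userId and the `prisma` and `userId` parameters are now unused. Because this is a debug change, a comment such as `// DEBUG: per-manager scoping disabled; restore the getManagedClientIds-based check before release` on both functions would make the temporary state visible to the next reader. Gating the bypass behind an explicit configuration flag (name to be chosen) instead of deleting `getManagedClientIds` would also avoid having to re-derive the four-query scoping later.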


@@ -13,7 +13,6 @@ import {
canManagerAccessUser, canManagerAccessUser,
getManagedClientUserWhere, getManagedClientUserWhere,
isManagerRole, isManagerRole,
isSuperManager,
} from './access.js'; } from './access.js';
import { sendLoginCodeEmail } from './mailer.js'; import { sendLoginCodeEmail } from './mailer.js';
import { dispatchToUserConnections, sendMessengerMessage } from './messenger.js'; import { dispatchToUserConnections, sendMessengerMessage } from './messenger.js';
@@ -51,18 +50,10 @@ async function assertManagerCanAccessUser(prisma, manager, userId) {
} }
} }
function assertManagerCanAccessOrder(order, manager) { function assertManagerCanAccessOrder(order) {
if (!order) { if (!order) {
throw new Error('Order was not found.'); throw new Error('Order was not found.');
} }
if (isSuperManager(manager)) {
return;
}
if (order.managerId && order.managerId !== manager.id) {
throw new Error('Order is assigned to another manager.');
}
} }
async function appendOrderEvent(prisma, orderId, status, actorUserId, note = null) { async function appendOrderEvent(prisma, orderId, status, actorUserId, note = null) {
@@ -551,15 +542,11 @@ export const resolvers = {
}, },
managerOrders: async (_, { status, customerId }, context) => { managerOrders: async (_, { status, customerId }, context) => {
const manager = requireManagerAccess(context); requireManagerAccess(context);
const normalizedCustomerId = normalizeOptionalText(customerId); const normalizedCustomerId = normalizeOptionalText(customerId);
if (normalizedCustomerId) {
await assertManagerCanAccessUser(context.prisma, manager, normalizedCustomerId);
}
return context.prisma.order.findMany({ return context.prisma.order.findMany({
where: { where: {
...(isSuperManager(manager) ? {} : { managerId: manager.id }),
...(normalizedCustomerId ? { customerId: normalizedCustomerId } : {}), ...(normalizedCustomerId ? { customerId: normalizedCustomerId } : {}),
...(status ? { status } : {}), ...(status ? { status } : {}),
}, },
@@ -680,19 +667,9 @@ export const resolvers = {
}, },
registrationRequests: (_, { status }, context) => { registrationRequests: (_, { status }, context) => {
const manager = requireManagerAccess(context); requireManagerAccess(context);
return context.prisma.registrationRequest.findMany({ return context.prisma.registrationRequest.findMany({
where: { where: status ? { status } : undefined,
...(status ? { status } : {}),
...(isSuperManager(manager)
? {}
: {
OR: [
{ reviewedById: manager.id },
{ reviewedById: null },
],
}),
},
orderBy: { createdAt: 'desc' }, orderBy: { createdAt: 'desc' },
}); });
}, },
@@ -882,10 +859,6 @@ export const resolvers = {
throw new Error('Registration request was not found.'); throw new Error('Registration request was not found.');
} }
if (!isSuperManager(manager) && request.reviewedById && request.reviewedById !== manager.id) {
throw new Error('Registration request is assigned to another manager.');
}
return context.prisma.registrationRequest.update({ return context.prisma.registrationRequest.update({
where: { id: input.requestId }, where: { id: input.requestId },
data: { data: {
@@ -1393,7 +1366,7 @@ export const resolvers = {
const existingOrder = await context.prisma.order.findUnique({ const existingOrder = await context.prisma.order.findUnique({
where: { id: input.orderId }, where: { id: input.orderId },
}); });
assertManagerCanAccessOrder(existingOrder, manager); assertManagerCanAccessOrder(existingOrder);
const order = await context.prisma.order.update({ const order = await context.prisma.order.update({
where: { id: input.orderId }, where: { id: input.orderId },
@@ -1460,7 +1433,7 @@ export const resolvers = {
managerFinalizeOrder: async (_, { orderId, decision }, context) => { managerFinalizeOrder: async (_, { orderId, decision }, context) => {
const manager = requireManagerAccess(context); const manager = requireManagerAccess(context);
const order = await context.prisma.order.findUnique({ where: { id: orderId } }); const order = await context.prisma.order.findUnique({ where: { id: orderId } });
assertManagerCanAccessOrder(order, manager); assertManagerCanAccessOrder(order);
const status = decision === 'REJECT' const status = decision === 'REJECT'
? 'MANAGER_REJECTED' ? 'MANAGER_REJECTED'
@@ -1502,7 +1475,7 @@ export const resolvers = {
const order = await context.prisma.order.findUnique({ const order = await context.prisma.order.findUnique({
where: { id: input.orderId }, where: { id: input.orderId },
}); });
assertManagerCanAccessOrder(order, manager); assertManagerCanAccessOrder(order);
const updated = await context.prisma.order.update({ const updated = await context.prisma.order.update({
where: { id: input.orderId }, where: { id: input.orderId },
@@ -1525,7 +1498,7 @@ export const resolvers = {
startOrderWork: async (_, { orderId }, context) => { startOrderWork: async (_, { orderId }, context) => {
const manager = requireManagerAccess(context); const manager = requireManagerAccess(context);
const order = await context.prisma.order.findUnique({ where: { id: orderId } }); const order = await context.prisma.order.findUnique({ where: { id: orderId } });
assertManagerCanAccessOrder(order, manager); assertManagerCanAccessOrder(order);
if (order.status !== 'CONFIRMED') { if (order.status !== 'CONFIRMED') {
throw new Error('Only confirmed order can be started.'); throw new Error('Only confirmed order can be started.');
} }
@@ -1550,7 +1523,7 @@ export const resolvers = {
completeOrder: async (_, { orderId }, context) => { completeOrder: async (_, { orderId }, context) => {
const manager = requireManagerAccess(context); const manager = requireManagerAccess(context);
const order = await context.prisma.order.findUnique({ where: { id: orderId } }); const order = await context.prisma.order.findUnique({ where: { id: orderId } });
assertManagerCanAccessOrder(order, manager); assertManagerCanAccessOrder(order);
if (order.status !== 'IN_PROGRESS') { if (order.status !== 'IN_PROGRESS') {
throw new Error('Only in-progress order can be completed.'); throw new Error('Only in-progress order can be completed.');
} }
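Review bot: `assertManagerCanAccessOrder(order)` keeps its name but now only checks that the order exists, so the call sites in the managerFinalizeOrder, startOrderWork and completeOrder hunks still read as an ownership check that no longer happens; either rename it (e.g. `assertOrderExists`) or add `// DEBUG: manager ownership check disabled, existence check only` above the function, whose definition sits entirely inside its hunk. The same unconditional widening applies to the managerOrders and registrationRequests queries and to the registration-request update hunk, where a MANAGER can now act on a request whose `reviewedById` is another manager, with no flag or TODO marking it as temporary. In the managerFinalizeOrder, startOrderWork and completeOrder hunks `const manager = requireManagerAccess(context);` is retained although `manager` is no longer passed to the assert; if it is otherwise unused in those resolvers (their bodies continue outside the hunks) it should become a bare `requireManagerAccess(context);` as was done in managerOrders. As a point of style, registrationRequests now uses `where: status ? { status } : undefined` while managerOrders keeps the spread-object form for the same kind of optional filter; picking one form for both would keep the resolvers consistent.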