Disable manager scoping for debug

src/access.js

@@ -1,5 +1,4 @@
 export const MANAGER_ROLES = ['MANAGER', 'SUPER_MANAGER'];
-const NO_CLIENT_IDS = ['__no_managed_clients__'];
 
 export function isSuperManager(user) {
   return user?.role === 'SUPER_MANAGER';
@@ -9,91 +8,10 @@ export function isManagerRole(role) {
   return MANAGER_ROLES.includes(role);
 }
 
-function normalizeManagedClientIds(clientIds) {
-  if (clientIds == null) {
-    return null;
-  }
-
-  return clientIds.length ? clientIds : NO_CLIENT_IDS;
-}
-
-export async function getManagedClientIds(prisma, manager) {
-  if (isSuperManager(manager)) {
-    return null;
-  }
-
-  const [managedOrders, acceptedInvitations, reviewedRequests, reviewedWithdrawals] = await Promise.all([
-    prisma.order.findMany({
-      where: { managerId: manager.id },
-      select: { customerId: true },
-    }),
-    prisma.invitation.findMany({
-      where: {
-        managerId: manager.id,
-        acceptedById: { not: null },
-      },
-      select: { acceptedById: true },
-    }),
-    prisma.registrationRequest.findMany({
-      where: {
-        reviewedById: manager.id,
-        requesterId: { not: null },
-      },
-      select: { requesterId: true },
-    }),
-    prisma.rewardWithdrawalRequest.findMany({
-      where: { reviewedById: manager.id },
-      select: { requesterId: true },
-    }),
-  ]);
-
-  const clientIds = new Set();
-
-  for (const order of managedOrders) {
-    if (order.customerId) {
-      clientIds.add(order.customerId);
-    }
-  }
-
-  for (const invitation of acceptedInvitations) {
-    if (invitation.acceptedById) {
-      clientIds.add(invitation.acceptedById);
-    }
-  }
-
-  for (const request of reviewedRequests) {
-    if (request.requesterId) {
-      clientIds.add(request.requesterId);
-    }
-  }
-
-  for (const withdrawal of reviewedWithdrawals) {
-    if (withdrawal.requesterId) {
-      clientIds.add(withdrawal.requesterId);
-    }
-  }
-
-  return [...clientIds];
-}
-
 export async function getManagedClientUserWhere(prisma, manager) {
-  const managedClientIds = normalizeManagedClientIds(await getManagedClientIds(prisma, manager));
+  return {};
-
-  if (managedClientIds == null) {
-    return { role: 'CLIENT' };
-  }
-
-  return {
-    role: 'CLIENT',
-    id: { in: managedClientIds },
-  };
 }
 
 export async function canManagerAccessUser(prisma, manager, userId) {
-  if (isSuperManager(manager) || userId === manager.id) {
+  return isManagerRole(manager?.role);
-    return true;
-  }
-
-  const managedClientIds = await getManagedClientIds(prisma, manager);
-  return managedClientIds.includes(userId);
 }

src/resolvers.js

@@ -13,7 +13,6 @@ import {
   canManagerAccessUser,
   getManagedClientUserWhere,
   isManagerRole,
-  isSuperManager,
 } from './access.js';
 import { sendLoginCodeEmail } from './mailer.js';
 import { dispatchToUserConnections, sendMessengerMessage } from './messenger.js';
@@ -51,18 +50,10 @@ async function assertManagerCanAccessUser(prisma, manager, userId) {
   }
 }
 
-function assertManagerCanAccessOrder(order, manager) {
+function assertManagerCanAccessOrder(order) {
   if (!order) {
     throw new Error('Order was not found.');
   }
-
-  if (isSuperManager(manager)) {
-    return;
-  }
-
-  if (order.managerId && order.managerId !== manager.id) {
-    throw new Error('Order is assigned to another manager.');
-  }
 }
 
 async function appendOrderEvent(prisma, orderId, status, actorUserId, note = null) {
@@ -551,15 +542,11 @@ export const resolvers = {
     },
 
     managerOrders: async (_, { status, customerId }, context) => {
-      const manager = requireManagerAccess(context);
+      requireManagerAccess(context);
       const normalizedCustomerId = normalizeOptionalText(customerId);
-      if (normalizedCustomerId) {
-        await assertManagerCanAccessUser(context.prisma, manager, normalizedCustomerId);
-      }
 
       return context.prisma.order.findMany({
         where: {
-          ...(isSuperManager(manager) ? {} : { managerId: manager.id }),
           ...(normalizedCustomerId ? { customerId: normalizedCustomerId } : {}),
           ...(status ? { status } : {}),
         },
@@ -680,19 +667,9 @@ export const resolvers = {
     },
 
     registrationRequests: (_, { status }, context) => {
-      const manager = requireManagerAccess(context);
+      requireManagerAccess(context);
       return context.prisma.registrationRequest.findMany({
-        where: {
+        where: status ? { status } : undefined,
-          ...(status ? { status } : {}),
-          ...(isSuperManager(manager)
-            ? {}
-            : {
-                OR: [
-                  { reviewedById: manager.id },
-                  { reviewedById: null },
-                ],
-              }),
-        },
         orderBy: { createdAt: 'desc' },
       });
     },
@@ -882,10 +859,6 @@ export const resolvers = {
         throw new Error('Registration request was not found.');
       }
 
-      if (!isSuperManager(manager) && request.reviewedById && request.reviewedById !== manager.id) {
-        throw new Error('Registration request is assigned to another manager.');
-      }
-
       return context.prisma.registrationRequest.update({
         where: { id: input.requestId },
         data: {
@@ -1393,7 +1366,7 @@ export const resolvers = {
       const existingOrder = await context.prisma.order.findUnique({
         where: { id: input.orderId },
       });
-      assertManagerCanAccessOrder(existingOrder, manager);
+      assertManagerCanAccessOrder(existingOrder);
 
       const order = await context.prisma.order.update({
         where: { id: input.orderId },
@@ -1460,7 +1433,7 @@ export const resolvers = {
     managerFinalizeOrder: async (_, { orderId, decision }, context) => {
       const manager = requireManagerAccess(context);
       const order = await context.prisma.order.findUnique({ where: { id: orderId } });
-      assertManagerCanAccessOrder(order, manager);
+      assertManagerCanAccessOrder(order);
 
       const status = decision === 'REJECT'
         ? 'MANAGER_REJECTED'
@@ -1502,7 +1475,7 @@ export const resolvers = {
       const order = await context.prisma.order.findUnique({
         where: { id: input.orderId },
       });
-      assertManagerCanAccessOrder(order, manager);
+      assertManagerCanAccessOrder(order);
 
       const updated = await context.prisma.order.update({
         where: { id: input.orderId },
@@ -1525,7 +1498,7 @@ export const resolvers = {
     startOrderWork: async (_, { orderId }, context) => {
       const manager = requireManagerAccess(context);
       const order = await context.prisma.order.findUnique({ where: { id: orderId } });
-      assertManagerCanAccessOrder(order, manager);
+      assertManagerCanAccessOrder(order);
       if (order.status !== 'CONFIRMED') {
         throw new Error('Only confirmed order can be started.');
       }
@@ -1550,7 +1523,7 @@ export const resolvers = {
     completeOrder: async (_, { orderId }, context) => {
       const manager = requireManagerAccess(context);
       const order = await context.prisma.order.findUnique({ where: { id: orderId } });
-      assertManagerCanAccessOrder(order, manager);
+      assertManagerCanAccessOrder(order);
       if (order.status !== 'IN_PROGRESS') {
         throw new Error('Only in-progress order can be completed.');
       }