refactor: enhance schedule retrieval logic in ScheduleSchema

- Update schedule retrieval to restrict access to authorized centers based on center ownership and mentorship. - Implement checks to ensure that schedules are only fetched for approved centers. - Improve error handling for user and center validation during schedule queries, preventing access in subscription contexts.
2024-11-30 21:02:03 +07:00
parent c26bf36084
commit 2c38110183
1 changed files with 40 additions and 8 deletions
--- a/src/Schedule/schedule.schema.ts
+++ b/src/Schedule/schedule.schema.ts
@@ -2,7 +2,7 @@ import { Inject, Injectable, Logger } from '@nestjs/common'
 import { Pothos, PothosRef, PothosSchema, SchemaBuilderToken } from '@smatch-corp/nestjs-pothos'
 import { Builder } from '../Graphql/graphql.builder'
 import { PrismaService } from '../Prisma/prisma.service'
-import { ScheduleDateStatus, ScheduleStatus } from '@prisma/client'
+import { CenterStatus, ScheduleDateStatus, ScheduleStatus } from '@prisma/client'
 import { ScheduleService } from './schedule.service'
 import { AppConfigService } from '../AppConfig/appconfig.service'
 import { ScheduleConfigType } from './schedule'
@@ -228,15 +228,16 @@ export class ScheduleSchema extends PothosSchema {
            throw new Error('User not found')
          }
          // only return schedule belong to center
+
          const center = await this.prisma.center.findFirst({
            where: {
-              centerMentors: {
-                some: {
-                  mentorId: ctx.http.me.id,
-                },
-              },
+              AND: [
+                { OR: [{ centerOwnerId: ctx.http.me.id }, { centerMentors: { some: { mentorId: ctx.http.me.id } } }] },
+                { centerStatus: CenterStatus.APPROVED },
+              ],
            },
          })
+
          if (!center) {
            throw new Error('Center not found')
          }
@@ -254,13 +255,44 @@ export class ScheduleSchema extends PothosSchema {
        type: [this.schedule()],
        args: this.builder.generator.findManyArgs('Schedule'),
        description: 'Retrieve a list of schedules with optional filtering, ordering, and pagination.',
-        resolve: async (query, _root, args, _ctx, _info) => {
+        resolve: async (query, _root, args, ctx, _info) => {
+          if (ctx.isSubscription) {
+            throw new Error('Cannot retrieve schedules in subscription')
+          }
+          if (!ctx.http?.me?.id) {
+            throw new Error('User not found')
+          }
+          const center = await this.prisma.center.findFirst({
+            where: {
+              OR: [{ centerOwnerId: ctx.http.me.id }, { centerMentors: { some: { mentorId: ctx.http.me.id } } }],
+            },
+            include: {
+              centerMentors: true,
+            },
+          })
+          if (!center) {
+            throw new Error('Center not found')
+          }
          return await this.prisma.schedule.findMany({
            ...query,
            skip: args.skip ?? undefined,
            take: args.take ?? undefined,
            orderBy: args.orderBy ?? undefined,
-            where: args.filter ?? undefined,
+            where: {
+              AND: [
+                {
+                  OR: [
+                    { managedService: { service: { centerId: center.id } } },
+                    {
+                      managedService: {
+                        service: { center: { centerMentors: { some: { mentorId: ctx.http.me.id } } } },
+                      },
+                    },
+                  ],
+                },
+                { managedService: { service: { centerId: center.id } } },
+              ],
+            },
          })
        },
      }),