Merge branch 'feat/BE/sso-adjustment' into 'development'

[FIX/BE-US]add feature restrict by location and areas in roles See merge request mbugroup/lti-api!189
2026-05-20 13:31:56 +00:00 · 2026-01-28 11:22:47 +07:00
parent b468ba3df9 8410573ee6
commit 9dd4a93476
50 changed files with 2584 additions and 171 deletions
@@ -200,7 +200,7 @@ func (r *MarketingDeliveryProductRepositoryImpl) GetAllWithFilters(ctx context.C
 		Joins("JOIN marketings ON marketings.id = marketing_products.marketing_id").
 		Where("marketing_delivery_products.delivery_date IS NOT NULL")

-	if filters.ProductId > 0 || filters.WarehouseId > 0 || filters.AreaId > 0 || filters.LocationId > 0 || filters.Search != "" || filters.MarketingType != "" {
+	if filters.ProductId > 0 || filters.WarehouseId > 0 || filters.AreaId > 0 || filters.LocationId > 0 || filters.AllowedAreaIDs != nil || filters.AllowedLocationIDs != nil || filters.Search != "" || filters.MarketingType != "" {
 		db = db.Joins("LEFT JOIN product_warehouses ON product_warehouses.id = marketing_products.product_warehouse_id")
 	}

@@ -250,7 +250,7 @@ func (r *MarketingDeliveryProductRepositoryImpl) GetAllWithFilters(ctx context.C
 		db = db.Where("product_warehouses.warehouse_id = ?", filters.WarehouseId)
 	}

-	if filters.AreaId > 0 || filters.LocationId > 0 {
+	if filters.AreaId > 0 || filters.LocationId > 0 || filters.AllowedAreaIDs != nil || filters.AllowedLocationIDs != nil {
 		db = db.Joins("LEFT JOIN project_flock_kandangs ON project_flock_kandangs.id = product_warehouses.project_flock_kandang_id").
 			Joins("LEFT JOIN project_flocks ON project_flocks.id = project_flock_kandangs.project_flock_id")

@@ -261,6 +261,22 @@ func (r *MarketingDeliveryProductRepositoryImpl) GetAllWithFilters(ctx context.C
 		if filters.LocationId > 0 {
 			db = db.Where("project_flocks.location_id = ?", filters.LocationId)
 		}
+
+		if filters.AllowedAreaIDs != nil {
+			if len(filters.AllowedAreaIDs) == 0 {
+				db = db.Where("1 = 0")
+			} else {
+				db = db.Where("project_flocks.area_id IN ?", filters.AllowedAreaIDs)
+			}
+		}
+
+		if filters.AllowedLocationIDs != nil {
+			if len(filters.AllowedLocationIDs) == 0 {
+				db = db.Where("1 = 0")
+			} else {
+				db = db.Where("project_flocks.location_id IN ?", filters.AllowedLocationIDs)
+			}
+		}
 	}

 	if filters.MarketingType != "" {
@@ -71,6 +71,10 @@ func (s deliveryOrdersService) withRelations(db *gorm.DB) *gorm.DB {
 }

 func (s deliveryOrdersService) getMarketingWithDeliveries(c *fiber.Ctx, marketingId uint) (*dto.MarketingDetailDTO, error) {
+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), marketingId); err != nil {
+		return nil, err
+	}
+
 	marketing, err := s.MarketingRepo.GetByID(c.Context(), marketingId, s.withRelations)
 	if err != nil {
 		return nil, fiber.NewError(fiber.StatusInternalServerError, "Failed to fetch marketing")
@@ -95,6 +99,11 @@ func (s deliveryOrdersService) GetAll(c *fiber.Ctx, params *validation.DeliveryO
 		return nil, 0, err
 	}

+	scope, err := m.ResolveLocationScope(c, s.MarketingRepo.DB())
+	if err != nil {
+		return nil, 0, err
+	}
+
 	offset := (params.Page - 1) * params.Limit

 	marketings, total, err := s.MarketingRepo.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
@@ -106,6 +115,23 @@ func (s deliveryOrdersService) GetAll(c *fiber.Ctx, params *validation.DeliveryO
 			Preload("Products.ProductWarehouse.Warehouse").
 			Preload("Products.DeliveryProduct")

+		if scope.Restrict {
+			if len(scope.IDs) == 0 {
+				return db.Where("1 = 0")
+			}
+			db = db.Where(
+				`EXISTS (
+					SELECT 1
+					FROM marketing_products mp
+					JOIN product_warehouses pw ON pw.id = mp.product_warehouse_id
+					JOIN warehouses w ON w.id = pw.warehouse_id
+					WHERE mp.marketing_id = marketings.id
+						AND w.location_id IN ?
+				)`,
+				scope.IDs,
+			)
+		}
+
 		if params.MarketingId != 0 {
 			return db.Where("id = ?", params.MarketingId)
 		}
@@ -134,6 +160,9 @@ func (s deliveryOrdersService) GetAll(c *fiber.Ctx, params *validation.DeliveryO
 }

 func (s deliveryOrdersService) GetOne(c *fiber.Ctx, id uint) (*dto.MarketingDetailDTO, error) {
+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+		return nil, err
+	}

 	marketing, err := s.MarketingRepo.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -173,6 +202,10 @@ func (s *deliveryOrdersService) CreateOne(c *fiber.Ctx, req *validation.Delivery
 		return nil, err
 	}

+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), req.MarketingId); err != nil {
+		return nil, err
+	}
+
 	if err := commonSvc.EnsureRelations(c.Context(),
 		commonSvc.RelationCheck{Name: "Marketing", ID: &req.MarketingId, Exists: s.MarketingRepo.IdExists},
 	); err != nil {
@@ -323,6 +356,10 @@ func (s deliveryOrdersService) UpdateOne(c *fiber.Ctx, req *validation.DeliveryO
 		return nil, err
 	}

+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+		return nil, err
+	}
+
 	if err := commonSvc.EnsureRelations(c.Context(),
 		commonSvc.RelationCheck{Name: "Marketing", ID: &id, Exists: s.MarketingRepo.IdExists},
 	); err != nil {
@@ -70,6 +70,10 @@ func (s salesOrdersService) withRelations(db *gorm.DB) *gorm.DB {
 }

 func (s salesOrdersService) getOne(c *fiber.Ctx, id uint) (*entity.Marketing, error) {
+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+		return nil, err
+	}
+
 	marketing, err := s.MarketingRepo.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "SalesOrders not found")
@@ -108,6 +112,9 @@ func (s *salesOrdersService) CreateOne(c *fiber.Ctx, req *validation.Create) (*e
 	}

 	for _, item := range req.MarketingProducts {
+		if err := m.EnsureProductWarehouseAccess(c, s.MarketingRepo.DB(), item.ProductWarehouseId); err != nil {
+			return nil, err
+		}
 		if err := commonSvc.EnsureRelations(c.Context(),
 			commonSvc.RelationCheck{Name: "ProductWarehouse", ID: &item.ProductWarehouseId, Exists: s.ProductWarehouseRepo.IdExists},
 		); err != nil {
@@ -197,6 +204,10 @@ func (s salesOrdersService) UpdateOne(c *fiber.Ctx, req *validation.Update, id u
 		return nil, err
 	}

+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+		return nil, err
+	}
+
 	actorID, err := m.ActorIDFromContext(c)
 	if err != nil {
 		return nil, err
@@ -219,11 +230,14 @@ func (s salesOrdersService) UpdateOne(c *fiber.Ctx, req *validation.Update, id u
 	}

 	if len(req.MarketingProducts) > 0 {
-		for _, item := range req.MarketingProducts {
-			if err := commonSvc.EnsureRelations(c.Context(),
-				commonSvc.RelationCheck{Name: "ProductWarehouse", ID: &item.ProductWarehouseId, Exists: s.ProductWarehouseRepo.IdExists},
-			); err != nil {
-				return nil, err
+	for _, item := range req.MarketingProducts {
+		if err := m.EnsureProductWarehouseAccess(c, s.MarketingRepo.DB(), item.ProductWarehouseId); err != nil {
+			return nil, err
+		}
+		if err := commonSvc.EnsureRelations(c.Context(),
+			commonSvc.RelationCheck{Name: "ProductWarehouse", ID: &item.ProductWarehouseId, Exists: s.ProductWarehouseRepo.IdExists},
+		); err != nil {
+			return nil, err
 			}
 		}
 	}
@@ -414,6 +428,10 @@ func (s salesOrdersService) UpdateOne(c *fiber.Ctx, req *validation.Update, id u
 }

 func (s salesOrdersService) DeleteOne(c *fiber.Ctx, id uint) error {
+	if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+		return err
+	}
+
 	marketing, err := s.MarketingRepo.GetByID(c.Context(), id, s.withRelations)

 	if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -478,6 +496,12 @@ func (s salesOrdersService) Approval(c *fiber.Ctx, req *validation.Approve) ([]e
 		return nil, err
 	}

+	for _, id := range req.ApprovableIds {
+		if err := m.EnsureMarketingAccess(c, s.MarketingRepo.DB(), id); err != nil {
+			return nil, err
+		}
+	}
+
 	actorID, err := m.ActorIDFromContext(c)
 	if err != nil {
 		return nil, err