mirror of
https://github.com/bigcapitalhq/bigcapital.git
synced 2026-02-20 14:50:32 +00:00
feat: add permission guards to credit note and vendor credit controllers
Add AuthorizationGuard and PermissionGuard to the following controllers: - CreditNoteRefundsController - CreditNotesApplyInvoiceController - VendorCreditApplyBillsController - VendorCreditsRefundController Add @RequirePermission decorators with appropriate actions: - View action for GET endpoints - Edit action for POST/DELETE endpoints - Refund action for refund-related operations Also fixes AuthorizationGuard to use userId from clsService instead of user.id from request for consistency with the abilities cache.
This commit is contained in:
Ahmed Bouhuolia
@@ -1,11 +1,27 @@
|
||||
import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
|
||||
import {
|
||||
Body,
|
||||
Controller,
|
||||
Delete,
|
||||
Get,
|
||||
Param,
|
||||
Post,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { VendorCreditsRefundApplication } from './VendorCreditsRefund.application';
|
||||
import { RefundVendorCredit } from './models/RefundVendorCredit';
|
||||
import { ApiOperation, ApiTags } from '@nestjs/swagger';
|
||||
import { RefundVendorCreditDto } from './dtos/RefundVendorCredit.dto';
|
||||
import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
|
||||
import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
|
||||
import { PermissionGuard } from '@/modules/Roles/Permission.guard';
|
||||
import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
|
||||
import { AbilitySubject } from '@/modules/Roles/Roles.types';
|
||||
import { VendorCreditAction } from '../VendorCredit/types/VendorCredit.types';
|
||||
|
||||
@Controller('vendor-credits')
|
||||
@ApiTags('Vendor Credits Refunds')
|
||||
@ApiCommonHeaders()
|
||||
@UseGuards(AuthorizationGuard, PermissionGuard)
|
||||
export class VendorCreditsRefundController {
|
||||
constructor(
|
||||
private readonly vendorCreditsRefundApplication: VendorCreditsRefundApplication,
|
||||
@@ -17,6 +33,7 @@ export class VendorCreditsRefundController {
|
||||
* @returns {Promise<IRefundVendorCreditPOJO[]>}
|
||||
*/
|
||||
@Get(':vendorCreditId/refund')
|
||||
@RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
|
||||
@ApiOperation({ summary: 'Retrieve the vendor credit refunds graph.' })
|
||||
public getVendorCreditRefunds(
|
||||
@Param('vendorCreditId') vendorCreditId: string,
|
||||
@@ -33,6 +50,7 @@ export class VendorCreditsRefundController {
|
||||
* @returns {Promise<RefundVendorCredit>}
|
||||
*/
|
||||
@Post(':vendorCreditId/refund')
|
||||
@RequirePermission(VendorCreditAction.Refund, AbilitySubject.VendorCredit)
|
||||
@ApiOperation({ summary: 'Create a refund for the given vendor credit.' })
|
||||
public async createRefundVendorCredit(
|
||||
@Param('vendorCreditId') vendorCreditId: string,
|
||||
@@ -50,6 +68,7 @@ export class VendorCreditsRefundController {
|
||||
* @returns {Promise<void>}
|
||||
*/
|
||||
@Delete('refunds/:refundCreditId')
|
||||
@RequirePermission(VendorCreditAction.Refund, AbilitySubject.VendorCredit)
|
||||
@ApiOperation({ summary: 'Delete a refund for the given vendor credit.' })
|
||||
public async deleteRefundVendorCredit(
|
||||
@Param('refundCreditId') refundCreditId: string,
|
||||
|
||||
Reference in New Issue
Block a user