np-dms/lcbp3.np-dms.work
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

05.1 ปรบปรง backend ทงหมด และ frontend/login

Browse Source
This commit is contained in:
admin
2025-10-01 11:14:11 +07:00
parent 5be0f5407b
commit 905afb56f5
43 changed files with 2285 additions and 2834 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
backend/src/routes/contracts.js
View File

@@ -1,27 +1,14 @@
// FILE: src/routes/contracts.js
// Contracts routes
// - CRUD operations for contracts
// - Requires appropriate permissions via requirePerm middleware
// - Uses org scope for all permissions
// - contract.read, contract.create, contract.update, contract.delete
// - Contract fields: id (PK), org_id, project_id, contract_no, title, status, created_by
// - Basic filtering on list endpoint by project_id, org_id, contract_no
// - Uses async/await for asynchronous operations
// - Middleware functions are used for permission checks
// - Owner resolvers are used to fetch org_id for specific contract ids
import { Router } from "express";
import sql from "../db/index.js";
import { requirePerm } from "../middleware/requirePerm.js";
import { buildScopeWhere, ownerResolvers } from "../utils/scope.js";
import PERM from "../config/permissions.js";
const r = Router();
const OWN = ownerResolvers(sql, "contracts", "id");
// LIST
r.get(
"/",
requirePerm(PERM.contract.read, { scope: "global" }),
requirePerm("projects.view", { orgParam: "org_id" }),
async (req, res) => {
const {
project_id,
@@ -31,97 +18,118 @@ r.get(
limit = 50,
offset = 0,
} = req.query;
const base = buildScopeWhere(req.principal, {
tableAlias: "c",
orgColumn: "c.org_id",
projectColumn: "c.project_id",
permCode: PERM.contract.read,
preferProject: true,
});
const extra = [];
const params = {
...base.params,
limit: Number(limit),
offset: Number(offset),
};
if (project_id) {
extra.push("c.project_id = :project_id");
params.project_id = Number(project_id);
const p = req.principal;
const params = [];
const cond = [];
if (!p.is_superadmin) {
if (org_id) {
if (!p.inOrg(Number(org_id)))
return res.status(403).json({ error: "FORBIDDEN_ORG" });
cond.push("c.org_id=?");
params.push(Number(org_id));
} else if (p.org_ids?.length) {
cond.push(`c.org_id IN (${p.org_ids.map(() => "?").join(",")})`);
params.push(...p.org_ids);
}
} else if (org_id) {
cond.push("c.org_id=?");
params.push(Number(org_id));
}
if (org_id) {
extra.push("c.org_id = :org_id");
params.org_id = Number(org_id);
if (project_id) {
cond.push("c.project_id=?");
params.push(Number(project_id));
}
if (contract_no) {
extra.push("c.contract_no = :contract_no");
params.contract_no = contract_no;
cond.push("c.contract_no=?");
params.push(contract_no);
}
if (q) {
extra.push("(c.contract_no LIKE :q OR c.title LIKE :q)");
params.q = `%${q}%`;
cond.push("(c.contract_no LIKE ? OR c.title LIKE ?)");
params.push(`%${q}%`, `%${q}%`);
}
const where = [base.where, ...extra].filter(Boolean).join(" AND ");
const where = cond.length ? `WHERE ${cond.join(" AND ")}` : "";
const [rows] = await sql.query(
`SELECT c.* FROM contracts c WHERE ${where} ORDER BY c.id DESC LIMIT :limit OFFSET :offset`,
params
`SELECT c.* FROM contracts c ${where} ORDER BY c.id DESC LIMIT ? OFFSET ?`,
[...params, Number(limit), Number(offset)]
);
res.json(rows);
}
);
// GET
r.get(
"/:id",
requirePerm(PERM.contract.read, { scope: "org", getOrgId: OWN.getOrgIdById }),
requirePerm("projects.view", { orgParam: "org_id" }),
async (req, res) => {
const id = Number(req.params.id);
const [[row]] = await sql.query("SELECT * FROM contracts WHERE id=?", [id]);
if (!row) return res.status(404).json({ error: "Not found" });
const p = req.principal;
if (!p.is_superadmin && !p.inOrg(row.org_id))
return res.status(403).json({ error: "FORBIDDEN_ORG" });
res.json(row);
}
);
// CREATE
r.post(
"/",
requirePerm(PERM.contract.create, {
scope: "org",
getOrgId: async (req) => req.body?.org_id ?? null,
}),
requirePerm("projects.manage", { orgParam: "org_id" }),
async (req, res) => {
const { org_id, project_id, contract_no, title, status } = req.body;
const { org_id, project_id, contract_no, title, status } = req.body || {};
if (!org_id || !project_id || !contract_no)
return res
.status(400)
.json({ error: "org_id, project_id, contract_no required" });
const [rs] = await sql.query(
`INSERT INTO contracts (org_id, project_id, contract_no, title, status, created_by) VALUES (?,?,?,?,?,?)`,
[org_id, project_id, contract_no, title, status, req.principal.userId]
[
org_id,
project_id,
contract_no,
title || null,
status || null,
req.principal.user_id,
]
);
res.json({ id: rs.insertId });
}
);
// UPDATE
r.put(
"/:id",
requirePerm(PERM.contract.update, {
scope: "org",
getOrgId: OWN.getOrgIdById,
}),
requirePerm("projects.manage", { orgParam: "org_id" }),
async (req, res) => {
const id = Number(req.params.id);
const { title, status } = req.body;
const [[row]] = await sql.query("SELECT * FROM contracts WHERE id=?", [id]);
if (!row) return res.status(404).json({ error: "Not found" });
const p = req.principal;
if (!p.is_superadmin && !p.inOrg(row.org_id))
return res.status(403).json({ error: "FORBIDDEN_ORG" });
const { title, status } = req.body || {};
await sql.query("UPDATE contracts SET title=?, status=? WHERE id=?", [
title,
status,
title ?? row.title,
status ?? row.status,
id,
]);
res.json({ ok: 1 });
}
);
// DELETE
r.delete(
"/:id",
requirePerm(PERM.contract.delete, {
scope: "org",
getOrgId: OWN.getOrgIdById,
}),
requirePerm("projects.manage", { orgParam: "org_id" }),
async (req, res) => {
const id = Number(req.params.id);
const [[row]] = await sql.query("SELECT * FROM contracts WHERE id=?", [id]);
if (!row) return res.status(404).json({ error: "Not found" });
const p = req.principal;
if (!p.is_superadmin && !p.inOrg(row.org_id))
return res.status(403).json({ error: "FORBIDDEN_ORG" });
await sql.query("DELETE FROM contracts WHERE id=?", [id]);
res.json({ ok: 1 });
}