05.1 ปรบปรง backend ทงหมด และ frontend/login
@@ -1,51 +1,55 @@
|
||||
// FILE: src/routes/users.js
|
||||
// 03.2 11) เพิ่ม routes/users.js (ใหม่)
|
||||
// - ใช้ร่วมกับ requirePerm()
|
||||
// - สำหรับดูข้อมูลผู้ใช้ตัวเอง และรายชื่อผู้ใช้ (สำหรับ SUPER_ADMIN หรือ ADMIN เท่านั้น)
|
||||
// Users routes
|
||||
// - GET /me to get current user info and roles
|
||||
// - GET /api/users to list users (for SUPER_ADMIN or ADMIN only)
|
||||
// - Requires appropriate permissions via requirePerm middleware
|
||||
// - Uses req.principal loaded by loadPrincipal middleware
|
||||
// (make sure to use loadPrincipalMw() in app.js or the parent router)
|
||||
// (e.g. app.use('/api', requireAuth(), enrichPermissions(), loadPrincipalMw(), apiRouter);)
|
||||
// - req.principal has { userId, roleIds, roleCodes, permissions }
|
||||
// (see utils/rbac.js for details)
|
||||
// - Uses Sequelize ORM for DB access
|
||||
|
||||
// FILE: backend/src/routes/users.js
|
||||
import { Router } from "express";
|
||||
import sql from "../db/index.js";
|
||||
import { requirePerm } from "../middleware/requirePerm.js";
|
||||
import PERM from "../config/permissions.js";
|
||||
|
||||
const r = Router();
|
||||
|
||||
// ME
|
||||
// ME (ทุกคน)
|
||||
r.get("/me", async (req, res) => {
|
||||
const p = req.principal;
|
||||
const [[u]] = await sql.query(
|
||||
"SELECT user_id, username, email, first_name, last_name FROM users WHERE user_id=?",
|
||||
[req.principal.userId]
|
||||
`SELECT user_id, username, email, first_name, last_name, org_id FROM users WHERE user_id=?`,
|
||||
[p.user_id]
|
||||
);
|
||||
if (!u) return res.status(404).json({ error: "User not found" });
|
||||
|
||||
// roles in plain
|
||||
const [roles] = await sql.query(
|
||||
`
|
||||
SELECT r.role_code, r.role_name, ur.org_id, ur.project_id
|
||||
FROM user_roles ur JOIN roles r ON r.role_id = ur.role_id
|
||||
WHERE ur.user_id=?`,
|
||||
[req.principal.userId]
|
||||
`SELECT r.role_code, r.role_name, ur.org_id, ur.project_id
|
||||
FROM user_roles ur JOIN roles r ON r.role_id = ur.role_id
|
||||
WHERE ur.user_id=?`,
|
||||
[p.user_id]
|
||||
);
|
||||
|
||||
res.json({ ...u, roles, role_codes: [...req.principal.roleCodes] });
|
||||
res.json({
|
||||
...u,
|
||||
roles,
|
||||
role_codes: roles.map((r) => r.role_code),
|
||||
permissions: [...(p.permissions || [])],
|
||||
project_ids: p.project_ids,
|
||||
org_ids: p.org_ids,
|
||||
is_superadmin: p.is_superadmin,
|
||||
});
|
||||
});
|
||||
|
||||
// (optional) USERS LIST – ให้เฉพาะ SUPER_ADMIN หรือ ADMIN (ใน org ตัวเอง)
|
||||
r.get("/", requirePerm("user.read", { scope: "global" }), async (req, res) => {
|
||||
const [rows] = await sql.query(
|
||||
"SELECT user_id, username, email FROM users LIMIT 200"
|
||||
);
|
||||
res.json(rows);
|
||||
});
|
||||
// USERS LIST (ORG scope) — admin.access
|
||||
r.get(
|
||||
"/",
|
||||
requirePerm("admin.access", { orgParam: "org_id" }),
|
||||
async (req, res) => {
|
||||
const P = req.principal;
|
||||
let rows = [];
|
||||
if (P.is_superadmin) {
|
||||
[rows] = await sql.query(
|
||||
"SELECT user_id, username, email, org_id FROM users ORDER BY user_id DESC LIMIT 500"
|
||||
);
|
||||
} else if (P.org_ids?.length) {
|
||||
const inSql = P.org_ids.map(() => "?").join(",");
|
||||
[rows] = await sql.query(
|
||||
`SELECT user_id, username, email, org_id FROM users WHERE org_id IN (${inSql}) ORDER BY user_id DESC LIMIT 500`,
|
||||
P.org_ids
|
||||
);
|
||||
}
|
||||
res.json(rows);
|
||||
}
|
||||
);
|
||||
|
||||
export default r;
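Review bot: The users-list handler guards with `requirePerm("admin.access", { orgParam: "org_id" })`, which names a single org_id, but the non-superadmin branch then returns users for every org in `P.org_ids`, so the org the caller was authorised for and the orgs actually listed are not the same set; if requirePerm validates only the org named by that parameter (its implementation is not visible here), the query should filter on that same org rather than the whole `P.org_ids` list. The header comment near the top of the file still documents req.principal as `{ userId, roleIds, roleCodes, permissions }` while the new code reads `p.user_id`, `p.org_ids`, `p.project_ids` and `p.is_superadmin`; update that comment to the new shape so the documented contract matches the code. In `/me`, `p.user_id` dereferences `req.principal` with no guard, so a router mounted without loadPrincipalMw fails with a 500 instead of an auth error; `if (!p) return res.status(401).json({ error: "Unauthenticated" });` placed before the first query makes that failure explicit. The callback `roles.map((r) => r.role_code)` shadows the module-level Router `r`; naming the parameter `role` avoids the confusion.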
|
||||
|
||||