const UserError = require('vn-loopback/util/user-error'); module.exports = Self => { Self.remoteMethodCtx('deleteTimeEntry', { description: 'Deletes a manual time entry for a worker if the user role is above the worker', accessType: 'READ', accepts: [{ arg: 'id', type: 'number', required: true, description: 'The time entry id', http: {source: 'path'} }], returns: { type: 'boolean', root: true }, http: { path: `/:id/deleteTimeEntry`, verb: 'POST' } }); Self.deleteTimeEntry = async(ctx, id) => { const currentUserId = ctx.req.accessToken.userId; const workerModel = Self.app.models.Worker; const targetTimeEntry = await Self.findById(id); const isSubordinate = await workerModel.isSubordinate(ctx, targetTimeEntry.userFk); const isHHRR = await Self.app.models.Account.hasRole(currentUserId, 'hr'); const notAllowed = isSubordinate === false || (isSubordinate && currentUserId == targetTimeEntry.userFk && !isHHRR); if (notAllowed) throw new UserError(`You don't have enough privileges`); return Self.rawSql('CALL vn.workerTimeControl_remove(?, ?)', [ targetTimeEntry.userFk, targetTimeEntry.timed]); }; };