From 2eec70b7e3d2bb6d2af8c68b8544524633338fb6 Mon Sep 17 00:00:00 2001
From: Antony Kurniawan
Date: Tue, 7 Oct 2025 15:12:49 +0700
Subject: [PATCH] add verify role

---
 middleware/verifyAccess.js | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 middleware/verifyAccess.js

diff --git a/middleware/verifyAccess.js b/middleware/verifyAccess.js
new file mode 100644
index 0000000..e62fee0
--- /dev/null
+++ b/middleware/verifyAccess.js
@@ -0,0 +1,38 @@
+const { ErrorHandler } = require("../helpers/error");
+const { getUserByIdDb } = require("../db/user.db");
+
+const verifyAccess = (minLevel = 1, allowUnapprovedReadOnly = false) => {
+ return async (req, res, next) => {
+ try {
+ const user = req.user;
+
+ if (!user) throw new ErrorHandler(401, "Unauthorized: User not found");
+
+ // Super Admin bypass semua
+ if (user.is_sa) return next();
+
+ const fullUser = await getUserByIdDb(user.user_id);
+ if (!fullUser) throw new ErrorHandler(403, "Forbidden: User not found");
+
+ if (!fullUser.is_approve) {
+ if (req.method !== "GET") {
+ throw new ErrorHandler(403, "Account not approved — read-only access");
+ }
+
+ if (allowUnapprovedReadOnly) return next();
+
+ throw new ErrorHandler(403, "Account not approved");
+ }
+
+ if (!fullUser.role_level || fullUser.role_level < minLevel) {
+ throw new ErrorHandler(403, "Forbidden: Insufficient role level");
+ }
+
+ next();
+ } catch (err) {
+ next(err);
+ }
+ };
+};
+
+module.exports = verifyAccess;
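Review bot: The super-admin bypass `if (user.is_sa) return next();` grants full access on a flag carried in `req.user` (presumably decoded from a token by an earlier middleware, not visible here), while every other decision in this middleware is made from the freshly loaded `fullUser`; a revoked SA flag therefore keeps working until that token expires, and the database row is never consulted for SA accounts at all. Moving the check below the lookup, `if (fullUser.is_sa) return next();`, keeps all privilege decisions on the database record. Separately, inside the `!fullUser.is_approve` branch `if (allowUnapprovedReadOnly) return next();` returns before the `role_level` comparison, so an unapproved account on a GET route can pass a `minLevel` that an approved account with the same `role_level` would fail; unless unapproved accounts are intentionally exempt from role levels, invert it to `if (!allowUnapprovedReadOnly) throw new ErrorHandler(403, "Account not approved");` and let the request fall through to the role check. Note also that `!fullUser.role_level` treats a stored level of 0 as missing, which is only correct if 0 is never a valid level.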