Implement removing organisations

o-seliuchenko · o-seliuchenko · commit fe44554070f3 · 2025-12-18T12:12:31.000+02:00
diff --git a/src/constants/roles.ts b/src/constants/roles.ts
@@ -14,6 +14,7 @@
  */
 export const ROLES = {
   SUPER_ADMIN: 'SuperAdmin',
+  SUPER_ADMIN_PLUS: 'SuperAdminPlus',
   CITY_ADMIN: 'CityAdmin',
   VOLUNTEER_ADMIN: 'VolunteerAdmin',
   ORG_ADMIN: 'OrgAdmin',
@@ -49,6 +50,7 @@ export type Role = BaseRole | `${typeof ROLE_PREFIXES.CITY_ADMIN_FOR}${string}`
  */
 export const BASE_ROLES_ARRAY: readonly BaseRole[] = [
   ROLES.SUPER_ADMIN,
+  ROLES.SUPER_ADMIN_PLUS,
   ROLES.CITY_ADMIN,
   ROLES.VOLUNTEER_ADMIN,
   ROLES.ORG_ADMIN,
@@ -126,7 +128,7 @@ export function hasRole(authClaims: string[], role: BaseRole): boolean {
  * Check if user has SuperAdmin role
  */
 export function isSuperAdmin(authClaims: string[]): boolean {
-  return hasRole(authClaims, ROLES.SUPER_ADMIN);
+  return hasRole(authClaims, ROLES.SUPER_ADMIN) || hasRole(authClaims, ROLES.SUPER_ADMIN_PLUS);
 }
 
 /**
@@ -158,7 +160,7 @@ export function hasLocationAccess(authClaims: string[], locationSlug: string): b
  * Regular expression pattern for validating role formats
  * Matches: SuperAdmin, CityAdmin, CityAdminFor:*, AdminFor:*, SwepAdmin, SwepAdminFor:*, OrgAdmin, VolunteerAdmin
  */
-export const ROLE_VALIDATION_PATTERN = /^(SuperAdmin|CityAdmin|CityAdminFor:.+|VolunteerAdmin|SwepAdmin|SwepAdminFor:.+|OrgAdmin|AdminFor:.+)$/;
+export const ROLE_VALIDATION_PATTERN = /^(SuperAdmin|SuperAdminPlus|CityAdmin|CityAdminFor:.+|VolunteerAdmin|SwepAdmin|SwepAdminFor:.+|OrgAdmin|AdminFor:.+)$/;
 
 /**
  * Validate an array of roles
diff --git a/src/controllers/organisationController.ts b/src/controllers/organisationController.ts
@@ -6,7 +6,7 @@ import Service from '../models/serviceModel.js';
 import Accommodation from '../models/accommodationModel.js';
 import User from '../models/userModel.js';
 import { asyncHandler } from '../utils/asyncHandler.js';
-import { sendSuccess, sendCreated, sendNotFound, sendBadRequest, sendPaginatedSuccess } from '../utils/apiResponses.js';
+import { sendSuccess, sendCreated, sendNotFound, sendBadRequest, sendPaginatedSuccess, sendInternalError } from '../utils/apiResponses.js';
 import { ROLES, ROLE_PREFIXES } from '../constants/roles.js';
 import { validateOrganisation } from '../schemas/organisationSchema.js';
 import { processAddressesWithCoordinates, updateLocationIfPostcodeChanged } from '../utils/postcodeValidation.js';
@@ -37,7 +37,7 @@ export const getOrganisations = asyncHandler(async (req: Request, res: Response)
   // const userId = req.user?._id;
   
   // Role-based filtering
-  const isSuperAdmin = requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN);
+  const isSuperAdmin = requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN) || requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS);
   const isVolunteerAdmin = requestingUserAuthClaims.includes(ROLES.VOLUNTEER_ADMIN);
   const isCityAdmin = requestingUserAuthClaims.includes(ROLES.CITY_ADMIN);
 
@@ -651,4 +651,77 @@ export const updateRelatedServices = async (
   return groupedServicesResult.modifiedCount + 
          servicesResult.modifiedCount + 
          accommodationsResult.modifiedCount;
-};
+};
+
+// @desc    Delete organisation and all related data
+// @route   DELETE /api/organisations/:id
+// @access  Private (SuperAdminPlus only)
+export const deleteOrganisation = asyncHandler(async (req: Request, res: Response) => {
+  // Start a MongoDB session for transaction
+  const session = await mongoose.startSession();
+  
+  try {
+    // Start transaction
+    await session.startTransaction();
+    
+    // Find the organisation first
+    const organisation = await Organisation.findById(req.params.id).session(session);
+    
+    if (!organisation) {
+      await session.abortTransaction();
+      return sendNotFound(res, 'Organisation not found');
+    }
+    
+    const organisationKey = organisation.Key;
+    const organisationName = organisation.Name;
+    
+    // Delete all related grouped services
+    const groupedServicesResult = await GroupedService.deleteMany(
+      { ProviderId: organisationKey },
+      { session }
+    );
+    
+    // Delete all related individual services
+    const servicesResult = await Service.deleteMany(
+      { ServiceProviderKey: organisationKey },
+      { session }
+    );
+    
+    // Delete all related accommodations
+    const accommodationsResult = await Accommodation.deleteMany(
+      { 'GeneralInfo.ServiceProviderId': organisationKey },
+      { session }
+    );
+    
+    // Delete the organisation itself
+    await Organisation.findByIdAndDelete(req.params.id, { session });
+    
+    // Commit the transaction
+    await session.commitTransaction();
+    
+    const deletionSummary = {
+      organisationName,
+      organisationKey,
+      deletedGroupedServices: groupedServicesResult.deletedCount,
+      deletedIndividualServices: servicesResult.deletedCount,
+      deletedAccommodations: accommodationsResult.deletedCount
+    };
+    
+    return sendSuccess(
+      res, 
+      deletionSummary, 
+      `Organisation "${organisationName}" and all related data deleted successfully. ` +
+      `Deleted: ${groupedServicesResult.deletedCount} grouped services, ` +
+      `${servicesResult.deletedCount} individual services, ` +
+      `${accommodationsResult.deletedCount} accommodations.`
+    );
+  } catch (error) {
+    // Abort transaction on error
+    await session.abortTransaction();
+    console.error('Error deleting organisation:', error);
+    return sendInternalError(res, 'Failed to delete organisation');
+  } finally {
+    // End session
+    session.endSession();
+  }
+});
diff --git a/src/controllers/userController.ts b/src/controllers/userController.ts
@@ -42,12 +42,13 @@ const getUsers = asyncHandler(async (req: Request, res: Response) => {
 
   // Exclude SuperAdmin users from results if requesting user is not a SuperAdmin
   const requestingUserAuthClaims = req.user?.AuthClaims || [];
-  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN) && !requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
     conditions.push({ AuthClaims: { $ne: ROLES.SUPER_ADMIN } });
+    conditions.push({ AuthClaims: { $ne: ROLES.SUPER_ADMIN_PLUS } });
   }
 
-  // Exclude VolunteerAdmin users from results if requesting user is not a SuperAdmin or VolunteerAdmin
-  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+  // Exclude VolunteerAdmin users from results if requesting user is not a SuperAdmin
+  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN) && !requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
     conditions.push({ AuthClaims: { $ne: ROLES.VOLUNTEER_ADMIN } });
   }
 
@@ -133,8 +134,8 @@ const getUserById = asyncHandler(async (req: Request, res: Response) => {
 
   // Exclude SuperAdmin users from results if requesting user is not a SuperAdmin
   const requestingUserAuthClaims = req.user?.AuthClaims || [];
-  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN)) {
-    if(user.AuthClaims.some((claim: string) => claim === ROLES.SUPER_ADMIN)){
+  if (!requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN) && !requestingUserAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
+    if(user.AuthClaims.some((claim: string) => claim === ROLES.SUPER_ADMIN || claim === ROLES.SUPER_ADMIN_PLUS)){
       return sendForbidden(res);
     };
   }
@@ -332,6 +333,7 @@ const deleteUser = asyncHandler(async (req: Request, res: Response) => {
   // Remove user from organisation administrators if they have org-related roles
   const hasOrgRoles = user.AuthClaims?.some((claim: string) => 
     claim === ROLES.SUPER_ADMIN || 
+    claim === ROLES.SUPER_ADMIN_PLUS || 
     claim === ROLES.VOLUNTEER_ADMIN ||
     claim.startsWith(ROLE_PREFIXES.ADMIN_FOR) ||
     claim.startsWith(ROLE_PREFIXES.CITY_ADMIN_FOR)
diff --git a/src/middleware/authMiddleware.ts b/src/middleware/authMiddleware.ts
@@ -46,7 +46,7 @@ interface JwtPayload {
  */
 const handleSuperAdminAccess = (
   userAuthClaims: string[]
-): boolean => userAuthClaims.includes(ROLES.SUPER_ADMIN);
+): boolean => userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS);
 
 /**
  * Helper: handles global privileged access rules for VolunteerAdmin.
@@ -802,7 +802,7 @@ export const requireFaqLocationAccess = (req: Request, res: Response, next: Next
 
   // If LocationKey is 'general', only SuperAdmin and VolunteerAdmin can access
   if (locationId === 'general' || locations.includes('general')) {
-    if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+    if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS) || userAuthClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
       return next();
     }
     return sendForbidden(res, 'Access to general advice is restricted to SuperAdmin and VolunteerAdmin');
@@ -846,7 +846,7 @@ export const requireUserCreationAccess = asyncHandler(async (req: Request, res:
     }
   
     // SuperAdmin has access to everything.
-    if (userAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+    if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
       return next();
     }
     
@@ -878,7 +878,7 @@ export const requireUserCreationAccess = asyncHandler(async (req: Request, res:
         // Validate that they're not trying to assign SuperAdmin role or VolunteerAdmin roles or CityAdmin roles
         const requestBody = req.body;
         if (requestBody.AuthClaims && Array.isArray(requestBody.AuthClaims)) {
-          if (requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN) || requestBody.AuthClaims.includes(ROLES.VOLUNTEER_ADMIN) || requestBody.AuthClaims.includes(ROLES.CITY_ADMIN)) {
+          if (requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN) || requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN_PLUS) || requestBody.AuthClaims.includes(ROLES.VOLUNTEER_ADMIN) || requestBody.AuthClaims.includes(ROLES.CITY_ADMIN)) {
             return sendForbidden(res, 'OrgAdmin cannot assign SuperAdmin, VolunteerAdmin or CityAdmin roles');
           }
         }
@@ -889,7 +889,7 @@ export const requireUserCreationAccess = asyncHandler(async (req: Request, res:
       // CityAdmin can create CityAdmin, SwepAdmin, and OrgAdmin users
       if (userAuthClaims.includes(ROLES.CITY_ADMIN)) {
         // Validate that they're not trying to assign SuperAdmin or VolunteerAdmin role
-        if (newUserClaims.includes(ROLES.SUPER_ADMIN) || newUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+        if (newUserClaims.includes(ROLES.SUPER_ADMIN) || newUserClaims.includes(ROLES.SUPER_ADMIN_PLUS) || newUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
           return sendForbidden(res, 'CityAdmin cannot assign SuperAdmin or VolunteerAdmin roles');
         }
 
@@ -978,7 +978,7 @@ export const requireDeletionUserAccess = asyncHandler(async (req: Request, res:
   }
 
   // 1. SuperAdmin can delete everything
-  if (userAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+  if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
     return next();
   }
 
@@ -994,7 +994,7 @@ export const requireDeletionUserAccess = asyncHandler(async (req: Request, res:
   // 2. CityAdmin can delete specific roles within their city
   if (userAuthClaims.includes(ROLES.CITY_ADMIN)) {
     // Cannot delete SuperAdmin or VolunteerAdmin
-    if (targetUserClaims.includes(ROLES.SUPER_ADMIN) || targetUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+    if (targetUserClaims.includes(ROLES.SUPER_ADMIN) || targetUserClaims.includes(ROLES.SUPER_ADMIN_PLUS) || targetUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
       return sendForbidden(res, 'CityAdmin cannot delete/deactivate/activate SuperAdmin or VolunteerAdmin users');
     }
 
@@ -1105,7 +1105,7 @@ export const requireUserAccess = asyncHandler(async (req: Request, res: Response
   const userId = req.params.id;
 
   // 1. SuperAdmin can do everything
-  if (userAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+  if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
     // For updates, validate role structure
     if (method === HTTP_METHODS.PUT || method === HTTP_METHODS.PATCH) {
       const requestBody = req.body;
@@ -1197,14 +1197,14 @@ export const requireUserAccess = asyncHandler(async (req: Request, res: Response
 
     if (method === HTTP_METHODS.PUT || method === HTTP_METHODS.PATCH) {
       // CityAdmin cannot update SuperAdmin or VolunteerAdmin users
-      if (targetUserClaims.includes(ROLES.SUPER_ADMIN) || targetUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+      if (targetUserClaims.includes(ROLES.SUPER_ADMIN) || targetUserClaims.includes(ROLES.SUPER_ADMIN_PLUS) || targetUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
         return sendForbidden(res, 'CityAdmin cannot update SuperAdmin or VolunteerAdmin users');
       }
 
       // Validate that they're not trying to assign SuperAdmin or VolunteerAdmin role
       const requestBody = req.body;
       if (requestBody.AuthClaims && Array.isArray(requestBody.AuthClaims)) {
-        if (requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN) || requestBody.AuthClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+        if (requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN) || requestBody.AuthClaims.includes(ROLES.SUPER_ADMIN_PLUS) || requestBody.AuthClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
           return sendForbidden(res, 'CityAdmin cannot assign SuperAdmin or VolunteerAdmin roles');
         }
         
@@ -1688,3 +1688,36 @@ export const locationLogosGetAuth = [
   authenticate,
   requireLocationLogoByFiltersAccess
 ];
+
+/**
+ * Helper: handles access rules for SuperAdminPlus.
+ * - SuperAdminPlus: access for organisation removal
+ * Returns true if user has SuperAdminPlus role, otherwise false.
+ */
+const handleSuperAdminPlusAccess = (
+  userAuthClaims: string[]
+): boolean => userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS);
+
+/**
+ * Middleware to require SuperAdminPlus role for organisation deletion
+ */
+export const requireSuperAdminPlusAccess = (req: Request, res: Response, next: NextFunction) => {
+  if (ensureAuthenticated(req, res)) { return; }
+
+  const userAuthClaims = req.user?.AuthClaims || [];
+
+  // Only SuperAdminPlus can delete organisations
+  if (handleSuperAdminPlusAccess(userAuthClaims)) {
+    return next();
+  }
+
+  return sendForbidden(res, 'Only SuperAdminPlus role can perform this action');
+};
+
+/**
+ * Combined middleware for organisation deletion endpoint
+ */
+export const organisationDeleteAuth = [
+  authenticate,
+  requireSuperAdminPlusAccess
+];
diff --git a/src/routes/organisationRoutes.ts b/src/routes/organisationRoutes.ts
@@ -8,9 +8,10 @@ import {
   clearNotes,
   getOrganisationByKey,
   confirmOrganisationInfo,
-  updateAdministrator
+  updateAdministrator,
+  deleteOrganisation
 } from '../controllers/organisationController.js';
-import { organisationsAuth, organisationsByKeyAuth, organisationsByLocationAuth, verifyOrganisationsAuth } from '../middleware/authMiddleware.js';
+import { organisationsAuth, organisationsByKeyAuth, organisationsByLocationAuth, verifyOrganisationsAuth, organisationDeleteAuth } from '../middleware/authMiddleware.js';
 
 const router = Router();
 
@@ -21,6 +22,7 @@ router.put('/:id', organisationsAuth, updateOrganisation);
 router.patch('/:id/toggle-verified', verifyOrganisationsAuth, toggleVerified);
 router.patch('/:id/toggle-published', organisationsAuth, togglePublished);
 router.delete('/:id/notes', organisationsAuth, clearNotes);
+router.delete('/:id', organisationDeleteAuth, deleteOrganisation);
 router.post('/:id/confirm-info', organisationsAuth, confirmOrganisationInfo);
 router.put('/:id/administrator', organisationsAuth, updateAdministrator);
 
