feat(api): enhance SchoolsService query to handle permissions and scopes

Author: akdasa

modules/services/api/src/edu/services/schools.service.ts

@@ -9,15 +9,30 @@ import { Scope, ScopedEntitiesService } from './entities.service';
 export class SchoolsService extends ScopedEntitiesService<School, Scope> {
   constructor(@InjectRepository(School) repository: Repository<School>) {
     super(repository, (query, scope) => {
-      const orgIds = scope.permissions.getOrganizations(['orgs:read']);
-      const schoolIds = scope.permissions.getSchools(['schools:read']);
-      return {
-        where: {
-          ...query?.where,
-          id: schoolIds.length > 0 ? In(schoolIds) : undefined,
-          organizationId: In(orgIds),
-        },
-      };
+      // HACK: For some reason FindOptionsWhere<Organization> doesn't
+      //       work here, so we have to cast it to any. It doesn't contain
+      //       any fields like id, name, etc. But it should.
+      const where = query?.where as any;
+
+      // TODO Have't tested yet
+
+      // Get all scopes that have the required permission
+      // and match the organization and school ids in the query
+      // if they are provided
+      const scopes = scope.permissions
+        .getScopes(['schools:read'])
+        .filter((s) => !where?.id || s.schoolId === where?.id);
+
+      // Return the query with the scopes applied or an empty query
+      // if no scopes were found for the user permissions
+      return scopes.length > 0
+        ? {
+            where: scopes.map((s) => ({
+              ...query?.where,
+              id: s.schoolId,
+            })),
+          }
+        : { where: { id: In([]) } };
     });
   }
 }