routing-context-controller.js

// routes/orders.js

import { Router } from "FRAMEWORK";
import { orders, OrderScheme } from "../controllers";
import { access } from "../lib/rbac";
import { validate } from '../lib/validators';

export const router = new Router("/orders");

router.post("/", access("user"), validate(OrderScheme), orders.create);
router.get("/", access("*"), orders.list);
router.get("/:orderId", access("*"), orders.fetchOrder, orders.getOne);
router.put("/:orderId", access("user"), validate(OrderScheme), orders.fetchOrder, orders.updateOne);
router.delete("/:orderId", access("admin"), orders.fetchOrder, orders.deleteOne);

// controllers/orders.js

import { OrderContext } from '../context/order'

export async function create(ctx) {
  const { body } = ctx.request
  const { user, order } = ctx.session

  await OrderContext.create(order, user, body)

  ctx.body = sendOk()
}

// context/order.js

import { OperatorAction } from './action'

class OrderContext {
  static async create(order, user, params) {
    if (canAssignOrder(order, user)) {
      await order.assignUser(user)
      const [action, isNew] = OperatorAction.create(params)

      if (isNew || canTake(user, action)) {
        await action.setOrder(order)
        await user.addOperatorAction(action)
      } else {
        // TODO: what to do here?
      }
    }
  }
}

function canAssignOrder(order, user) {
  return isAdmin(user) || order.OperatorUsername === null
}

function isAdmin(user) {
  return user.role === 'admin'
}

function canTake(user, action) {
  return !user.hasOperatorAction(action)
}