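const Company = require('../models/Company');
const User = require('../models/User');
const { validationResult } = require('express-validator');

// Fields a client must never set or overwrite through the request body:
// the document identity and the audit field stamped at creation time.
const PROTECTED_FIELDS = new Set(['_id', 'createdBy']);

// Build a write payload from a request body.
// Drops protected fields and any key starting with '$', so a JSON body cannot
// smuggle MongoDB update operators into Company.create / findByIdAndUpdate.
// Everything else is passed through for the schema to validate.
const pickUpdatableFields = (body) =>
  Object.fromEntries(
    Object.entries(body ?? {}).filter(
      ([key]) => !PROTECTED_FIELDS.has(key) && !key.startsWith('$')
    )
  );

// Role check shared by every handler below. req.user is expected to be set by
// the auth middleware on these private routes; a missing user still throws and
// lands in next(error) rather than being treated as an ordinary caller.
const isSuperadmin = (req) => req.user.role === 'superadmin';

// The caller's own company id as a string, or null when the account has none.
// String comparison avoids ObjectId-vs-string mismatches and never throws on a
// missing companyId (a bare .toString() on undefined would become a 500).
const ownCompanyId = (req) =>
  req.user.companyId == null ? null : String(req.user.companyId);

// Uniform error response shape shared by all handlers.
const fail = (res, status, message) =>
  res.status(status).json({ success: false, message });

// Sends a 400 with express-validator's errors and returns true when the
// request failed validation; returns false (nothing sent) otherwise.
const sendValidationErrors = (req, res) => {
  const errors = validationResult(req);
  if (errors.isEmpty()) return false;
  res.status(400).json({ success: false, errors: errors.array() });
  return true;
};

// @desc    Get all companies
// @route   GET /api/companies
// @access  Private (superadmin: all companies, companyadmin/employer: only their company)
exports.getCompanies = async (req, res, next) => {
  try {
    let companies;
    if (isSuperadmin(req)) {
      companies = await Company.find();
    } else {
      // Scope the query to the caller's company. An account without a companyId
      // gets an empty list instead of a filter of { _id: undefined }: how that
      // filter is cast depends on the ODM/driver version, so fail closed here.
      const companyId = ownCompanyId(req);
      companies = companyId === null ? [] : await Company.find({ _id: companyId });
    }
    res.status(200).json({ success: true, count: companies.length, data: companies });
  } catch (error) {
    next(error);
  }
};

// @desc    Get single company
// @route   GET /api/companies/:id
// @access  Private (superadmin: any company, companyadmin/employer: only their company)
exports.getCompany = async (req, res, next) => {
  try {
    const company = await Company.findById(req.params.id);
    // NOTE: the 404 is sent before the ownership check, so a non-member can
    // learn whether an id exists. Kept for API compatibility.
    if (!company) return fail(res, 404, 'Company not found');
    // Non-superadmins may only read their own company. An account with no
    // companyId compares against null, matches nothing, and is refused.
    if (!isSuperadmin(req) && String(company._id) !== ownCompanyId(req)) {
      return fail(res, 403, 'Not authorized to access this company');
    }
    res.status(200).json({ success: true, data: company });
  } catch (error) {
    next(error);
  }
};

// @desc    Create company
// @route   POST /api/companies
// @access  Private (superadmin only)
exports.createCompany = async (req, res, next) => {
  try {
    // Authorize before validating so non-superadmins cannot probe the
    // validation rules.
    if (!isSuperadmin(req)) return fail(res, 403, 'Only superadmin can create companies');
    if (sendValidationErrors(req, res)) return;
    // Strip protected fields from the body, then stamp createdBy from the
    // authenticated user so the client can neither set it nor pick the _id.
    const company = await Company.create({
      ...pickUpdatableFields(req.body),
      createdBy: req.user._id,
    });
    res.status(201).json({ success: true, data: company });
  } catch (error) {
    next(error);
  }
};

// @desc    Update company
// @route   PUT /api/companies/:id
// @access  Private (superadmin only)
exports.updateCompany = async (req, res, next) => {
  try {
    // Authorize before validating (same reasoning as createCompany).
    if (!isSuperadmin(req)) return fail(res, 403, 'Only superadmin can update companies');
    if (sendValidationErrors(req, res)) return;
    // Never forward req.body raw: createdBy/_id stay immutable and '$'-keys
    // are dropped so the body cannot act as an update-operator document.
    const updates = pickUpdatableFields(req.body);
    // findByIdAndUpdate resolves to null for an unknown id, so one round trip
    // replaces the original find-then-update pair.
    const company = await Company.findByIdAndUpdate(req.params.id, updates, {
      new: true,
      runValidators: true,
    });
    if (!company) return fail(res, 404, 'Company not found');
    res.status(200).json({ success: true, data: company });
  } catch (error) {
    next(error);
  }
};

// @desc    Delete company
// @route   DELETE /api/companies/:id
// @access  Private (superadmin only)
exports.deleteCompany = async (req, res, next) => {
  try {
    if (!isSuperadmin(req)) return fail(res, 403, 'Only superadmin can delete companies');
    const company = await Company.findById(req.params.id);
    if (!company) return fail(res, 404, 'Company not found');
    // Refuse to orphan users. This check-then-delete is not atomic: a user
    // attached to this company between countDocuments() and deleteOne() would
    // end up referencing a deleted company.
    const usersCount = await User.countDocuments({ companyId: company._id });
    if (usersCount > 0) return fail(res, 400, 'Cannot delete company with associated users');
    await company.deleteOne();
    res.status(200).json({ success: true, data: {} });
  } catch (error) {
    next(error);
  }
};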