
const Company = require('../models/Company');
const User = require('../models/User');
const { validationResult } = require('express-validator');
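// @desc Get all companies
// @route GET /api/companies
// @access Private (superadmin: all companies, companyadmin/employer: only their company)
/**
 * List the companies the caller is allowed to see.
 *
 * A superadmin gets every company. Any other role is scoped to the single
 * company referenced by `req.user.companyId` (presumably attached by the
 * authentication middleware upstream — not visible in this file).
 *
 * @param {object} req - Express request; `req.user.role` and `req.user.companyId` are read.
 * @param {object} res - Express response; replies `{ success, count, data }` with 200.
 * @param {Function} next - Receives any error thrown by the query (DB failure, cast error).
 */
exports.getCompanies = async (req, res, next) => {
  try {
    const { role, companyId } = req.user;
    let companies;
    if (role === 'superadmin') {
      companies = await Company.find();
    } else if (companyId == null) {
      // A non-superadmin with no tenant assigned must not reach the query at all:
      // the filter would otherwise be `{ _id: undefined }`, whose matching
      // semantics are not something an authorization decision should rest on.
      companies = [];
    } else {
      // Scoped read: the filter is built from the authenticated user, never from
      // client-supplied input.
      companies = await Company.find({ _id: companyId });
    }
    res.status(200).json({
      success: true,
      count: companies.length,
      data: companies
    });
  } catch (error) {
    next(error);
  }
};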
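// @desc Get single company
// @route GET /api/companies/:id
// @access Private (superadmin: any company, companyadmin/employer: only their company)
/**
 * Fetch one company by id, enforcing tenant isolation for non-superadmins.
 *
 * Responses: 404 when no company has that id, 403 when the caller is not a
 * superadmin and the company is not the one on `req.user.companyId`, 200 with
 * `{ success, data }` otherwise. Note that the 404/403 split tells a
 * non-superadmin whether a foreign id exists; collapsing both to 404 would
 * close that oracle but changes the API contract, so it is left as-is here.
 *
 * @param {object} req - Express request; reads `req.params.id`, `req.user.role`, `req.user.companyId`.
 * @param {object} res - Express response.
 * @param {Function} next - Receives query errors (including a CastError for a malformed id).
 */
exports.getCompany = async (req, res, next) => {
  try {
    const company = await Company.findById(req.params.id);
    if (!company) {
      return res.status(404).json({
        success: false,
        message: 'Company not found'
      });
    }
    // Tenant check. `companyId` may be absent on a user record; treat that as
    // "no access" instead of letting `.toString()` throw and surface as a 500.
    const ownCompanyId = req.user.companyId == null ? null : req.user.companyId.toString();
    const isOwnCompany = ownCompanyId !== null && company._id.toString() === ownCompanyId;
    if (req.user.role !== 'superadmin' && !isOwnCompany) {
      return res.status(403).json({
        success: false,
        message: 'Not authorized to access this company'
      });
    }
    res.status(200).json({
      success: true,
      data: company
    });
  } catch (error) {
    next(error);
  }
};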
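// @desc Create company
// @route POST /api/companies
// @access Private (superadmin only)
/**
 * Create a company from the request body.
 *
 * Authorization is checked before validation so that a non-superadmin never
 * learns anything about the body's validation rules. Client-controlled
 * identity fields (`_id`, `createdBy`) are dropped from the body; `createdBy`
 * is always the authenticated caller. Which other fields survive is up to the
 * route's validators and the Company schema, neither of which is visible here.
 *
 * @param {object} req - Express request; reads `req.body`, `req.user.role`, `req.user._id`.
 * @param {object} res - Express response; 403, 400 (`{ success, errors }`), or 201 with `{ success, data }`.
 * @param {Function} next - Receives errors thrown by `Company.create` (e.g. schema validation).
 */
exports.createCompany = async (req, res, next) => {
  try {
    // Only superadmin can create companies
    if (req.user.role !== 'superadmin') {
      return res.status(403).json({
        success: false,
        message: 'Only superadmin can create companies'
      });
    }
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({
        success: false,
        errors: errors.array()
      });
    }
    // Never let the client pick the document id or forge the creator.
    const PROTECTED_FIELDS = new Set(['_id', 'createdBy']);
    const fields = Object.fromEntries(
      Object.entries(req.body ?? {}).filter(([key]) => !PROTECTED_FIELDS.has(key))
    );
    const company = await Company.create({
      ...fields,
      createdBy: req.user._id
    });
    res.status(201).json({
      success: true,
      data: company
    });
  } catch (error) {
    next(error);
  }
};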
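// @desc Update company
// @route PUT /api/companies/:id
// @access Private (superadmin only)
/**
 * Update a company's fields from the request body.
 *
 * The body is applied as a plain `$set` of field values after dropping
 * protected keys (`_id`, `createdBy`) and any `$`-prefixed key, so a client
 * cannot smuggle update operators (`$unset`, `$rename`, ...) into the
 * document. Mongoose already wraps top-level plain fields in `$set`, so for
 * ordinary bodies this is the same write as before. The separate existence
 * lookup is folded into the update: a `null` result means no such company.
 *
 * @param {object} req - Express request; reads `req.params.id`, `req.body`, `req.user.role`.
 * @param {object} res - Express response; 403, 400 (`{ success, errors }`), 404, or 200 with `{ success, data }`.
 * @param {Function} next - Receives query errors (CastError on a malformed id, validator failures).
 */
exports.updateCompany = async (req, res, next) => {
  try {
    // Authorization first, so unauthorized callers learn nothing about validation.
    if (req.user.role !== 'superadmin') {
      return res.status(403).json({
        success: false,
        message: 'Only superadmin can update companies'
      });
    }
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({
        success: false,
        errors: errors.array()
      });
    }
    const PROTECTED_FIELDS = new Set(['_id', 'createdBy']);
    const fields = Object.fromEntries(
      Object.entries(req.body ?? {}).filter(
        ([key]) => !PROTECTED_FIELDS.has(key) && !key.startsWith('$')
      )
    );
    // `new: true` returns the updated document; `runValidators` applies schema
    // validators to the `$set` paths. Returns null when the id matches nothing.
    const company = await Company.findByIdAndUpdate(
      req.params.id,
      { $set: fields },
      { new: true, runValidators: true }
    );
    if (!company) {
      return res.status(404).json({
        success: false,
        message: 'Company not found'
      });
    }
    res.status(200).json({
      success: true,
      data: company
    });
  } catch (error) {
    next(error);
  }
};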
// @desc Delete company
// @route DELETE /api/companies/:id
// @access Private (superadmin only)
/**
 * Delete a company, refusing while any user still references it.
 *
 * Responses: 403 for non-superadmins, 404 when the id matches nothing,
 * 400 when `User` documents with this `companyId` still exist, otherwise
 * 200 with an empty `data` object. The user count and the delete are two
 * separate round trips, so a user created in between is not detected.
 *
 * @param {object} req - Express request; reads `req.params.id` and `req.user.role`.
 * @param {object} res - Express response.
 * @param {Function} next - Receives query errors (e.g. CastError on a malformed id).
 */
exports.deleteCompany = async (req, res, next) => {
  const reject = (status, message) =>
    res.status(status).json({ success: false, message });
  try {
    if (req.user.role !== 'superadmin') {
      return reject(403, 'Only superadmin can delete companies');
    }
    const target = await Company.findById(req.params.id);
    if (!target) {
      return reject(404, 'Company not found');
    }
    // Referential guard: users point at companies by `companyId`, so an
    // orphaned tenant would leave those users dangling.
    const linkedUsers = await User.countDocuments({ companyId: target._id });
    if (linkedUsers > 0) {
      return reject(400, 'Cannot delete company with associated users');
    }
    await target.deleteOne();
    res.status(200).json({ success: true, data: {} });
  } catch (error) {
    next(error);
  }
};