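The simplest option is probably to change your access list templates to regular expressions. That way, you can also express constraints on the type of data accepted by the parameters. Anchor every pattern with `^` and `$` so that it has to match the whole URL rather than just a fragment of it.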
/**
 * Role-based URL allow-list.
 *
 * Each role name maps to the regular expressions a request URL must match for
 * that role to be let through. Every pattern is anchored with `^` and `$`, so
 * it has to match the whole string, and `(\d+)` segments accept digits only.
 * The patterns carry no flags, so matching is case-sensitive.
 */
class Auth {
  /**
   * Builds the allow-list; a fresh object is created on every access.
   *
   * @returns {Object<string, RegExp[]>} role name -> allowed URL patterns
   */
  static get accessList() {
    // NOTE(review): "Admin" and "HOD" disagree on several routes (with vs.
    // without numeric segments on getbudgetbywing, getbudget and
    // getpurchaserequisitionheader) - confirm which form each role needs.
    const adminPatterns = [
      /^\/api\/masters\/wing\/manageWing$/,
      /^\/api\/masters\/departments\/managedepartment$/,
      /^\/api\/masters\/supplier\/managesupplier$/,
      /^\/api\/masters\/expensehead\/manageexpensehead$/,
      /^\/api\/masters\/subHead\/manageSubHead$/,
      /^\/api\/user\/save-member$/,
      /^\/api\/user\/changepassword$/,
      /^\/api\/masters\/budget\/getbudgetlist$/,
      /^\/api\/masters\/budget\/getbudgetbywing$/,
      /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
      /^\/api\/masters\/budget\/getbudgetbyduration$/,
      /^\/api\/masters\/budget\/getbudget$/,
      /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
      /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader\/(\d+)$/,
      /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
      /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
    ];

    const dataEntryOperatorPatterns = [
      /^\/api\/admin\/upload-data$/,
      /^\/api\/admin\/upload-income-data$/,
      /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
    ];

    // The managedepartment pattern is listed three times here; the repeats
    // are redundant but harmless.
    const hodPatterns = [
      /^\/api\/masters\/wing\/manageWing$/,
      /^\/api\/masters\/departments\/managedepartment$/,
      /^\/api\/masters\/supplier\/managesupplier$/,
      /^\/api\/masters\/expensehead\/manageexpensehead$/,
      /^\/api\/masters\/subHead\/manageSubHead$/,
      /^\/api\/user\/save-member$/,
      /^\/api\/user\/changepassword$/,
      /^\/api\/masters\/departments\/managedepartment$/,
      /^\/api\/masters\/budget\/getbudgetlist$/,
      /^\/api\/masters\/budget\/getbudgetbywing\/(\d+)\/(\d+)$/,
      /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
      /^\/api\/masters\/budget\/getbudgetbyduration$/,
      /^\/api\/masters\/budget\/getbudget\/(\d+)$/,
      /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
      /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader$/,
      /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
      /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
      /^\/api\/masters\/departments\/getdepartmentlist$/,
      /^\/api\/masters\/departments\/getdepartment\/(\d+)$/,
      /^\/api\/masters\/departments\/managedepartment$/,
      /^\/api\/masters\/wing\/getWingList$/,
      /^\/api\/masters\/wing\/getWing\/(\d+)$/,
    ];

    return {
      Admin: adminPatterns,
      "Data Entry Operator": dataEntryOperatorPatterns,
      HOD: hodPatterns,
    };
  }
}
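// Authorization gate: every role except "Super Admin" must request a URL that
// is on its allow-list. Only the first entry of data.userroles is consulted.
// Strict comparison keeps a non-string role value from being coerced into
// equality with "Super Admin".
if (data.userroles[0].role !== "Super Admin") {
  // The allow-list lives on the Auth class.
  const allowedPatterns = Auth.accessList[data.userroles[0].role];

  // req.originalUrl still includes the query string, so the `$`-anchored
  // patterns reject any request that carries one.
  // Default-deny: a role with no list, or a lookup that does not yield an
  // array, is rejected with the same error as an unlisted URL.
  const isAllowed =
    Array.isArray(allowedPatterns) &&
    allowedPatterns.some(pattern => pattern.test(req.originalUrl));

  if (!isAllowed) {
    throw new Error("You have no access to update data.");
  }
}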