fix: refs #6085 ACL canEditAlias checked, migrated to remote hooks
This commit is contained in:
parent
6488ea2f6c
commit
194262a93e
|
@ -1,23 +1,6 @@
|
||||||
const models = require('vn-loopback/server/server').models;
|
const models = require('vn-loopback/server/server').models;
|
||||||
|
|
||||||
describe('loopback model MailAliasAccount', () => {
|
describe('loopback model MailAliasAccount', () => {
|
||||||
it('should fail to add a mail Alias if the worker doesnt have ACLs', async() => {
|
|
||||||
const tx = await models.MailAliasAccount.beginTransaction({});
|
|
||||||
let error;
|
|
||||||
|
|
||||||
try {
|
|
||||||
const options = {transaction: tx, accessToken: {userId: 57}};
|
|
||||||
await models.MailAliasAccount.create({mailAlias: 2, account: 5}, options);
|
|
||||||
|
|
||||||
await tx.rollback();
|
|
||||||
} catch (e) {
|
|
||||||
await tx.rollback();
|
|
||||||
error = e;
|
|
||||||
}
|
|
||||||
|
|
||||||
expect(error.message).toEqual('The alias cant be modified');
|
|
||||||
});
|
|
||||||
|
|
||||||
it('should add a mail Alias', async() => {
|
it('should add a mail Alias', async() => {
|
||||||
const tx = await models.MailAliasAccount.beginTransaction({});
|
const tx = await models.MailAliasAccount.beginTransaction({});
|
||||||
let error;
|
let error;
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
DELETE FROM salix.ACL
|
||||||
|
WHERE model = 'MailAliasAccount'
|
||||||
|
AND property = 'canEditAlias'
|
||||||
|
AND principalType = 'ROLE'
|
||||||
|
AND principalId = 'marketingBoss';
|
|
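Review bot: This migration drops the `canEditAlias` grant for `marketingBoss` in the same commit that starts enforcing that ACL in `checkModifyPermission`, so if such a row exists today that role loses the blanket right and is presumably governed only by the per-alias `MailAliasAcl` rows from now on. The migration itself does not say whether that narrowing is intended; a header comment such as `-- canEditAlias is now enforced in the MailAliasAccount remote hooks; marketingBoss is governed by MailAliasAcl instead` would save the next reader from guessing. If the narrowing is not intended, the row should be kept, since the new check honours it via `ACL.checkAccessAcl`.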
@ -234,13 +234,13 @@ async function dockerStart() {
|
||||||
const container = new Docker('salix-db');
|
const container = new Docker('salix-db');
|
||||||
await container.start();
|
await container.start();
|
||||||
}
|
}
|
||||||
dockerStart.description = `Starts the salix-db container`;
|
dockerStart.description = `Starts the DB container`;
|
||||||
|
|
||||||
async function docker() {
|
async function docker() {
|
||||||
const container = new Docker('salix-db');
|
const container = new Docker('salix-db');
|
||||||
await container.run();
|
await container.run();
|
||||||
}
|
}
|
||||||
docker.description = `Runs the salix-db container`;
|
docker.description = `Builds and starts the DB container`;
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
default: defaultTask,
|
default: defaultTask,
|
||||||
|
|
|
@ -203,5 +203,7 @@
|
||||||
"Cannot past travels with entries": "Cannot past travels with entries",
|
"Cannot past travels with entries": "Cannot past travels with entries",
|
||||||
"It was not able to remove the next expeditions:": "It was not able to remove the next expeditions: {{expeditions}}",
|
"It was not able to remove the next expeditions:": "It was not able to remove the next expeditions: {{expeditions}}",
|
||||||
"Incorrect pin": "Incorrect pin.",
|
"Incorrect pin": "Incorrect pin.",
|
||||||
"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified"
|
"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified",
|
||||||
|
"You are not allowed to modify the alias": "You are not allowed to modify the alias",
|
||||||
|
"You already have the mailAlias": "You already have the mailAlias"
|
||||||
}
|
}
|
|
@ -335,6 +335,6 @@
|
||||||
"This user does not have an assigned tablet": "Este usuario no tiene tablet asignada",
|
"This user does not have an assigned tablet": "Este usuario no tiene tablet asignada",
|
||||||
"Incorrect pin": "Pin incorrecto.",
|
"Incorrect pin": "Pin incorrecto.",
|
||||||
"You already have the mailAlias": "Ya tienes este alias de correo",
|
"You already have the mailAlias": "Ya tienes este alias de correo",
|
||||||
"The alias cant be modified": "Este alias de correo no puede ser modificado",
|
"You are not allowed to modify the alias": "No estás autorizado a modificar el alias",
|
||||||
"No tickets to invoice": "No hay tickets para facturar"
|
"No tickets to invoice": "No hay tickets para facturar"
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
const UserError = require('vn-loopback/util/user-error');
|
const ForbiddenError = require('vn-loopback/util/forbiddenError');
|
||||||
|
|
||||||
module.exports = Self => {
|
module.exports = Self => {
|
||||||
Self.rewriteDbError(function(err) {
|
Self.rewriteDbError(function(err) {
|
||||||
|
@ -8,38 +8,38 @@ module.exports = Self => {
|
||||||
return err;
|
return err;
|
||||||
});
|
});
|
||||||
|
|
||||||
Self.observe('before save', async ctx => {
|
Self.beforeRemote('create', async function(ctx) {
|
||||||
const changes = ctx.currentInstance || ctx.instance;
|
const mailAlias = ctx.args.data?.mailAlias;
|
||||||
|
if (!mailAlias) return;
|
||||||
await checkModifyPermission(ctx, changes.mailAlias);
|
await checkModifyPermission(ctx, mailAlias);
|
||||||
});
|
});
|
||||||
|
Self.beforeRemote('deleteById', async function(ctx) {
|
||||||
Self.observe('before delete', async ctx => {
|
const instance = await Self.findById(ctx.args.id,
|
||||||
const mailAliasAccount = await Self.findById(ctx.where.id);
|
{fields: ['mailAlias']}
|
||||||
|
);
|
||||||
await checkModifyPermission(ctx, mailAliasAccount.mailAlias);
|
await checkModifyPermission(ctx, instance.mailAlias);
|
||||||
});
|
});
|
||||||
|
|
||||||
async function checkModifyPermission(ctx, mailAliasFk) {
|
async function checkModifyPermission(ctx, mailAliasFk) {
|
||||||
const userId = ctx.options.accessToken.userId;
|
|
||||||
const models = Self.app.models;
|
const models = Self.app.models;
|
||||||
|
const userId = ctx.req.accessToken.userId;
|
||||||
|
|
||||||
const roles = await models.RoleMapping.find({
|
const canEditAlias = await models.ACL.checkAccessAcl(ctx,
|
||||||
fields: ['roleId'],
|
'MailAliasAccount', 'canEditAlias', 'WRITE');
|
||||||
where: {principalId: userId}
|
if (canEditAlias) return;
|
||||||
|
|
||||||
|
const allowedRoles = await models.MailAliasAcl.find({
|
||||||
|
fields: ['roleFk'],
|
||||||
|
where: {mailAliasFk}
|
||||||
|
});
|
||||||
|
const nRoles = allowedRoles.length &&
|
||||||
|
await models.RoleMapping.count({
|
||||||
|
principalId: userId,
|
||||||
|
principalType: 'USER',
|
||||||
|
roleId: {inq: allowedRoles.map(x => x.roleFk)}
|
||||||
});
|
});
|
||||||
|
|
||||||
const availableMailAlias = await models.MailAliasAcl.findOne({
|
if (!nRoles)
|
||||||
fields: ['mailAliasFk'],
|
throw new ForbiddenError('You are not allowed to modify the alias');
|
||||||
include: {relation: 'mailAlias'},
|
|
||||||
where: {
|
|
||||||
roleFk: {
|
|
||||||
inq: roles.map(role => role.roleId),
|
|
||||||
},
|
|
||||||
mailAliasFk
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
if (!availableMailAlias) throw new UserError('The alias cant be modified');
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
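Review bot: The `deleteById` hook reads `instance.mailAlias` without checking that `findById` returned a row, so deleting an unknown id now fails with a TypeError inside the hook instead of the not-found response the remote method would otherwise produce; add `if (!instance) return;` after the lookup. In the `create` hook, `if (!mailAlias) return;` skips the permission check whenever the body omits `mailAlias`, which makes the guard fail open rather than closed — either let `checkModifyPermission` run regardless or reject the request explicitly. More broadly, the removed `before save`/`before delete` observers covered every persistence path, while the new hooks cover only `create` and `deleteById`; unless the model's ACL config (not in this diff) disables the other PersistedModel write endpoints (`patchAttributes`, `upsert`, `replaceById`, `updateAll`, `destroyAll`), those now bypass the check. The spec that asserted the denial path was deleted in this commit rather than rewritten against the remote hooks, so the new `ForbiddenError` branch has no test.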