fix: refs #6085 ACL canEditAlias checked, migrated to remote hooks

2024-01-29 13:48:02 +01:00 · 2024-01-29 13:48:02 +01:00 · 194262a93e
parent 6488ea2f6c
commit 194262a93e
6 changed files with 38 additions and 48 deletions
--- a/back/models/specs/mailAliasAccount.spec.js
+++ b/back/models/specs/mailAliasAccount.spec.js
@ -1,23 +1,6 @@
 const models = require('vn-loopback/server/server').models;
 describe('loopback model MailAliasAccount', () => {
    it('should fail to add a mail Alias if the worker doesnt have ACLs', async() => {
        const tx = await models.MailAliasAccount.beginTransaction({});
        let error;
        try {
            const options = {transaction: tx, accessToken: {userId: 57}};
            await models.MailAliasAccount.create({mailAlias: 2, account: 5}, options);
            await tx.rollback();
        } catch (e) {
            await tx.rollback();
            error = e;
        }
        expect(error.message).toEqual('The alias cant be modified');
    });
    it('should add a mail Alias', async() => {
        const tx = await models.MailAliasAccount.beginTransaction({});
        let error;
--- a/db/changes/240404/00-revokeMailAliasAccount.sql
+++ b/db/changes/240404/00-revokeMailAliasAccount.sql
@ -0,0 +1,5 @@
 DELETE FROM salix.ACL
 	WHERE model = 'MailAliasAccount'
 		AND property = 'canEditAlias'
 		AND principalType = 'ROLE'
 		AND principalId = 'marketingBoss';
--- a/gulpfile.js
+++ b/gulpfile.js
@ -234,13 +234,13 @@ async function dockerStart() {
    const container = new Docker('salix-db');
    await container.start();
 }
-dockerStart.description = `Starts the salix-db container`;
+dockerStart.description = `Starts the DB container`;
 async function docker() {
    const container = new Docker('salix-db');
    await container.run();
 }
-docker.description = `Runs the salix-db container`;
+docker.description = `Builds and starts the DB container`;
 module.exports = {
    default: defaultTask,
--- a/loopback/locale/en.json
+++ b/loopback/locale/en.json
@ -203,5 +203,7 @@
 	"Cannot past travels with entries": "Cannot past travels with entries",
 	"It was not able to remove the next expeditions:": "It was not able to remove the next expeditions: {{expeditions}}",
 	"Incorrect pin": "Incorrect pin.",
-	"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified"
+	"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified",
-}
+	"You are not allowed to modify the alias": "You are not allowed to modify the alias",
 	"You already have the mailAlias": "You already have the mailAlias"
 }
--- a/loopback/locale/es.json
+++ b/loopback/locale/es.json
@ -335,6 +335,6 @@
 	"This user does not have an assigned tablet": "Este usuario no tiene tablet asignada",
 	"Incorrect pin": "Pin incorrecto.",
 	"You already have the mailAlias": "Ya tienes este alias de correo",
-	"The alias cant be modified": "Este alias de correo no puede ser modificado",
+	"You are not allowed to modify the alias": "No estás autorizado a modificar el alias",
 	"No tickets to invoice": "No hay tickets para facturar"
 }
--- a/modules/account/back/models/mail-alias-account.js
+++ b/modules/account/back/models/mail-alias-account.js
@ -1,5 +1,5 @@
-const UserError = require('vn-loopback/util/user-error');
+const ForbiddenError = require('vn-loopback/util/forbiddenError');
 module.exports = Self => {
    Self.rewriteDbError(function(err) {
@ -8,38 +8,38 @@ module.exports = Self => {
        return err;
    });
-    Self.observe('before save', async ctx => {
+    Self.beforeRemote('create', async function(ctx) {
-        const changes = ctx.currentInstance || ctx.instance;
+        const mailAlias = ctx.args.data?.mailAlias;
-
+        if (!mailAlias) return;
-        await checkModifyPermission(ctx, changes.mailAlias);
+        await checkModifyPermission(ctx, mailAlias);
    });
-
+    Self.beforeRemote('deleteById', async function(ctx) {
-    Self.observe('before delete', async ctx => {
+        const instance = await Self.findById(ctx.args.id,
-        const mailAliasAccount = await Self.findById(ctx.where.id);
+            {fields: ['mailAlias']}
-
+        );
-        await checkModifyPermission(ctx, mailAliasAccount.mailAlias);
+        await checkModifyPermission(ctx, instance.mailAlias);
    });
    async function checkModifyPermission(ctx, mailAliasFk) {
        const userId = ctx.options.accessToken.userId;
        const models = Self.app.models;
        const userId = ctx.req.accessToken.userId;
-        const roles = await models.RoleMapping.find({
+        const canEditAlias = await models.ACL.checkAccessAcl(ctx,
-            fields: ['roleId'],
+            'MailAliasAccount', 'canEditAlias', 'WRITE');
-            where: {principalId: userId}
+        if (canEditAlias) return;
        const allowedRoles = await models.MailAliasAcl.find({
            fields: ['roleFk'],
            where: {mailAliasFk}
        });
        const nRoles = allowedRoles.length &&
            await models.RoleMapping.count({
                principalId: userId,
                principalType: 'USER',
                roleId: {inq: allowedRoles.map(x => x.roleFk)}
            });
-        const availableMailAlias = await models.MailAliasAcl.findOne({
+        if (!nRoles)
-            fields: ['mailAliasFk'],
+            throw new ForbiddenError('You are not allowed to modify the alias');
            include: {relation: 'mailAlias'},
            where: {
                roleFk: {
                    inq: roles.map(role => role.roleId),
                },
                mailAliasFk
            }
        });
        if (!availableMailAlias) throw new UserError('The alias cant be modified');
    }
 };