fix: refs #6085 ACL canEditAlias checked, migrated to remote hooks
This commit is contained in:
parent
6488ea2f6c
commit
194262a93e
|
@ -1,23 +1,6 @@
|
|||
const models = require('vn-loopback/server/server').models;
|
||||
|
||||
describe('loopback model MailAliasAccount', () => {
|
||||
it('should fail to add a mail Alias if the worker doesnt have ACLs', async() => {
|
||||
const tx = await models.MailAliasAccount.beginTransaction({});
|
||||
let error;
|
||||
|
||||
try {
|
||||
const options = {transaction: tx, accessToken: {userId: 57}};
|
||||
await models.MailAliasAccount.create({mailAlias: 2, account: 5}, options);
|
||||
|
||||
await tx.rollback();
|
||||
} catch (e) {
|
||||
await tx.rollback();
|
||||
error = e;
|
||||
}
|
||||
|
||||
expect(error.message).toEqual('The alias cant be modified');
|
||||
});
|
||||
|
||||
it('should add a mail Alias', async() => {
|
||||
const tx = await models.MailAliasAccount.beginTransaction({});
|
||||
let error;
|
||||
|
|
|
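Review bot: The case "should fail to add a mail Alias if the worker doesnt have ACLs" appears to be dropped here (inferred from the `-1,23 +1,6` header, since the +/- markers are not rendered) and nothing in this section adds a test for the new denial path, so the `ForbiddenError('You are not allowed to modify the alias')` branch of checkModifyPermission is untested unless covered in a file not shown. Because the check now runs in a `beforeRemote` hook rather than a `before save` observer, a replacement test cannot reuse this shape — `models.MailAliasAccount.create(..., {accessToken: {userId: 57}})` no longer triggers it — and must drive the remote with a `ctx.req.accessToken` instead. The `describe` block continues past the end of this hunk.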
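--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,5 @@
+DELETE FROM salix.ACL
+WHERE model = 'MailAliasAccount'
+AND property = 'canEditAlias'
+AND principalType = 'ROLE'
+AND principalId = 'marketingBoss';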
@ -234,13 +234,13 @@ async function dockerStart() {
|
|||
const container = new Docker('salix-db');
|
||||
await container.start();
|
||||
}
|
||||
dockerStart.description = `Starts the salix-db container`;
|
||||
dockerStart.description = `Starts the DB container`;
|
||||
|
||||
async function docker() {
|
||||
const container = new Docker('salix-db');
|
||||
await container.run();
|
||||
}
|
||||
docker.description = `Runs the salix-db container`;
|
||||
docker.description = `Builds and starts the DB container`;
|
||||
|
||||
module.exports = {
|
||||
default: defaultTask,
|
||||
|
|
|
@ -203,5 +203,7 @@
|
|||
"Cannot past travels with entries": "Cannot past travels with entries",
|
||||
"It was not able to remove the next expeditions:": "It was not able to remove the next expeditions: {{expeditions}}",
|
||||
"Incorrect pin": "Incorrect pin.",
|
||||
"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified"
|
||||
}
|
||||
"The notification subscription of this worker cant be modified": "The notification subscription of this worker cant be modified",
|
||||
"You are not allowed to modify the alias": "You are not allowed to modify the alias",
|
||||
"You already have the mailAlias": "You already have the mailAlias"
|
||||
}
|
||||
|
|
|
@ -335,6 +335,6 @@
|
|||
"This user does not have an assigned tablet": "Este usuario no tiene tablet asignada",
|
||||
"Incorrect pin": "Pin incorrecto.",
|
||||
"You already have the mailAlias": "Ya tienes este alias de correo",
|
||||
"The alias cant be modified": "Este alias de correo no puede ser modificado",
|
||||
"You are not allowed to modify the alias": "No estás autorizado a modificar el alias",
|
||||
"No tickets to invoice": "No hay tickets para facturar"
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
const UserError = require('vn-loopback/util/user-error');
|
||||
const ForbiddenError = require('vn-loopback/util/forbiddenError');
|
||||
|
||||
module.exports = Self => {
|
||||
Self.rewriteDbError(function(err) {
|
||||
|
@ -8,38 +8,38 @@ module.exports = Self => {
|
|||
return err;
|
||||
});
|
||||
|
||||
Self.observe('before save', async ctx => {
|
||||
const changes = ctx.currentInstance || ctx.instance;
|
||||
|
||||
await checkModifyPermission(ctx, changes.mailAlias);
|
||||
Self.beforeRemote('create', async function(ctx) {
|
||||
const mailAlias = ctx.args.data?.mailAlias;
|
||||
if (!mailAlias) return;
|
||||
await checkModifyPermission(ctx, mailAlias);
|
||||
});
|
||||
|
||||
Self.observe('before delete', async ctx => {
|
||||
const mailAliasAccount = await Self.findById(ctx.where.id);
|
||||
|
||||
await checkModifyPermission(ctx, mailAliasAccount.mailAlias);
|
||||
Self.beforeRemote('deleteById', async function(ctx) {
|
||||
const instance = await Self.findById(ctx.args.id,
|
||||
{fields: ['mailAlias']}
|
||||
);
|
||||
await checkModifyPermission(ctx, instance.mailAlias);
|
||||
});
|
||||
|
||||
async function checkModifyPermission(ctx, mailAliasFk) {
|
||||
const userId = ctx.options.accessToken.userId;
|
||||
const models = Self.app.models;
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
|
||||
const roles = await models.RoleMapping.find({
|
||||
fields: ['roleId'],
|
||||
where: {principalId: userId}
|
||||
const canEditAlias = await models.ACL.checkAccessAcl(ctx,
|
||||
'MailAliasAccount', 'canEditAlias', 'WRITE');
|
||||
if (canEditAlias) return;
|
||||
|
||||
const allowedRoles = await models.MailAliasAcl.find({
|
||||
fields: ['roleFk'],
|
||||
where: {mailAliasFk}
|
||||
});
|
||||
const nRoles = allowedRoles.length &&
|
||||
await models.RoleMapping.count({
|
||||
principalId: userId,
|
||||
principalType: 'USER',
|
||||
roleId: {inq: allowedRoles.map(x => x.roleFk)}
|
||||
});
|
||||
|
||||
const availableMailAlias = await models.MailAliasAcl.findOne({
|
||||
fields: ['mailAliasFk'],
|
||||
include: {relation: 'mailAlias'},
|
||||
where: {
|
||||
roleFk: {
|
||||
inq: roles.map(role => role.roleId),
|
||||
},
|
||||
mailAliasFk
|
||||
}
|
||||
});
|
||||
|
||||
if (!availableMailAlias) throw new UserError('The alias cant be modified');
|
||||
if (!nRoles)
|
||||
throw new ForbiddenError('You are not allowed to modify the alias');
|
||||
}
|
||||
};
|
||||
|
|
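Review bot: Moving the permission check from the `before save`/`before delete` observers into `beforeRemote('create')` and `beforeRemote('deleteById')` leaves every other write path unguarded: internal `create`/`destroy` calls no longer reach it, and any other remote that writes this model (`upsert`, `patchAttributes`, `replaceById`, `updateAll`) is uncovered unless those methods are disabled in the model definition, which this commit does not show. The early `if (!mailAlias) return;` in the create hook also skips the check whenever `ctx.args.data` is not a single object — LoopBack's `create` remote accepts an array body by default — so a bulk create would bypass the ACL; the hook should validate each element, as below. In the `deleteById` hook `instance` is null for an unknown id, so `instance.mailAlias` throws a TypeError (a 500 instead of a 404); add `if (!instance) return;` before the call. checkModifyPermission lies entirely within this hunk, but the `module.exports` callback enclosing the hooks opens in the preceding hunk.
```javascript
    Self.beforeRemote('create', async function(ctx) {
        const data = ctx.args.data;
        // create accepts a single object or an array; check every element
        const items = Array.isArray(data) ? data : [data];
        for (const item of items) {
            const mailAlias = item?.mailAlias;
            if (!mailAlias) continue;
            await checkModifyPermission(ctx, mailAlias);
        }
    });
    // … unchanged: deleteById hook and checkModifyPermission …
```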