From 1b504febb8343226e54d8bc535aca7b767599aa6 Mon Sep 17 00:00:00 2001 From: Gerard Date: Fri, 19 Oct 2018 14:50:15 +0200 Subject: [PATCH] fixed ACLS --- client/client/src/basic-data/index.html | 5 ++-- .../client/specs/updateBasicData.spec.js | 25 +++++++++++++++---- .../common/methods/client/updateBasicData.js | 13 +++++++--- .../methods/client/updateBillingData.js | 2 +- 4 files changed, 33 insertions(+), 12 deletions(-) diff --git a/client/client/src/basic-data/index.html b/client/client/src/basic-data/index.html index b4547ba6e..beb4bc745 100644 --- a/client/client/src/basic-data/index.html +++ b/client/client/src/basic-data/index.html @@ -1,4 +1,4 @@ - + + vn-acl="salesAssistant, employee" + acl-conditional-to-employee="{{!$ctrl.client.isTaxDataChecked}}"> {{firstName}} {{name}} { afterAll(async() => { let id = 101; + let ctx = {req: {accessToken: {userId: 1}}}; let validparams = {email: 'BruceWayne@verdnatura.es'}; - await app.models.Client.updateBasicData(validparams, id); + await app.models.Client.updateBasicData(ctx, validparams, id); }); it('should return an error if the params aint valid', async() => { let error; - + let ctx = {req: {accessToken: {userId: 1}}}; let id = 101; let invalidparams = {invalid: 'param for update'}; - await app.models.Client.updateBasicData(invalidparams, id) + await app.models.Client.updateBasicData(ctx, invalidparams, id) + .catch(e => { + error = e; + }); + + expect(error.toString()).toContain(`You don't have enough privileges to do that`); + }); + + it('should return an error if the client has isTaxDataChecked and employee try to change his salesPerson', async() => { + let error; + let ctx = {req: {accessToken: {userId: 1}}}; + let id = 101; + let params = {salesPerson: 3}; + + await app.models.Client.updateBasicData(ctx, params, id) .catch(e => { error = e; }); 
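Review bot: The new test at the end of this hunk sends `{salesPerson: 3}`, but the rule it is meant to exercise in updateBasicData.js (same patch) keys on `salesPersonFk`, so the rejection it observes most likely comes from the generic "key not in validUpdateParams" branch and the isTaxDataChecked branch is never reached; use `let params = {salesPersonFk: 3};`. The test also only proves the rule if fixture user 1 is not a salesAssistant and client 101 has isTaxDataChecked set, neither of which the hunk shows, so it is worth asserting that precondition or spelling it out in the test title. The `expect(...)` and the closing of this `it` block lie outside the hunk, and the hunk header itself is not legible in this copy of the patch.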
@@ -29,8 +44,8 @@ describe('Client updateBasicData', () => {
 expect(client.email).toEqual('BruceWayne@verdnatura.es');
 let validparams = {email: 'myNewEmail@myDomain.es'};
-
- let result = await app.models.Client.updateBasicData(validparams, id);
+ let ctx = {req: {accessToken: {userId: 1}}};
+ let result = await app.models.Client.updateBasicData(ctx, validparams, id);
 expect(result.email).toEqual('myNewEmail@myDomain.es');
 });
diff --git a/services/loopback/common/methods/client/updateBasicData.js b/services/loopback/common/methods/client/updateBasicData.js
index 33721a5c5..bd05fde22 100644
--- a/services/loopback/common/methods/client/updateBasicData.js
+++ b/services/loopback/common/methods/client/updateBasicData.js
@@ -1,7 +1,7 @@
 let UserError = require('../../helpers').UserError;
 module.exports = Self => {
- Self.remoteMethod('updateBasicData', {
+ Self.remoteMethodCtx('updateBasicData', {
 description: 'Updates billing data of a client',
 accessType: 'WRITE',
 accepts: [{
@@ -28,7 +28,9 @@ module.exports = Self => {
 }
 });
- Self.updateBasicData = async(params, id) => {
+ Self.updateBasicData = async(ctx, params, id) => {
+ let userId = ctx.req.accessToken.userId;
+
 let validUpdateParams = [
 'contact',
 'name',
@@ -39,11 +41,14 @@ module.exports = Self => {
 'contactChannelFk'
 ];
+ let isSalesAssistant = await Self.app.models.Account.hasRole(userId, 'salesAssistant');
+ let client = await Self.app.models.Client.findById(id);
+
 for (const key in params) {
- if (validUpdateParams.indexOf(key) === -1)
+ if (validUpdateParams.indexOf(key) === -1 || key == 'salesPersonFk' && client.isTaxDataChecked && !isSalesAssistant)
 throw new UserError(`You don't have enough privileges to do that`);
 }
- let client = await Self.app.models.Client.findById(id);
+
 return await client.updateAttributes(params);
 };
 };
diff --git a/services/loopback/common/methods/client/updateBillingData.js b/services/loopback/common/methods/client/updateBillingData.js
index c361807ad..21f20e77a 100644
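Review bot: The `description` context line right below the changed `remoteMethodCtx` call still reads 'Updates billing data of a client' although this method is updateBasicData, so the generated API documentation will mislabel it; while this block is being touched, change it to `description: 'Updates basic data of a client',`. The `accepts` array that follows runs past the hunk, so whether the switch to remoteMethodCtx needs any change there cannot be checked from this patch.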
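Review bot: The new guard in the `for` loop of the @@ -39,11 hunk reads `client.isTaxDataChecked` without checking that `findById` returned a record, so an unknown id now fails with a TypeError on a `salesPersonFk` update instead of a UserError, and the condition mixes `||` with an unparenthesised `&&` chain and a loose `==`, which hides the intended precedence. The rule is also dead unless 'salesPersonFk' is itself in validUpdateParams; the list is cut between 'name' and 'contactChannelFk' in this patch, so I could not confirm it. The two awaited lookups are independent and can run in parallel. Suggested shape below; the `return await client.updateAttributes(params);` line is unchanged.
```javascript
        let [isSalesAssistant, client] = await Promise.all([
            Self.app.models.Account.hasRole(userId, 'salesAssistant'),
            Self.app.models.Client.findById(id)
        ]);
        if (!client)
            throw new UserError('Client not found');

        for (const key in params) {
            let isAllowedKey = validUpdateParams.indexOf(key) !== -1;
            // salesPersonFk is locked once tax data is checked, unless the caller is a salesAssistant
            let isLockedSalesPerson = key === 'salesPersonFk' && client.isTaxDataChecked && !isSalesAssistant;
            if (!isAllowedKey || isLockedSalesPerson)
                throw new UserError(`You don't have enough privileges to do that`);
        }
        // … unchanged: updateAttributes call …
```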
--- a/services/loopback/common/methods/client/updateBillingData.js
+++ b/services/loopback/common/methods/client/updateBillingData.js
@@ -45,7 +45,7 @@ module.exports = Self => {
 let isSalesAssistant = await Self.app.models.Account.hasRole(userId, 'salesAssistant');
 let client = await Self.app.models.Client.findOne({where: {id: id}});
- if (!isSalesAssistant)
+ if (!isSalesAssistant && client.isTaxDataChecked)
 throw new UserError(`You don't have enough privileges to do that`);
 return client.updateAttributes(data);
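Review bot: The added `client.isTaxDataChecked` read on the changed `if` line runs before any check that `findOne` found a record, so a non-existent id now surfaces as a TypeError rather than a UserError; add `if (!client) throw new UserError('Client not found');` directly after the findOne line. The new condition also widens who may call this method: any caller can now update billing data of a client whose tax data is not yet checked, where previously only a salesAssistant could; if that is the intended rule (the title says "fixed ACLS" and the basic-data view gets the same condition), state it in the method's `description` so the change is discoverable. The enclosing arrow function starts and ends outside this hunk.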