From 2e5a43af681294dcea50df303773138458f521d2 Mon Sep 17 00:00:00 2001
From: vicent <vicent@verdnatura.es>
Date: Wed, 26 Apr 2023 11:40:21 +0200
Subject: [PATCH] refs #5468 restringido permisos 'WRITE' para sysadmin en
 VnUser

---
 db/changes/231601/00-aclAccount.sql         | 3 +++
 db/changes/231601/00-userAcl.sql            | 3 ++-
 modules/account/front/descriptor/index.html | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/db/changes/231601/00-aclAccount.sql b/db/changes/231601/00-aclAccount.sql
index 42579a65b..875c4aa8a 100644
--- a/db/changes/231601/00-aclAccount.sql
+++ b/db/changes/231601/00-aclAccount.sql
@@ -4,3 +4,6 @@ DELETE
 
 INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
     VALUES('Account', '*', 'WRITE', 'ALLOW', 'ROLE', 'sysadmin');
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+    VALUES('Account', '*', 'READ', 'ALLOW', 'ROLE', 'employee');
diff --git a/db/changes/231601/00-userAcl.sql b/db/changes/231601/00-userAcl.sql
index 64803bf18..b880496d7 100644
--- a/db/changes/231601/00-userAcl.sql
+++ b/db/changes/231601/00-userAcl.sql
@@ -1,6 +1,7 @@
 INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
     VALUES
-        ('VnUser', '*', '*', 'ALLOW', 'ROLE', 'employee'),
+        ('VnUser', '*', 'READ', 'ALLOW', 'ROLE', 'employee'),
+        ('VnUser', '*', 'WRITE', 'ALLOW', 'ROLE', 'sysadmin'),
         ('VnUser','acl','READ','ALLOW','ROLE','account'),
         ('VnUser','getCurrentUserData','READ','ALLOW','ROLE','account'),
         ('VnUser','changePassword', 'WRITE', 'ALLOW', 'ROLE', 'account'),
diff --git a/modules/account/front/descriptor/index.html b/modules/account/front/descriptor/index.html
index 625c50ba2..61c7c5ee1 100644
--- a/modules/account/front/descriptor/index.html
+++ b/modules/account/front/descriptor/index.html
@@ -51,6 +51,7 @@
             ng-click="activateUser.show()"
             name="activateUser"
             vn-acl="sysadmin"
+            vn-acl-action="remove"
             translate>
             Activate user
         </vn-item>
@@ -59,6 +60,7 @@
             ng-click="deactivateUser.show()"
             name="deactivateUser"
             vn-acl="sysadmin"
+            vn-acl-action="remove"
             translate>
             Deactivate user
         </vn-item>