refs #5488 replace hasRole for checkAccessAcl
This commit is contained in:
parent
c1d4281b1b
commit
39333a9119
|
@ -0,0 +1,65 @@
|
|||
DELETE FROM `salix`.`ACL` WHERE id=7;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||
VALUES
|
||||
('Client', 'setRating', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'setRating', 'WRITE', 'ALLOW', 'ROLE', 'financial');
|
||||
|
||||
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||
VALUES
|
||||
('Client', '*', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'addressesPropagateRe', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'canBeInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'canCreateTicket', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'consumption', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'createAddress', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'createWithUser', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'extendedListFilter', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'getAverageInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'getCard', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'getDebt', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'getMana', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'transactions', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'hasCustomerRole', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'isValidClient', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'lastActiveTickets', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'sendSms', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'setPassword', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'summary', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateAddress', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateFiscalData', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateUser', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'uploadFile', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'campaignMetricsPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'campaignMetricsEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'clientWelcomeHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'clientWelcomeEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'printerSetupHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'printerSetupEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'sepaCoreEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'letterDebtorPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'letterDebtorStHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'letterDebtorStEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'letterDebtorNdHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'letterDebtorNdEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'clientDebtStatementPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'clientDebtStatementHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'clientDebtStatementEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'creditRequestPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'creditRequestHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'creditRequestEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'incotermsAuthorizationPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'incotermsAuthorizationHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'incotermsAuthorizationEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'consumptionSendQueued', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'filter', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'getClientOrSupplierReference', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'upsert', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'create', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'replaceById', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'deleteById', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'replaceOrCreate', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'updateAll', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||
('Client', 'upsertWithWhere', '*', 'ALLOW', 'ROLE', 'employee');
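Review bot: The row `('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee')` appears twice in this INSERT (the two consecutive `updateAttributes` values), so the migration creates two identical ACL entries; drop one of them. The opening `DELETE FROM salix.ACL WHERE id=7;` (and the two-line file below with `WHERE id=101`) removes a grant by a hard-coded numeric id, which can point at a different row in another environment and silently revoke or keep the wrong permission; deleting by the row's content is robust, e.g. `DELETE FROM salix.ACL WHERE model='Client' AND property='<PROPERTY_OF_ROW_7>' AND principalId='<ROLE_OF_ROW_7>';` (placeholders, the original row is not visible here). The wildcard `('Client', '*', 'READ', 'ALLOW', 'ROLE', 'employee')` grants every READ endpoint on the model to employee, so the per-method rows that follow only matter for WRITE; worth a one-line comment stating that this is intended.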
|
|
@ -1,4 +1,4 @@
|
|||
create or replace definer = root@localhost view User as
|
||||
create or replace definer = root@localhost view `salix`.`User` as
|
||||
select `account`.`user`.`id` AS `id`,
|
||||
`account`.`user`.`realm` AS `realm`,
|
||||
`account`.`user`.`name` AS `name`,
|
||||
|
|
|
@ -20,3 +20,9 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
|||
FROM `hedera`.`imageCollection` i
|
||||
JOIN `account`.`role` r ON r.id = i.readRoleFk;
|
||||
|
||||
-- ClaimState
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`claimState` c
|
||||
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||
|
|
@ -5,4 +5,5 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
|||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
|
||||
('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Client', 'editAddressLogifloraAllowed', 'WRITE', 'ALLOW', 'ROLE', 'salesAssistant'),
|
||||
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
DELETE FROM salix.ACL
|
||||
WHERE id=101;
|
|
@ -1774,6 +1774,11 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
|
|||
( 6, 'mana', 'Mana', 72, 4, 0),
|
||||
( 7, 'lack', 'Faltas', 72, 2, 0);
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`claimState` c
|
||||
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||
|
||||
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
|
||||
VALUES
|
||||
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
|
||||
|
|
|
@ -20,19 +20,14 @@ module.exports = Self => {
|
|||
});
|
||||
|
||||
Self.isEditable = async(ctx, id, options) => {
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const models = Self.app.models;
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
|
||||
if (!state) return false;
|
||||
|
||||
const state = await models.ClaimState.findById(id, {
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
}
|
||||
}, myOptions);
|
||||
const roleWithGrants = state && state.writeRole().name;
|
||||
return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
|
||||
return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code);
|
||||
};
|
||||
};
|
||||
|
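Review bot: The new return line `models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code)` passes no accessType, while the rows this commit inserts for ClaimState are created as `'WRITE'` (`SELECT 'ClaimState', c.code, 'WRITE', ...` in the migration) and the Claim hunk passes `'WRITE'` explicitly; unless checkAccessAcl's default matches those rows, the grant never applies and isEditable returns false for every state. The same omission is in the updateAddress hunk below (`checkAccessAcl(ctx, 'Client', 'editAddressLogifloraAllowed')`, whose ACL row is also inserted as WRITE). Suggested: `return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code, 'WRITE');`. Note also that the removed `hasRole` call received `myOptions` but checkAccessAcl only receives `ctx`; if it queries the ACL table it now runs outside the caller's transaction, which seems acceptable for a read but is a behaviour change worth confirming in all three JS hunks.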
|
|
@ -59,12 +59,14 @@ module.exports = Self => {
|
|||
|
||||
const landedPlusWeek = new Date(ticket.landed);
|
||||
landedPlusWeek.setDate(landedPlusWeek.getDate() + 7);
|
||||
const hasClaimManagerRole = await models.VnUser.hasRole(userId, 'claimManager', myOptions);
|
||||
const isClaimable = landedPlusWeek >= Date.vnNew();
|
||||
|
||||
const canCreateClaimAfterDeadline =
|
||||
await models.ACL.checkAccessAcl(ctx, 'Claim', 'createAfterDeadline', 'WRITE');
|
||||
|
||||
if (ticket.isDeleted)
|
||||
throw new UserError(`You can't create a claim for a removed ticket`);
|
||||
if (!isClaimable && !hasClaimManagerRole)
|
||||
if (!isClaimable && !canCreateClaimAfterDeadline)
|
||||
throw new UserError(`You can't create a claim from a ticket delivered more than seven days ago`);
|
||||
|
||||
const newClaim = await Self.create({
|
||||
|
|
|
@ -87,15 +87,15 @@ module.exports = function(Self) {
|
|||
Self.updateAddress = async(ctx, clientId, addressId, options) => {
|
||||
const models = Self.app.models;
|
||||
const args = ctx.args;
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
|
||||
const canEditAddressLogifloraAllowed =
|
||||
await models.ACL.checkAccessAcl(ctx, 'Client', 'editAddressLogifloraAllowed');
|
||||
|
||||
if (args.isLogifloraAllowed && !isSalesAssistant)
|
||||
if (args.isLogifloraAllowed && !canEditAddressLogifloraAllowed)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
const address = await models.Address.findOne({
|
||||
|
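Review bot: `const userId = ctx.req.accessToken.userId;` is kept as context but its only use inside this hunk was the removed `hasRole` line; if nothing later in updateAddress reads it, the declaration is now dead and should be dropped (updateAddress continues past the hunk, so this is not certain from here). The Claim hunk above likely has the same leftover `userId` declaration, which is outside its visible lines.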
|