refs #6067 refactor: vnUser and mailForward privileges. fix: emailVerification

2023-09-20 15:10:28 +02:00 · 2023-09-20 15:10:28 +02:00 · 3b90d7e5e5
parent 72a8256aee
commit 3b90d7e5e5
6 changed files with 107 additions and 42 deletions
--- a/back/models/vn-user.js
+++ b/back/models/vn-user.js
@ -1,6 +1,7 @@
 const vnModel = require('vn-loopback/common/models/vn-model');
 const LoopBackContext = require('loopback-context');
 const {Email} = require('vn-print');
+const UserError = require('vn-loopback/util/user-error');

 module.exports = function(Self) {
    vnModel(Self);
@ -178,45 +179,68 @@ module.exports = function(Self) {
    Self.sharedClass._methods.find(method => method.name == 'changePassword').ctor.settings.acls
        .filter(acl => acl.property != 'changePassword');

+    Self.observe('before save', async ctx => {
+        const instance = ctx.currentInstance || ctx.instance;
+        console.log(ctx);
+        await Self.userSecurity(ctx, instance.id);
+    });
+
+    Self.userSecurity = async(ctx, userId) => {
+        const models = Self.app.models;
+        const accessToken = ctx.options.accessToken || LoopBackContext.getCurrentContext().active.accessToken;
+        console.log(accessToken, LoopBackContext.getCurrentContext().active.http.req);
+        const ctxToken = {req: {accessToken}};
+
+        const hasHigherPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'higherPrivileges');
+        if (hasHigherPrivileges) return;
+
+        const hasMediumPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'mediumPrivileges');
+        const user = await models.VnUser.findById(userId, {fields: ['id', 'emailVerified']});
+        if (!user.emailVerified && hasMediumPrivileges) return;
+
+        if (userId != accessToken.userId)
+            throw new UserError(`You don't have enough privileges`);
+    };
+
    // FIXME: https://redmine.verdnatura.es/issues/5761
-    // Self.afterRemote('prototype.patchAttributes', async(ctx, instance) => {
-    //     if (!ctx.args || !ctx.args.data.email) return;
+    Self.afterRemote('prototype.patchAttributes', async(ctx, instance) => {
+        if (!ctx.args || !ctx.args.data.email) return;

-    //     const loopBackContext = LoopBackContext.getCurrentContext();
-    //     const httpCtx = {req: loopBackContext.active};
-    //     const httpRequest = httpCtx.req.http.req;
-    //     const headers = httpRequest.headers;
-    //     const origin = headers.origin;
-    //     const url = origin.split(':');
+        const loopBackContext = LoopBackContext.getCurrentContext();
+        const httpCtx = {req: loopBackContext.active};
+        const httpRequest = httpCtx.req.http.req;
+        const headers = httpRequest.headers;
+        const origin = headers.origin;
+        const url = origin.split(':');

-    //     class Mailer {
-    //         async send(verifyOptions, cb) {
-    //             const params = {
-    //                 url: verifyOptions.verifyHref,
-    //                 recipient: verifyOptions.to,
-    //                 lang: ctx.req.getLocale()
-    //             };
+        class Mailer {
+            async send(verifyOptions, cb) {
+                const params = {
+                    url: verifyOptions.verifyHref,
+                    recipient: verifyOptions.to,
+                    lang: ctx.req.getLocale()
+                };

-    //             const email = new Email('email-verify', params);
-    //             email.send();
+                const email = new Email('email-verify', params);
+                email.send();

-    //             cb(null, verifyOptions.to);
-    //         }
-    //     }
+                cb(null, verifyOptions.to);
+            }
+        }

-    //     const options = {
-    //         type: 'email',
-    //         to: instance.email,
-    //         from: {},
-    //         redirect: `${origin}/#!/account/${instance.id}/basic-data?emailConfirmed`,
-    //         template: false,
-    //         mailer: new Mailer,
-    //         host: url[1].split('/')[2],
-    //         port: url[2],
-    //         protocol: url[0],
-    //         user: Self
-    //     };
+        const options = {
+            type: 'email',
+            to: instance.email,
+            from: {},
+            redirect: `${origin}/#!/account/${instance.id}/basic-data?emailConfirmed`,
+            template: false,
+            mailer: new Mailer,
+            host: url[1].split('/')[2],
+            port: url[2],
+            protocol: url[0],
+            user: Self
+        };

-    //     await instance.verify(options);
-    // });
+        await instance.verify(options);
+    });
 };
--- a/back/models/vn-user.json
+++ b/back/models/vn-user.json
@ -13,10 +13,6 @@
 			"type": "number",
 			"id": true
 		},
-		"name": {
-			"type": "string",
-			"required": true
-		},
 		"username": {
 			"type": "string",
 			"mysql": {
@ -127,7 +123,13 @@
 			"principalType": "ROLE",
 			"principalId": "$authenticated",
 			"permission": "ALLOW"
-		}
+		},
+        {
+          "principalType": "ROLE",
+          "principalId": "$authenticated",
+          "permission": "ALLOW",
+          "property": "patchAttributes"
+        }
 	],
    "scopes": {
        "preview": {
--- a/db/changes/234001/00-account_acl.sql
+++ b/db/changes/234001/00-account_acl.sql
@ -0,0 +1,12 @@
+DELETE FROM `salix`.`ACL`
+    WHERE
+        model = 'MailForward'
+        AND accessType = '*'
+        AND property = '*'
+        AND principalId = 'hr';
+
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+    VALUES
+        ('VnUser', 'higherPrivileges', '*', 'ALLOW', 'ROLE', 'itManagement'),
+        ('VnUser', 'mediumPrivileges', '*', 'ALLOW', 'ROLE', 'hr');
--- a/modules/account/back/models/mail-forward.js
+++ b/modules/account/back/models/mail-forward.js
@ -0,0 +1,14 @@
+
+module.exports = Self => {
+    Self.observe('loaded', async ctx => {
+        if (!ctx.data.account) return;
+        await Self.app.models.VnUser.userSecurity(ctx, ctx.data.account);
+    });
+    Self.observe('before save', async ctx => {
+        const instance = ctx.currentInstance || ctx.instance;
+        await Self.app.models.VnUser.userSecurity(ctx, instance.account);
+    });
+    Self.observe('before delete', async ctx => {
+        await Self.app.models.VnUser.userSecurity(ctx, ctx.where.account);
+    });
+};
--- a/modules/account/back/models/mail-forward.json
+++ b/modules/account/back/models/mail-forward.json
@ -21,5 +21,19 @@
 			"model": "VnUser",
 			"foreignKey": "account"
 		}
-	}
+	},
+	"acls": [
+        {
+			"accessType": "READ",
+			"principalType": "ROLE",
+			"principalId": "$authenticated",
+			"permission": "ALLOW"
+        },
+        {
+			"accessType": "WRITE",
+			"principalType": "ROLE",
+			"principalId": "$authenticated",
+			"permission": "ALLOW"
+        }
+    ]
 }
--- a/modules/account/front/routes.json
+++ b/modules/account/front/routes.json
@ -77,8 +77,7 @@
            "url": "/basic-data?emailConfirmed",
            "state": "account.card.basicData",
            "component": "vn-user-basic-data",
-            "description": "Basic data",
-            "acl": ["itManagement"]
+            "description": "Basic data"
        },
        {
            "url" : "/log",