feat(privileges): check if user has role from userToUpdate

2022-10-27 09:01:09 +02:00 · 2022-10-27 09:01:09 +02:00 · 3ffc098b56
parent f65d06fc7d
commit 3ffc098b56
5 changed files with 24 additions and 7 deletions
--- a/back/methods/account/privileges.js
+++ b/back/methods/account/privileges.js
@ -44,15 +44,28 @@ module.exports = Self => {
        if (!user.hasGrant)
            throw new UserError(`You don't have grant privilege`);

-        const userToUpdate = await models.Account.findById(id, ['name', 'hasGrant', 'roleFk'], myOptions);
+        const [userToUpdate] = await models.Account.find({
+            fields: ['id', 'name', 'hasGrant', 'roleFk', 'password'],
+            include: {
+                relation: 'role',
+                scope: {
+                    fields: ['name']
+                }
+            },
+            where: {
+                id: id
+            }
+        }, myOptions);
+
        if (hasGrant != null)
            userToUpdate.hasGrant = hasGrant;

        if (roleFk) {
            const role = await models.Role.findById(roleFk, {fields: ['name']}, myOptions);
            const hasRole = await models.Account.hasRole(userId, role.name, myOptions);
+            const hasRoleFromUser = await models.Account.hasRole(userId, userToUpdate.role().name, myOptions);

-            if (!hasRole)
+            if (!hasRole || !hasRoleFromUser)
                throw new UserError(`You don't own the role and you can't assign it to another user`);

            userToUpdate.roleFk = roleFk;
--- a/back/models/account.json
+++ b/back/models/account.json
@ -102,6 +102,13 @@
 			"principalType": "ROLE",
 			"principalId": "$authenticated",
 			"permission": "ALLOW"
+		},
+		{
+			"property": "privileges",
+			"accessType": "*",
+			"principalType": "ROLE",
+			"principalId": "$authenticated",
+			"permission": "ALLOW"
 		}
 	]
 }
--- a/db/changes/10490-august/00-user_hasGrant.sql
+++ b/db/changes/10490-august/00-user_hasGrant.sql
@ -1,4 +1 @@
 ALTER TABLE `account`.`user` ADD hasGrant TINYINT(1) NOT NULL;
-
-INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
-    VALUES('Account', 'privileges', '*', 'ALLOW', 'ROLE', '$authenticated');
--- a/modules/account/front/privileges/locale/es.yml
+++ b/modules/account/front/privileges/locale/es.yml
@ -1,2 +1,2 @@
 Privileges: Privilegios
-Has grant: Puede dar privilegios
+Has grant: Puede delegar privilegios
--- a/package.json
+++ b/package.json
@ -37,7 +37,7 @@
        "node-ssh": "^11.0.0",
        "object-diff": "0.0.4",
        "object.pick": "^1.3.0",
-        "puppeteer": "^18.0.5",
+        "puppeteer": "^19.0.0",
        "read-chunk": "^3.2.0",
        "require-yaml": "0.0.1",
        "sharp": "^0.27.1",