From 412638d59000f04fbe10aa45c4429230e57f1a41 Mon Sep 17 00:00:00 2001 From: jorgep Date: Wed, 8 Jan 2025 18:27:23 +0100 Subject: [PATCH] fix: refactor access control for modifying past absences --- modules/worker/back/methods/worker/createAbsence.js | 4 +--- modules/worker/back/methods/worker/deleteAbsence.js | 4 +--- .../worker/back/methods/worker/specs/createAbsence.spec.js | 2 +- .../worker/back/methods/worker/specs/deleteAbsence.spec.js | 2 +- modules/worker/back/models/worker.js | 7 +++++++ 5 files changed, 11 insertions(+), 8 deletions(-) diff --git a/modules/worker/back/methods/worker/createAbsence.js b/modules/worker/back/methods/worker/createAbsence.js index 36781bc3f..dc716c95d 100644 --- a/modules/worker/back/methods/worker/createAbsence.js +++ b/modules/worker/back/methods/worker/createAbsence.js @@ -58,12 +58,10 @@ module.exports = Self => { if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss)) throw new UserError(`You don't have enough privileges`); - const canModifyAbsenceInPast = - await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE'); const now = Date.vnNew(); const newDate = new Date(args.dated).getTime(); - if ((now.getTime() > newDate) && !canModifyAbsenceInPast) + if (!await Self.canModifyAbsenceInPast(ctx, newDate)) throw new UserError(`Holidays to past days not available`); const labour = await models.WorkerLabour.findById(args.businessFk, diff --git a/modules/worker/back/methods/worker/deleteAbsence.js b/modules/worker/back/methods/worker/deleteAbsence.js index 11a8cb0c1..596f8f28d 100644 --- a/modules/worker/back/methods/worker/deleteAbsence.js +++ b/modules/worker/back/methods/worker/deleteAbsence.js @@ -53,10 +53,8 @@ module.exports = Self => { } } }, myOptions); - const canModifyAbsenceInPast = - await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE'); - if (!canModifyAbsenceInPast && Date.vnNow() > absence.dated.getTime()) + if (!await Self.canModifyAbsenceInPast(ctx, absence.dated.getTime())) throw new UserError(`Holidays to past days not available`); const result = await absence.destroy(myOptions); diff --git a/modules/worker/back/methods/worker/specs/createAbsence.spec.js b/modules/worker/back/methods/worker/specs/createAbsence.spec.js index 1c7efcd28..b6600048f 100644 --- a/modules/worker/back/methods/worker/specs/createAbsence.spec.js +++ b/modules/worker/back/methods/worker/specs/createAbsence.spec.js @@ -1,7 +1,7 @@ const app = require('vn-loopback/server/server'); const LoopBackContext = require('loopback-context'); -describe('Worker createAbsence()', () => { +fdescribe('Worker createAbsence()', () => { const workerId = 18; it('should return an error for a user without enough privileges', async() => { diff --git a/modules/worker/back/methods/worker/specs/deleteAbsence.spec.js b/modules/worker/back/methods/worker/specs/deleteAbsence.spec.js index c0d05e4a2..dfbcd9835 100644 --- a/modules/worker/back/methods/worker/specs/deleteAbsence.spec.js +++ b/modules/worker/back/methods/worker/specs/deleteAbsence.spec.js @@ -1,7 +1,7 @@ const app = require('vn-loopback/server/server'); const LoopBackContext = require('loopback-context'); -describe('Worker deleteAbsence()', () => { +fdescribe('Worker deleteAbsence()', () => { const businessId = 18; const workerId = 18; const hrId = 37; diff --git a/modules/worker/back/models/worker.js b/modules/worker/back/models/worker.js index 3351c348c..e1adca77e 100644 --- a/modules/worker/back/models/worker.js +++ b/modules/worker/back/models/worker.js @@ -26,6 +26,13 @@ module.exports = Self => { message: 'Invalid TIN' }); + Self.canModifyAbsenceInPast = async(ctx, time) => { + const hasPrivs = await Self.app.models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE'); + const now = Date.vnNew(); + now.setHours(0, 0, 0, 0); + return hasPrivs || now.getTime() < time; + }; + async function tinIsValid(err, done) { const country = await Self.app.models.Country.findOne({ fields: ['code'],