verdnatura/salix
verdnatura
/
salix
3
4
Fork 0
Code Issues Pull Requests 64 Releases Wiki Activity

fix: refactor access control for modifying past absences

This commit is contained in:
Jorge Penadés 2025-01-08 18:27:23 +01:00
parent 838617e3f6
commit 412638d590
5 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/worker/back/methods/worker/createAbsence.js
View File

@ -58,12 +58,10 @@ module.exports = Self => {
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss)) if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);
const canModifyAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
const now = Date.vnNew(); const now = Date.vnNew();
const newDate = new Date(args.dated).getTime(); const newDate = new Date(args.dated).getTime();
if ((now.getTime() > newDate) && !canModifyAbsenceInPast) if (!await Self.canModifyAbsenceInPast(ctx, newDate))
throw new UserError(`Holidays to past days not available`); throw new UserError(`Holidays to past days not available`);
const labour = await models.WorkerLabour.findById(args.businessFk, const labour = await models.WorkerLabour.findById(args.businessFk,

4
modules/worker/back/methods/worker/deleteAbsence.js
View File

@ -53,10 +53,8 @@ module.exports = Self => {
} }
} }
}, myOptions); }, myOptions);
const canModifyAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
if (!canModifyAbsenceInPast && Date.vnNow() > absence.dated.getTime()) if (!await Self.canModifyAbsenceInPast(ctx, absence.dated.getTime()))
throw new UserError(`Holidays to past days not available`); throw new UserError(`Holidays to past days not available`);
const result = await absence.destroy(myOptions); const result = await absence.destroy(myOptions);

2
modules/worker/back/methods/worker/specs/createAbsence.spec.js
View File

@ -1,7 +1,7 @@
const app = require('vn-loopback/server/server'); const app = require('vn-loopback/server/server');
const LoopBackContext = require('loopback-context'); const LoopBackContext = require('loopback-context');
describe('Worker createAbsence()', () => { fdescribe('Worker createAbsence()', () => {
const workerId = 18; const workerId = 18;
it('should return an error for a user without enough privileges', async() => { it('should return an error for a user without enough privileges', async() => {

2
modules/worker/back/methods/worker/specs/deleteAbsence.spec.js
View File

@ -1,7 +1,7 @@
const app = require('vn-loopback/server/server'); const app = require('vn-loopback/server/server');
const LoopBackContext = require('loopback-context'); const LoopBackContext = require('loopback-context');
describe('Worker deleteAbsence()', () => { fdescribe('Worker deleteAbsence()', () => {
const businessId = 18; const businessId = 18;
const workerId = 18; const workerId = 18;
const hrId = 37; const hrId = 37;

7
modules/worker/back/models/worker.js
View File

@ -26,6 +26,13 @@ module.exports = Self => {
message: 'Invalid TIN' message: 'Invalid TIN'
}); });
Self.canModifyAbsenceInPast = async(ctx, time) => {
const hasPrivs = await Self.app.models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
const now = Date.vnNew();
now.setHours(0, 0, 0, 0);
return hasPrivs || now.getTime() < time;
};
async function tinIsValid(err, done) { async function tinIsValid(err, done) {
const country = await Self.app.models.Country.findOne({ const country = await Self.app.models.Country.findOne({
fields: ['code'], fields: ['code'],