refs #5488 fix(): use hasWriteRole

This commit is contained in:
Alex Moreno 2023-04-28 09:35:15 +02:00
parent 28ead70615
commit 42e3c8f29d
14 changed files with 162 additions and 106 deletions


@ -35,14 +35,14 @@ module.exports = Self => {
try {
const dms = await models.Dms.findById(id, null, myOptions);
const hasWriteRole = await models.DmsType.checkRole(ctx, dms.dmsTypeFk, 'WRITE', myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);
const trashDmsType = await models.DmsType.findOne({
where: {code: 'trash'}
}, myOptions);
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk, myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);
await dms.updateAttribute('dmsTypeFk', trashDmsType.id, myOptions);
if (tx) await tx.commit();


@ -71,7 +71,7 @@ module.exports = Self => {
}
try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);
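Review bot: `hasWriteRole(ctx, args.dmsTypeId)` is called without an options argument here, whereas the sibling call sites in this commit pass `myOptions`; if this method runs inside a transaction, the `DmsType.findById` behind the check executes outside it. The enclosing function starts above the hunk, so I cannot see whether a `myOptions` exists in this file; if it does, pass it: `const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);`.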


@ -66,7 +66,7 @@ module.exports = Self => {
let srcFile;
try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);


@ -67,7 +67,7 @@ module.exports = Self => {
if (!image) return false;
const hasReadRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', collection, 'READ');
const hasReadRole = await models.ImageCollection.hasReadRole(ctx, collection);
if (!hasReadRole)
throw new UserError(`You don't have enough privileges`);


@ -37,7 +37,7 @@ module.exports = Self => {
let tempFilePath;
try {
const hasWriteRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', args.collection, 'WRITE');
const hasWriteRole = await models.ImageCollection.hasWriteRole(ctx, args.collection);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);


@ -1,18 +1,65 @@
module.exports = Self => {
/**
* Checks if current user has
* read privileges over a dms
*
* @param {Object} ctx - Request context
* @param {Interger} id - DmsType id
* @param {Object} options - Query options
* @return {Boolean} True for user with read privileges
*/
Self.hasReadRole = async(ctx, id, options) => {
const models = Self.app.models;
const dmsType = await models.DmsType.findById(id, {
include: {
relation: 'readRole'
}
}, options);
return await hasRole(ctx, dmsType, options);
};
/**
* Checks if current user has
* write privileges over a dms
*
* @param {Object} ctx - Request context
* @param {Interger} id - DmsType id
* @param {String} type - Acl accessType
* @param {Object} options - Query options
* @return {Boolean} True for user with write privileges
*/
Self.checkRole = async(ctx, id, type, options) => {
Self.hasWriteRole = async(ctx, id, options) => {
const models = Self.app.models;
const dmsType = await models.DmsType.findById(id, {fields: ['code']}, options);
const dmsType = await models.DmsType.findById(id, {
include: {
relation: 'writeRole'
}
}, options);
return await models.ACL.checkAccessAcl(ctx, 'DmsType', dmsType.code, type);
return await hasRole(ctx, dmsType, options);
};
/**
* Checks if current user has
* read or write privileges
* @param {Object} ctx - Context
* @param {Object} dmsType - Dms type [read/write]
* @param {Object} options - Query options
*/
async function hasRole(ctx, dmsType, options) {
const models = Self.app.models;
const myUserId = ctx.req.accessToken.userId;
const readRole = dmsType.readRole() && dmsType.readRole().name;
const writeRole = dmsType.writeRole() && dmsType.writeRole().name;
const requiredRole = readRole || writeRole;
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
if (isRoot || hasRequiredRole)
return true;
return false;
}
};
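Review bot: `hasRole` derives the required role as `readRole || writeRole` from whichever relation the caller happened to include, and when that relation is null — the fixtures in this same commit set `readRoleFk`/`writeRoleFk` to NULL for most dmsType rows — `requiredRole` is `undefined` and the outcome rests on how `VnUser.hasRole` treats an undefined role name, which is not visible here. A null `dmsType` (unknown id) likewise throws a TypeError at `dmsType.readRole()` instead of answering false. Make the policy explicit: have `hasReadRole`/`hasWriteRole` pass the role instance they loaded, guard with `if (!dmsType) return false;`, and decide the NULL-role case on purpose, e.g. `if (!requiredRole) return false;` if a type without a role is meant to be inaccessible rather than open. The same helper is duplicated verbatim in ImageCollection's `hasRole` in this commit and could be shared.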


@ -38,27 +38,10 @@
"foreignKey": "writeRoleFk"
}
},
"acls": [
{
"property": "find",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
},
{
"property": "findById",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
},
{
"property": "findOne",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}
]
"acls": [{
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}]
}
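Review bot: The replacement ACL entry drops the `property` key, so `$everyone` now receives READ on every READ-typed method of DmsType, not only on `find`, `findById` and `findOne` as the three removed entries allowed. If that widening is not intended, keep the previous scope in the single entry with `"property": ["find", "findById", "findOne"]`, which LoopBack accepts as an array. If it is intended, a line in the model's documentation stating that all READ methods are public would save the next reader from reconstructing this from the diff.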


@ -7,11 +7,11 @@ module.exports = Self => {
require('../methods/dms/updateFile')(Self);
require('../methods/dms/deleteTrashFiles')(Self);
Self.checkRole = async function(ctx, id, type) {
Self.checkRole = async function(ctx, id) {
const models = Self.app.models;
const dms = await Self.findById(id);
return await models.DmsType.checkRole(ctx, dms.dmsTypeFk, type);
return await models.DmsType.hasReadRole(ctx, dms.dmsTypeFk);
};
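Review bot: `Self.checkRole` now performs only a read check via `hasReadRole`, yet keeps a name that suggests a generic role check, and the dropped `type` parameter means any caller still passing `'WRITE'` silently gets a read check instead of an error. Either rename it to `hasReadRole` or add a JSDoc along the lines of `/** Checks if the current user has READ privileges over the type of the given dms. @param {Object} ctx - Request context @param {Number} id - Dms id @return {Boolean} */`. `Self.findById(id)` returns null for an unknown id and `dms.dmsTypeFk` then throws; `if (!dms) return false;` keeps the method fail-closed with a clean answer. The `downloadFile` change later in this commit is the one visible caller of the new signature.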
Self.getFile = async function(id) {


@ -0,0 +1,64 @@
module.exports = Self => {
/**
* Checks if current user has
* read privileges over a collection
*
* @param {object} ctx - Request context
* @param {interger} name - Collection name
* @param {object} options - Query options
* @return {boolean} True for user with read privileges
*/
Self.hasReadRole = async(ctx, name, options) => {
const collection = await Self.findOne({where: {name}}, {
include: {
relation: 'readRole'
}
}, options);
return await hasRole(ctx, collection, options);
};
/**
* Checks if current user has
* write privileges over a collection
*
* @param {object} ctx - Request context
* @param {string} name - Collection name
* @param {object} options - Query options
* @return {boolean} True for user with write privileges
*/
Self.hasWriteRole = async(ctx, name, options) => {
const collection = await Self.findOne({
include: {
relation: 'writeRole'
},
where: {name}
}, options);
return await hasRole(ctx, collection, options);
};
/**
* Checks if current user has
* read or write privileges
* @param {Object} ctx - Context
* @param {Object} collection - Collection [read/write]
* @param {Object} options - Query options
*/
async function hasRole(ctx, collection, options) {
const models = Self.app.models;
const myUserId = ctx.req.accessToken.userId;
const readRole = collection.readRole() && collection.readRole().name;
const writeRole = collection.writeRole() && collection.writeRole().name;
const requiredRole = readRole || writeRole;
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
if (isRoot || hasRequiredRole)
return true;
return false;
}
};
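Review bot: In `hasReadRole` the include is passed as `findOne`'s second argument — `Self.findOne({where: {name}}, {include: …}, options)` — so it occupies the options slot, `readRole` is never loaded, and `options` is shifted into the callback position; `hasWriteRole` a few lines below builds the filter correctly. Change it to `const collection = await Self.findOne({where: {name}, include: {relation: 'readRole'}}, options);`. With the relation not loaded, `collection.readRole()` presumably yields nothing and `hasRole` ends up evaluating an undefined role name; the `readFile` call site changed in this commit depends on this path. The JSDoc also declares `@param {interger} name` where `name` is a string, as the write variant documents it.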


@ -1,28 +0,0 @@
-- DmsType model
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.readRoleFk;
-- ImageCollection model
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ImageCollection', i.name, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `hedera`.`imageCollection` i
JOIN `account`.`role` r ON r.id = i.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ImageCollection', i.name, 'READ', 'ALLOW', 'ROLE', r.name
FROM `hedera`.`imageCollection` i
JOIN `account`.`role` r ON r.id = i.readRoleFk;
-- ClaimState
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`claimState` c
JOIN `account`.`role` r ON r.id = c.roleFk;


@ -1775,11 +1775,6 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
( 6, 'mana', 'Mana', 72, 4, 0),
( 7, 'lack', 'Faltas', 72, 2, 0);
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`claimState` c
JOIN `account`.`role` r ON r.id = c.roleFk;
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
VALUES
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
@ -2326,36 +2321,26 @@ INSERT INTO `vn`.`workerTimeControl`(`userFk`, `timed`, `manual`, `direction`, `
INSERT INTO `vn`.`dmsType`(`id`, `name`, `path`, `readRoleFk`, `writeRoleFk`, `code`)
VALUES
(1, 'Facturas Recibidas', 'recibidas', 1, 1, 'invoiceIn'),
(2, 'Doc oficial', 'oficial', 1, 1, 'officialDoc'),
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
(4, 'Albaranes recibidos', 'entradas', 1, 1, 'deliveryNote'),
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
(6, 'Pruebas', 'pruebas', 1, 1, 'tests'),
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
(8, 'Fiscal', 'fiscal', 1, 1, 'fiscal'),
(9, 'Vehiculos', 'vehiculos', 1, 1, 'vehicles'),
(10, 'Plantillas', 'plantillas', 1, 1, 'templates'),
(11, 'Contratos', 'contratos', 1, 1, 'contracts'),
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
(13, 'Basura', 'basura', 1, 1, 'trash'),
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
(15, 'Presupuestos', 'Presupuestos', 1, 1, 'budgets'),
(16, 'Logistica', 'logistica', 1, 1, 'logistics'),
(17, 'cmr', 'cmr', 1, 1, 'cmr'),
(18, 'dua', 'dua', 1, 1, 'dua'),
(19, 'inmovilizado', 'inmovilizado', 1, 1, 'fixedAssets'),
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.readRoleFk;
(1, 'Facturas Recibidas', 'recibidas', NULL, NULL, 'invoiceIn'),
(2, 'Doc oficial', 'oficial', NULL, NULL, 'officialDoc'),
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
(4, 'Albaranes recibidos', 'entradas', NULL, NULL, 'deliveryNote'),
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
(6, 'Pruebas', 'pruebas', NULL, NULL, 'tests'),
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
(8, 'Fiscal', 'fiscal', NULL, NULL, 'fiscal'),
(9, 'Vehiculos', 'vehiculos', NULL, NULL, 'vehicles'),
(10, 'Plantillas', 'plantillas', NULL, NULL, 'templates'),
(11, 'Contratos', 'contratos', NULL, NULL, 'contracts'),
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
(13, 'Basura', 'basura', 1, 1, 'trash'),
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
(15, 'Presupuestos', 'Presupuestos', NULL, NULL, 'budgets'),
(16, 'Logistica', 'logistica', NULL, NULL, 'logistics'),
(17, 'cmr', 'cmr', NULL, NULL, 'cmr'),
(18, 'dua', 'dua', NULL, NULL, 'dua'),
(19, 'inmovilizado', 'inmovilizado', NULL, NULL, 'fixedAssets'),
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
INSERT INTO `vn`.`dms`(`id`, `dmsTypeFk`, `file`, `contentType`, `workerFk`, `warehouseFk`, `companyFk`, `hardCopyNumber`, `hasFile`, `reference`, `description`, `created`)
VALUES


@ -20,14 +20,19 @@ module.exports = Self => {
});
Self.isEditable = async(ctx, id, options) => {
const userId = ctx.req.accessToken.userId;
const models = Self.app.models;
const myOptions = {};
if (typeof options == 'object')
Object.assign(myOptions, options);
const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
if (!state) return false;
return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code);
const state = await models.ClaimState.findById(id, {
include: {
relation: 'writeRole'
}
}, myOptions);
const roleWithGrants = state && state.writeRole().name;
return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
};
};
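Review bot: `roleWithGrants` is `null` when `state` is missing and the expression throws when `state.writeRole()` returns null (a claim state with no role), so `isEditable` for those cases hinges on how `VnUser.hasRole` treats a null role name rather than on an explicit decision. Return early instead: `const writeRole = state && state.writeRole(); if (!writeRole) return false;` and then pass `writeRole.name` to `hasRole`. Unlike `DmsType.hasRole` elsewhere in this commit, this check has no root override; if that asymmetry is deliberate, a one-line comment saying so would help.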


@ -75,7 +75,7 @@ module.exports = Self => {
let srcFile;
try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE', myOptions);
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);


@ -33,7 +33,7 @@ module.exports = Self => {
});
Self.downloadFile = async function(ctx, id) {
if (!await Self.app.models.Dms.checkRole(ctx, id, 'READ') && !await Self.isMine(ctx, id))
if (!await Self.app.models.Dms.checkRole(ctx, id) && !await Self.isMine(ctx, id))
throw new UserError(`You don't have enough privileges`);
return await Self.app.models.Dms.getFile(id);
};