refs #5488 fix(): use hasWriteRole

Alex Moreno 2023-04-28 09:35:15 +02:00
parent 28ead70615
commit 42e3c8f29d
14 changed files with 162 additions and 106 deletions


@ -35,14 +35,14 @@ module.exports = Self => {
try { try {
const dms = await models.Dms.findById(id, null, myOptions); const dms = await models.Dms.findById(id, null, myOptions);
const hasWriteRole = await models.DmsType.checkRole(ctx, dms.dmsTypeFk, 'WRITE', myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);
const trashDmsType = await models.DmsType.findOne({ const trashDmsType = await models.DmsType.findOne({
where: {code: 'trash'} where: {code: 'trash'}
}, myOptions); }, myOptions);
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk, myOptions);
if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`);
await dms.updateAttribute('dmsTypeFk', trashDmsType.id, myOptions); await dms.updateAttribute('dmsTypeFk', trashDmsType.id, myOptions);
if (tx) await tx.commit(); if (tx) await tx.commit();
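Review bot: `dms` is dereferenced unguarded on the line that builds the write check (`dms.dmsTypeFk`), so an unknown or already-deleted id surfaces as a TypeError from inside the transaction instead of a clean privilege/not-found error; add `if (!dms) throw new UserError(`You don't have enough privileges`);` directly after the `findById`. Moving the check behind the trash-type lookup is harmless since both are reads, but it remains the only authorization gate before `updateAttribute`, so it must stay ahead of any write. The enclosing try/catch and any rollback run outside the hunk.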


@ -71,7 +71,7 @@ module.exports = Self => {
} }
try { try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE'); const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId);
if (!hasWriteRole) if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);
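Review bot: `hasWriteRole(ctx, args.dmsTypeId)` is called here without the options object, whereas the sibling call sites in this commit forward `myOptions`; if this method does its work inside a transaction, the role lookup runs outside it and could observe a different state. If a `myOptions` is in scope (the function head is outside the hunk), pass it: `const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);`.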


@ -66,7 +66,7 @@ module.exports = Self => {
let srcFile; let srcFile;
try { try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE'); const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
if (!hasWriteRole) if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);


@ -67,7 +67,7 @@ module.exports = Self => {
if (!image) return false; if (!image) return false;
const hasReadRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', collection, 'READ'); const hasReadRole = await models.ImageCollection.hasReadRole(ctx, collection);
if (!hasReadRole) if (!hasReadRole)
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);
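Review bot: this is the caller of `ImageCollection.hasReadRole`, which in this same commit builds its `findOne` with the `include` in the options slot rather than the filter, so the `readRole` relation is never loaded and the value checked here is not the collection's read role; until that helper is fixed, this download path is gated by whatever `VnUser.hasRole` returns for an undefined role name. Worth a test that a user without the collection's read role gets the privilege error from this line. The function head is outside the hunk.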


@ -37,7 +37,7 @@ module.exports = Self => {
let tempFilePath; let tempFilePath;
try { try {
const hasWriteRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', args.collection, 'WRITE'); const hasWriteRole = await models.ImageCollection.hasWriteRole(ctx, args.collection);
if (!hasWriteRole) if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);


@ -1,18 +1,65 @@
module.exports = Self => { module.exports = Self => {
/**
* Checks if current user has
* read privileges over a dms
*
* @param {Object} ctx - Request context
* @param {Interger} id - DmsType id
* @param {Object} options - Query options
* @return {Boolean} True for user with read privileges
*/
Self.hasReadRole = async(ctx, id, options) => {
const models = Self.app.models;
const dmsType = await models.DmsType.findById(id, {
include: {
relation: 'readRole'
}
}, options);
return await hasRole(ctx, dmsType, options);
};
/** /**
* Checks if current user has * Checks if current user has
* write privileges over a dms * write privileges over a dms
* *
* @param {Object} ctx - Request context * @param {Object} ctx - Request context
* @param {Interger} id - DmsType id * @param {Interger} id - DmsType id
* @param {String} type - Acl accessType
* @param {Object} options - Query options * @param {Object} options - Query options
* @return {Boolean} True for user with write privileges * @return {Boolean} True for user with write privileges
*/ */
Self.checkRole = async(ctx, id, type, options) => { Self.hasWriteRole = async(ctx, id, options) => {
const models = Self.app.models; const models = Self.app.models;
const dmsType = await models.DmsType.findById(id, {fields: ['code']}, options); const dmsType = await models.DmsType.findById(id, {
include: {
relation: 'writeRole'
}
}, options);
return await models.ACL.checkAccessAcl(ctx, 'DmsType', dmsType.code, type); return await hasRole(ctx, dmsType, options);
}; };
/**
* Checks if current user has
* read or write privileges
* @param {Object} ctx - Context
* @param {Object} dmsType - Dms type [read/write]
* @param {Object} options - Query options
*/
async function hasRole(ctx, dmsType, options) {
const models = Self.app.models;
const myUserId = ctx.req.accessToken.userId;
const readRole = dmsType.readRole() && dmsType.readRole().name;
const writeRole = dmsType.writeRole() && dmsType.writeRole().name;
const requiredRole = readRole || writeRole;
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
if (isRoot || hasRequiredRole)
return true;
return false;
}
}; };
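Review bot: `hasRole` derives `requiredRole` as `readRole || writeRole`, and with the fixtures in this commit setting `readRoleFk`/`writeRoleFk` to NULL for most types that value is `undefined`, so whether those types fail open or closed depends entirely on what `VnUser.hasRole(userId, undefined)` returns, which nothing here pins. Fail closed before the lookup: `if (!requiredRole) return await models.VnUser.hasRole(myUserId, 'root', options);`. The `||` also means a write check is satisfied by the read role whenever an instance has both relations loaded; passing the relation name explicitly, e.g. `hasRole(ctx, dmsType, 'writeRole', options)`, and reading only that one removes the ambiguity. The two `VnUser.hasRole` lookups are independent and could be awaited together with `Promise.all`. The JSDoc type `{Interger}` should read `{Integer}` in both signatures.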


@ -38,27 +38,10 @@
"foreignKey": "writeRoleFk" "foreignKey": "writeRoleFk"
} }
}, },
"acls": [ "acls": [{
{ "accessType": "READ",
"property": "find", "principalType": "ROLE",
"accessType": "READ", "principalId": "$everyone",
"principalType": "ROLE", "permission": "ALLOW"
"principalId": "$everyone", }]
"permission": "ALLOW"
},
{
"property": "findById",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
},
{
"property": "findOne",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}
]
} }
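Review bot: the replacement rule grants `READ` to `$everyone` with no `property`, so it now covers every read-type endpoint of `DmsType`, including `count`, `exists` and the `readRole`/`writeRole` relation endpoints that reveal which role guards each document type, where the old rules enumerated `find`, `findById` and `findOne` only. If the intent is just to let the client list types, keep the `property` list, or at least narrow the principal: `{"accessType": "READ", "principalType": "ROLE", "principalId": "$authenticated", "permission": "ALLOW"}`. Whether unauthenticated requests reach this model at all depends on a base DENY rule that is not visible in this hunk.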


@ -7,11 +7,11 @@ module.exports = Self => {
require('../methods/dms/updateFile')(Self); require('../methods/dms/updateFile')(Self);
require('../methods/dms/deleteTrashFiles')(Self); require('../methods/dms/deleteTrashFiles')(Self);
Self.checkRole = async function(ctx, id, type) { Self.checkRole = async function(ctx, id) {
const models = Self.app.models; const models = Self.app.models;
const dms = await Self.findById(id); const dms = await Self.findById(id);
return await models.DmsType.checkRole(ctx, dms.dmsTypeFk, type); return await models.DmsType.hasReadRole(ctx, dms.dmsTypeFk);
}; };
Self.getFile = async function(id) { Self.getFile = async function(id) {
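Review bot: `Self.checkRole` now checks only the read role but keeps its generic name, and `dms.dmsTypeFk` is dereferenced without a null check, so an unknown `id` coming through `downloadFile` ends in a TypeError rather than the privilege error. Add `if (!dms) return false;` after the `findById`, and consider exposing it as `Self.hasReadRole = Self.checkRole;` so a future caller does not assume it covers writes. The `options` argument the `DmsType` helpers accept is not forwarded here, so the lookup always runs outside any caller transaction.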


@ -0,0 +1,64 @@
module.exports = Self => {
/**
* Checks if current user has
* read privileges over a collection
*
* @param {object} ctx - Request context
* @param {interger} name - Collection name
* @param {object} options - Query options
* @return {boolean} True for user with read privileges
*/
Self.hasReadRole = async(ctx, name, options) => {
const collection = await Self.findOne({where: {name}}, {
include: {
relation: 'readRole'
}
}, options);
return await hasRole(ctx, collection, options);
};
/**
* Checks if current user has
* write privileges over a collection
*
* @param {object} ctx - Request context
* @param {string} name - Collection name
* @param {object} options - Query options
* @return {boolean} True for user with write privileges
*/
Self.hasWriteRole = async(ctx, name, options) => {
const collection = await Self.findOne({
include: {
relation: 'writeRole'
},
where: {name}
}, options);
return await hasRole(ctx, collection, options);
};
/**
* Checks if current user has
* read or write privileges
* @param {Object} ctx - Context
* @param {Object} collection - Collection [read/write]
* @param {Object} options - Query options
*/
async function hasRole(ctx, collection, options) {
const models = Self.app.models;
const myUserId = ctx.req.accessToken.userId;
const readRole = collection.readRole() && collection.readRole().name;
const writeRole = collection.writeRole() && collection.writeRole().name;
const requiredRole = readRole || writeRole;
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
if (isRoot || hasRequiredRole)
return true;
return false;
}
};
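Review bot: `hasReadRole` passes the `include` as the second argument of `findOne`, which is the options slot, not the filter, so the `readRole` relation is never loaded and `options` lands in the callback position; `collection.readRole()` then yields nothing and `hasRole` falls through to `VnUser.hasRole` with an undefined role name, so read access to image collections depends on how that method treats `undefined` rather than on the collection's role. Build the filter the way `hasWriteRole` below does: `const collection = await Self.findOne({where: {name}, include: {relation: 'readRole'}}, options);`. `hasRole` also dereferences `collection` without handling an unknown `name` and uses `readRole || writeRole`, so a write check would be satisfied by a read role if both relations were loaded; add `if (!collection) return false;` and pass the relation name in explicitly. The JSDoc type for `name` on `hasReadRole` should be `{string}`, matching `hasWriteRole`.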


@ -1,28 +0,0 @@
-- DmsType model
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.readRoleFk;
-- ImageCollection model
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ImageCollection', i.name, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `hedera`.`imageCollection` i
JOIN `account`.`role` r ON r.id = i.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ImageCollection', i.name, 'READ', 'ALLOW', 'ROLE', r.name
FROM `hedera`.`imageCollection` i
JOIN `account`.`role` r ON r.id = i.readRoleFk;
-- ClaimState
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`claimState` c
JOIN `account`.`role` r ON r.id = c.roleFk;


@ -1775,11 +1775,6 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
( 6, 'mana', 'Mana', 72, 4, 0), ( 6, 'mana', 'Mana', 72, 4, 0),
( 7, 'lack', 'Faltas', 72, 2, 0); ( 7, 'lack', 'Faltas', 72, 2, 0);
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`claimState` c
JOIN `account`.`role` r ON r.id = c.roleFk;
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`) INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
VALUES VALUES
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11), (1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
@ -2326,36 +2321,26 @@ INSERT INTO `vn`.`workerTimeControl`(`userFk`, `timed`, `manual`, `direction`, `
INSERT INTO `vn`.`dmsType`(`id`, `name`, `path`, `readRoleFk`, `writeRoleFk`, `code`) INSERT INTO `vn`.`dmsType`(`id`, `name`, `path`, `readRoleFk`, `writeRoleFk`, `code`)
VALUES VALUES
(1, 'Facturas Recibidas', 'recibidas', 1, 1, 'invoiceIn'), (1, 'Facturas Recibidas', 'recibidas', NULL, NULL, 'invoiceIn'),
(2, 'Doc oficial', 'oficial', 1, 1, 'officialDoc'), (2, 'Doc oficial', 'oficial', NULL, NULL, 'officialDoc'),
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'), (3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
(4, 'Albaranes recibidos', 'entradas', 1, 1, 'deliveryNote'), (4, 'Albaranes recibidos', 'entradas', NULL, NULL, 'deliveryNote'),
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'), (5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
(6, 'Pruebas', 'pruebas', 1, 1, 'tests'), (6, 'Pruebas', 'pruebas', NULL, NULL, 'tests'),
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'), (7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
(8, 'Fiscal', 'fiscal', 1, 1, 'fiscal'), (8, 'Fiscal', 'fiscal', NULL, NULL, 'fiscal'),
(9, 'Vehiculos', 'vehiculos', 1, 1, 'vehicles'), (9, 'Vehiculos', 'vehiculos', NULL, NULL, 'vehicles'),
(10, 'Plantillas', 'plantillas', 1, 1, 'templates'), (10, 'Plantillas', 'plantillas', NULL, NULL, 'templates'),
(11, 'Contratos', 'contratos', 1, 1, 'contracts'), (11, 'Contratos', 'contratos', NULL, NULL, 'contracts'),
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'), (12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
(13, 'Basura', 'basura', 1, 1, 'trash'), (13, 'Basura', 'basura', 1, 1, 'trash'),
(14, 'Ticket', 'tickets', 1, 1, 'ticket'), (14, 'Ticket', 'tickets', 1, 1, 'ticket'),
(15, 'Presupuestos', 'Presupuestos', 1, 1, 'budgets'), (15, 'Presupuestos', 'Presupuestos', NULL, NULL, 'budgets'),
(16, 'Logistica', 'logistica', 1, 1, 'logistics'), (16, 'Logistica', 'logistica', NULL, NULL, 'logistics'),
(17, 'cmr', 'cmr', 1, 1, 'cmr'), (17, 'cmr', 'cmr', NULL, NULL, 'cmr'),
(18, 'dua', 'dua', 1, 1, 'dua'), (18, 'dua', 'dua', NULL, NULL, 'dua'),
(19, 'inmovilizado', 'inmovilizado', 1, 1, 'fixedAssets'), (19, 'inmovilizado', 'inmovilizado', NULL, NULL, 'fixedAssets'),
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim'); (20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
FROM `vn`.`dmsType` d
JOIN `account`.`role` r ON r.id = d.readRoleFk;
INSERT INTO `vn`.`dms`(`id`, `dmsTypeFk`, `file`, `contentType`, `workerFk`, `warehouseFk`, `companyFk`, `hardCopyNumber`, `hasFile`, `reference`, `description`, `created`) INSERT INTO `vn`.`dms`(`id`, `dmsTypeFk`, `file`, `contentType`, `workerFk`, `warehouseFk`, `companyFk`, `hardCopyNumber`, `hasFile`, `reference`, `description`, `created`)
VALUES VALUES
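Review bot: setting `readRoleFk`/`writeRoleFk` to NULL for most `dmsType` rows means the new `DmsType.hasRole` derives an undefined role name for them, so any test that touches `invoiceIn`, `officialDoc`, `deliveryNote` and the rest now exercises whatever `VnUser.hasRole(userId, undefined)` happens to return instead of a real role. Either keep a role on those rows or add a test asserting that a non-root user is denied on a type with no role, so the fail-closed behaviour is pinned rather than accidental. Dropping the `INSERT INTO salix.ACL ... SELECT` blocks is consistent with the code no longer reading ACL for these checks.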


@ -20,14 +20,19 @@ module.exports = Self => {
}); });
Self.isEditable = async(ctx, id, options) => { Self.isEditable = async(ctx, id, options) => {
const userId = ctx.req.accessToken.userId;
const models = Self.app.models; const models = Self.app.models;
const myOptions = {}; const myOptions = {};
if (typeof options == 'object') if (typeof options == 'object')
Object.assign(myOptions, options); Object.assign(myOptions, options);
const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
if (!state) return false;
return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code); const state = await models.ClaimState.findById(id, {
include: {
relation: 'writeRole'
}
}, myOptions);
const roleWithGrants = state && state.writeRole().name;
return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
}; };
}; };
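Review bot: `state && state.writeRole().name` drops the explicit `if (!state) return false;` the old code had: a missing state now reaches `VnUser.hasRole(userId, null)`, and a state whose `writeRole` relation resolves to nothing throws a TypeError on `.name` instead of denying. Fail closed in both cases: `if (!state) return false;` then `const writeRole = state.writeRole(); if (!writeRole) return false;` and finally `return await models.VnUser.hasRole(userId, writeRole.name, myOptions);`. The `include` filter also drops the old `fields: ['code']`, which is fine since `code` is no longer used.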


@ -75,7 +75,7 @@ module.exports = Self => {
let srcFile; let srcFile;
try { try {
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE', myOptions); const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
if (!hasWriteRole) if (!hasWriteRole)
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);


@ -33,7 +33,7 @@ module.exports = Self => {
}); });
Self.downloadFile = async function(ctx, id) { Self.downloadFile = async function(ctx, id) {
if (!await Self.app.models.Dms.checkRole(ctx, id, 'READ') && !await Self.isMine(ctx, id)) if (!await Self.app.models.Dms.checkRole(ctx, id) && !await Self.isMine(ctx, id))
throw new UserError(`You don't have enough privileges`); throw new UserError(`You don't have enough privileges`);
return await Self.app.models.Dms.getFile(id); return await Self.app.models.Dms.getFile(id);
}; };