Merge pull request '6067-vnUser_privileges_and_verifyEmail' (!1764) from 6067-vnUser_privileges_and_verifyEmail into dev
gitea/salix/pipeline/head This commit looks good
Details
gitea/salix/pipeline/head This commit looks good
Details
Reviewed-on: #1764 Reviewed-by: Juan Ferrer <juan@verdnatura.es>
This commit is contained in:
commit
44b2155c2b
|
@ -0,0 +1,40 @@
|
|||
module.exports = function(Self) {
|
||||
Self.remoteMethod('getByUser', {
|
||||
description: 'returns the starred modules for the current user',
|
||||
accessType: 'READ',
|
||||
accepts: [{
|
||||
arg: 'userId',
|
||||
type: 'number',
|
||||
description: 'The user id',
|
||||
required: true,
|
||||
http: {source: 'path'}
|
||||
}],
|
||||
returns: {
|
||||
type: 'object',
|
||||
root: true
|
||||
},
|
||||
http: {
|
||||
path: `/:userId/get-by-user`,
|
||||
verb: 'GET'
|
||||
}
|
||||
});
|
||||
|
||||
Self.getByUser = async userId => {
|
||||
const models = Self.app.models;
|
||||
const appNames = ['hedera'];
|
||||
const filter = {
|
||||
fields: ['appName', 'url'],
|
||||
where: {
|
||||
appName: {inq: appNames},
|
||||
environment: process.env.NODE_ENV ?? 'development',
|
||||
}
|
||||
};
|
||||
|
||||
const isWorker = await models.Account.findById(userId, {fields: ['id']});
|
||||
if (!isWorker)
|
||||
return models.Url.find(filter);
|
||||
|
||||
appNames.push('salix');
|
||||
return models.Url.find(filter);
|
||||
};
|
||||
};
|
|
@ -0,0 +1,19 @@
|
|||
const {models} = require('vn-loopback/server/server');
|
||||
|
||||
describe('getByUser()', () => {
|
||||
const worker = 1;
|
||||
const notWorker = 2;
|
||||
it(`should return only hedera url if not is worker`, async() => {
|
||||
const urls = await models.Url.getByUser(notWorker);
|
||||
|
||||
expect(urls.length).toEqual(1);
|
||||
expect(urls[0].appName).toEqual('hedera');
|
||||
});
|
||||
|
||||
it(`should return more than hedera url`, async() => {
|
||||
const urls = await models.Url.getByUser(worker);
|
||||
|
||||
expect(urls.length).toBeGreaterThan(1);
|
||||
expect(urls.find(url => url.appName == 'salix').appName).toEqual('salix');
|
||||
});
|
||||
});
|
|
@ -0,0 +1,39 @@
|
|||
module.exports = Self => {
|
||||
Self.remoteMethodCtx('updateUser', {
|
||||
description: 'Update user data',
|
||||
accepts: [
|
||||
{
|
||||
arg: 'id',
|
||||
type: 'integer',
|
||||
description: 'The user id',
|
||||
required: true,
|
||||
http: {source: 'path'}
|
||||
}, {
|
||||
arg: 'name',
|
||||
type: 'string',
|
||||
description: 'The user name',
|
||||
}, {
|
||||
arg: 'nickname',
|
||||
type: 'string',
|
||||
description: 'The user nickname',
|
||||
}, {
|
||||
arg: 'email',
|
||||
type: 'string',
|
||||
description: 'The user email'
|
||||
}, {
|
||||
arg: 'lang',
|
||||
type: 'string',
|
||||
description: 'The user lang'
|
||||
}
|
||||
],
|
||||
http: {
|
||||
path: `/:id/update-user`,
|
||||
verb: 'PATCH'
|
||||
}
|
||||
});
|
||||
|
||||
Self.updateUser = async(ctx, id, name, nickname, email, lang) => {
|
||||
await Self.userSecurity(ctx, id);
|
||||
await Self.upsertWithWhere({id}, {name, nickname, email, lang});
|
||||
};
|
||||
};
|
|
@ -1,4 +1,5 @@
|
|||
const models = require('vn-loopback/server/server').models;
|
||||
const ForbiddenError = require('vn-loopback/util/forbiddenError');
|
||||
|
||||
describe('loopback model VnUser', () => {
|
||||
it('should return true if the user has the given role', async() => {
|
||||
|
@ -12,4 +13,42 @@ describe('loopback model VnUser', () => {
|
|||
|
||||
expect(result).toBeFalsy();
|
||||
});
|
||||
|
||||
describe('userSecurity', () => {
|
||||
const itManagementId = 115;
|
||||
const hrId = 37;
|
||||
const employeeId = 1;
|
||||
|
||||
it('should check if you are the same user', async() => {
|
||||
const ctx = {options: {accessToken: {userId: employeeId}}};
|
||||
await models.VnUser.userSecurity(ctx, employeeId);
|
||||
});
|
||||
|
||||
it('should check for higher privileges', async() => {
|
||||
const ctx = {options: {accessToken: {userId: itManagementId}}};
|
||||
await models.VnUser.userSecurity(ctx, employeeId);
|
||||
});
|
||||
|
||||
it('should check if you have medium privileges and the user email is not verified', async() => {
|
||||
const ctx = {options: {accessToken: {userId: hrId}}};
|
||||
await models.VnUser.userSecurity(ctx, employeeId);
|
||||
});
|
||||
|
||||
it('should throw an error if you have medium privileges and the users email is verified', async() => {
|
||||
const tx = await models.VnUser.beginTransaction({});
|
||||
const ctx = {options: {accessToken: {userId: hrId}}};
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
const userToUpdate = await models.VnUser.findById(1, null, options);
|
||||
userToUpdate.updateAttribute('emailVerified', 1, options);
|
||||
|
||||
await models.VnUser.userSecurity(ctx, employeeId, options);
|
||||
await tx.rollback();
|
||||
} catch (error) {
|
||||
await tx.rollback();
|
||||
|
||||
expect(error).toEqual(new ForbiddenError());
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
module.exports = Self => {
|
||||
require('../methods/url/getByUser')(Self);
|
||||
};
|
|
@ -1,6 +1,7 @@
|
|||
const vnModel = require('vn-loopback/common/models/vn-model');
|
||||
const LoopBackContext = require('loopback-context');
|
||||
const {Email} = require('vn-print');
|
||||
const ForbiddenError = require('vn-loopback/util/forbiddenError');
|
||||
|
||||
module.exports = function(Self) {
|
||||
vnModel(Self);
|
||||
|
@ -12,6 +13,7 @@ module.exports = function(Self) {
|
|||
require('../methods/vn-user/privileges')(Self);
|
||||
require('../methods/vn-user/validate-auth')(Self);
|
||||
require('../methods/vn-user/renew-token')(Self);
|
||||
require('../methods/vn-user/update-user')(Self);
|
||||
|
||||
Self.definition.settings.acls = Self.definition.settings.acls.filter(acl => acl.property !== 'create');
|
||||
|
||||
|
@ -178,45 +180,75 @@ module.exports = function(Self) {
|
|||
Self.sharedClass._methods.find(method => method.name == 'changePassword').ctor.settings.acls
|
||||
.filter(acl => acl.property != 'changePassword');
|
||||
|
||||
// FIXME: https://redmine.verdnatura.es/issues/5761
|
||||
// Self.afterRemote('prototype.patchAttributes', async(ctx, instance) => {
|
||||
// if (!ctx.args || !ctx.args.data.email) return;
|
||||
Self.userSecurity = async(ctx, userId, options) => {
|
||||
const models = Self.app.models;
|
||||
const accessToken = ctx?.options?.accessToken || LoopBackContext.getCurrentContext().active.accessToken;
|
||||
const ctxToken = {req: {accessToken}};
|
||||
|
||||
// const loopBackContext = LoopBackContext.getCurrentContext();
|
||||
// const httpCtx = {req: loopBackContext.active};
|
||||
// const httpRequest = httpCtx.req.http.req;
|
||||
// const headers = httpRequest.headers;
|
||||
// const origin = headers.origin;
|
||||
// const url = origin.split(':');
|
||||
if (userId === accessToken.userId) return;
|
||||
|
||||
// class Mailer {
|
||||
// async send(verifyOptions, cb) {
|
||||
// const params = {
|
||||
// url: verifyOptions.verifyHref,
|
||||
// recipient: verifyOptions.to,
|
||||
// lang: ctx.req.getLocale()
|
||||
// };
|
||||
const myOptions = {};
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
// const email = new Email('email-verify', params);
|
||||
// email.send();
|
||||
const hasHigherPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'higherPrivileges', myOptions);
|
||||
if (hasHigherPrivileges) return;
|
||||
|
||||
// cb(null, verifyOptions.to);
|
||||
// }
|
||||
// }
|
||||
const hasMediumPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'mediumPrivileges', myOptions);
|
||||
const user = await models.VnUser.findById(userId, {fields: ['id', 'emailVerified']}, myOptions);
|
||||
if (!user.emailVerified && hasMediumPrivileges) return;
|
||||
|
||||
// const options = {
|
||||
// type: 'email',
|
||||
// to: instance.email,
|
||||
// from: {},
|
||||
// redirect: `${origin}/#!/account/${instance.id}/basic-data?emailConfirmed`,
|
||||
// template: false,
|
||||
// mailer: new Mailer,
|
||||
// host: url[1].split('/')[2],
|
||||
// port: url[2],
|
||||
// protocol: url[0],
|
||||
// user: Self
|
||||
// };
|
||||
|
||||
// await instance.verify(options);
|
||||
// });
|
||||
throw new ForbiddenError();
|
||||
};
|
||||
|
||||
Self.observe('after save', async ctx => {
|
||||
const instance = ctx?.instance;
|
||||
const newEmail = instance?.email;
|
||||
const oldEmail = ctx?.hookState?.oldInstance?.email;
|
||||
if (!ctx.isNewInstance && (!newEmail || !oldEmail || newEmail == oldEmail)) return;
|
||||
|
||||
const loopBackContext = LoopBackContext.getCurrentContext();
|
||||
const httpCtx = {req: loopBackContext.active};
|
||||
const httpRequest = httpCtx.req.http.req;
|
||||
const headers = httpRequest.headers;
|
||||
const origin = headers.origin;
|
||||
const url = origin.split(':');
|
||||
|
||||
const env = process.env.NODE_ENV;
|
||||
const liliumUrl = await Self.app.models.Url.findOne({
|
||||
where: {and: [
|
||||
{appName: 'lilium'},
|
||||
{environment: env}
|
||||
]}
|
||||
});
|
||||
|
||||
class Mailer {
|
||||
async send(verifyOptions, cb) {
|
||||
const params = {
|
||||
url: verifyOptions.verifyHref,
|
||||
recipient: verifyOptions.to
|
||||
};
|
||||
|
||||
const email = new Email('email-verify', params);
|
||||
email.send();
|
||||
|
||||
cb(null, verifyOptions.to);
|
||||
}
|
||||
}
|
||||
|
||||
const options = {
|
||||
type: 'email',
|
||||
to: newEmail,
|
||||
from: {},
|
||||
redirect: `${liliumUrl.url}verifyEmail?userId=${instance.id}`,
|
||||
template: false,
|
||||
mailer: new Mailer,
|
||||
host: url[1].split('/')[2],
|
||||
port: url[2],
|
||||
protocol: url[0],
|
||||
user: Self
|
||||
};
|
||||
|
||||
await instance.verify(options, ctx.options);
|
||||
});
|
||||
};
|
||||
|
|
|
@ -18,10 +18,7 @@
|
|||
"required": true
|
||||
},
|
||||
"username": {
|
||||
"type": "string",
|
||||
"mysql": {
|
||||
"columnName": "name"
|
||||
}
|
||||
"type": "string"
|
||||
},
|
||||
"roleFk": {
|
||||
"type": "number",
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||
VALUES
|
||||
('VnUser', 'higherPrivileges', '*', 'ALLOW', 'ROLE', 'itManagement'),
|
||||
('VnUser', 'mediumPrivileges', '*', 'ALLOW', 'ROLE', 'hr'),
|
||||
('VnUser', 'updateUser', '*', 'ALLOW', 'ROLE', 'employee');
|
||||
|
||||
ALTER TABLE `account`.`user` ADD `username` varchar(30) AS (name) VIRTUAL;
|
|
@ -0,0 +1,7 @@
|
|||
INSERT INTO `salix`.`url` (`appName`, `environment`, `url`)
|
||||
VALUES
|
||||
('hedera', 'test', 'https://test-shop.verdnatura.es/'),
|
||||
('hedera', 'production', 'https://shop.verdnatura.es/');
|
||||
|
||||
INSERT INTO `salix`.`ACL` ( model, property, accessType, permission, principalType, principalId)
|
||||
VALUES('Url', 'getByUser', 'READ', 'ALLOW', 'ROLE', '$everyone');
|
|
@ -2867,6 +2867,7 @@ INSERT INTO `vn`.`profileType` (`id`, `name`)
|
|||
INSERT INTO `salix`.`url` (`appName`, `environment`, `url`)
|
||||
VALUES
|
||||
('lilium', 'development', 'http://localhost:9000/#/'),
|
||||
('hedera', 'development', 'http://localhost:9090/'),
|
||||
('salix', 'development', 'http://localhost:5000/#!/');
|
||||
|
||||
INSERT INTO `vn`.`report` (`id`, `name`, `paperSizeFk`, `method`)
|
||||
|
|
|
@ -21,5 +21,16 @@
|
|||
"model": "VnUser",
|
||||
"foreignKey": "account"
|
||||
}
|
||||
}
|
||||
},
|
||||
"acls": [{
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$owner",
|
||||
"permission": "ALLOW"
|
||||
}, {
|
||||
"accessType": "WRITE",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$owner",
|
||||
"permission": "ALLOW"
|
||||
}]
|
||||
}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
<mg-ajax path="VnUsers/{{patch.params.id}}/update-user" options="vnPatch"></mg-ajax>
|
||||
<vn-watcher
|
||||
vn-id="watcher"
|
||||
url="VnUsers"
|
||||
data="$ctrl.user"
|
||||
id-value="$ctrl.$params.id"
|
||||
form="form">
|
||||
form="form"
|
||||
save="patch">
|
||||
</vn-watcher>
|
||||
<form
|
||||
name="form"
|
||||
|
|
|
@ -18,5 +18,8 @@ ngModule.component('vnUserBasicData', {
|
|||
controller: Controller,
|
||||
require: {
|
||||
card: '^vnUserCard'
|
||||
},
|
||||
bindings: {
|
||||
user: '<'
|
||||
}
|
||||
});
|
||||
|
|
|
@ -78,7 +78,9 @@
|
|||
"state": "account.card.basicData",
|
||||
"component": "vn-user-basic-data",
|
||||
"description": "Basic data",
|
||||
"acl": ["itManagement"]
|
||||
"params": {
|
||||
"user": "$ctrl.user"
|
||||
}
|
||||
},
|
||||
{
|
||||
"url" : "/log",
|
||||
|
|
Loading…
Reference in New Issue