feat(salix): refs #6427 recoveryPhone security

2024-05-23 15:35:15 +02:00 · 2024-05-23 15:35:15 +02:00 · 4d40d825a2
parent 0f201c36de
commit 4d40d825a2
4 changed files with 9 additions and 29 deletions
--- a/back/methods/vn-user/update-user.js
+++ b/back/methods/vn-user/update-user.js
@ -20,6 +20,10 @@ module.exports = Self => {
                arg: 'email',
                type: 'string',
                description: 'The user email'
+            }, {
+                arg: 'recoveryPhone',
+                type: 'string',
+                description: 'The user email'
            }, {
                arg: 'lang',
                type: 'string',
@ -32,8 +36,8 @@ module.exports = Self => {
        }
    });

-    Self.updateUser = async(ctx, id, name, nickname, email, lang) => {
+    Self.updateUser = async(ctx, id, name, nickname, email, recoveryPhone, lang) => {
        await Self.userSecurity(ctx, id);
-        await Self.upsertWithWhere({id}, {name, nickname, email, lang});
+        await Self.upsertWithWhere({id}, {name, nickname, email, recoveryPhone, lang});
    };
 };
--- a/back/models/vn-user.js
+++ b/back/models/vn-user.js
@ -232,6 +232,8 @@ module.exports = function(Self) {
        const user = await models.VnUser.findById(userId, {fields: ['id', 'emailVerified']}, myOptions);
        if (!user.emailVerified && hasMediumPrivileges) return;

+        if (ctx.args.recoveryPhone) throw new ForbiddenError();
+
        throw new ForbiddenError();
    };

--- a/loopback/locale/es.json
+++ b/loopback/locale/es.json
@ -359,12 +359,5 @@
 	"It was not able to create the invoice": "No se pudo crear la factura",
 	"ticketCommercial": "El ticket {{ ticket }} para el vendedor {{ salesMan }} está en preparación. (mensaje generado automáticamente)",
 	"This PDA is already assigned to another user": "Este PDA ya está asignado a otro usuario",
-	"You can only have one PDA": "Solo puedes tener un PDA",
-    "Phone not valid": "Teléfono no es válido",
-	"User not valid": "Usuario no válido",
-	"Credentials not valid": "Credenciales no válidas",
-	"This worker cant be modified": "This worker cant be modified",
-	"Phone can't be updated": "Phone can't be updated",
-	"ReferenceError: models is not defined": "ReferenceError: models is not defined"
-
+	"You can only have one PDA": "Solo puedes tener un PDA"
 }
--- a/modules/worker/back/models/worker.js
+++ b/modules/worker/back/models/worker.js
@ -1,4 +1,3 @@
-const UserError = require('vn-loopback/util/user-error');
 module.exports = Self => {
    const validateTin = require('vn-loopback/util/validateTin');
    require('../methods/worker/filter')(Self);
@ -39,22 +38,4 @@ module.exports = Self => {
            err();
        done();
    }
-
-    Self.observe('before save', async function(ctx, next) {
-        if (ctx.isNewInstance) return;
-        const instanceId = ctx.currentInstance.id;
-        const userId = ctx.options.accessToken.userId;
-        const isOwner = instanceId === userId;
-        const phoneHasChanged = !!ctx.data.user?.recoveryPhone;
-
-        if (!isOwner) {
-            if (phoneHasChanged) {
-                const {recoveryPhone} = ctx.data.user;
-                const {id} = ctx.currentInstance;
-                await Self.app.models.VnUser.updateAll({id}, {recoveryPhone});
-                ctx.data.code = ctx.currentInstance.code;
-            }
-        }
-        delete ctx.data.user;
-    });
 };