From 4f802211012350cf664f5dc34c15763ced3a7873 Mon Sep 17 00:00:00 2001
From: jorgep
Date: Mon, 24 Jul 2023 10:34:44 +0200
Subject: [PATCH] refs #5929 added ACL and accurate errors

---
 db/changes/233201/00-updatePrice.sql | 2 ++
 loopback/locale/es.json | 6 +++--
 .../ticket/back/methods/ticket/isEditable.js | 23 +++++++++++++++----
 3 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 db/changes/233201/00-updatePrice.sql

diff --git a/db/changes/233201/00-updatePrice.sql b/db/changes/233201/00-updatePrice.sql
new file mode 100644
index 000000000..93888df6e
--- /dev/null
+++ b/db/changes/233201/00-updatePrice.sql
@@ -0,0 +1,2 @@
+INSERT INTO `salix`.`ACL` (`model`,`property`,`accessType`,`permission`,`principalType`,`principalId`)
+ VALUES ('Ticket','*','*','ALLOW','ROLE','buyer');
diff --git a/loopback/locale/es.json b/loopback/locale/es.json
index d95e8d8a4..1a200709f 100644
--- a/loopback/locale/es.json
+++ b/loopback/locale/es.json
@@ -307,5 +307,7 @@
     "Negative basis of tickets": "Base negativa para los tickets: {{ticketsIds}}",
     "The company has not informed the supplier account for bank transfers": "La empresa no tiene informado la cuenta de proveedor para transferencias bancarias",
     "You cannot assign/remove an alias that you are not assigned to": "No puede asignar/eliminar un alias que no tenga asignado",
-    "This invoice has a linked vehicle.": "Esta factura tiene un vehiculo vinculado"
-}
+    "This invoice has a linked vehicle.": "Esta factura tiene un vehiculo vinculado",
+    "You don't have enough privileges.": "You don't have enough privileges.",
+    "This ticket is locked.": "This ticket is locked."
+}
\ No newline at end of file
diff --git a/modules/ticket/back/methods/ticket/isEditable.js b/modules/ticket/back/methods/ticket/isEditable.js
index 13bd4d57f..9f7e14dcc 100644
--- a/modules/ticket/back/methods/ticket/isEditable.js
+++ b/modules/ticket/back/methods/ticket/isEditable.js
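Review bot: The new ACL row grants the buyer role `'*'` access on every Ticket property and remote method, while the only consumer of it in this commit is `checkAccessAcl(ctx, 'Ticket', 'buyer', 'WRITE')` in isEditable.js; the wildcard satisfies that check but also opens every other Ticket method to buyers. Scope the grant to the single pseudo-property and access type the code consults, `VALUES ('Ticket','buyer','WRITE','ALLOW','ROLE','buyer');`, so the row can be audited against its one consumer. Whether other rows in salix.ACL already widen or deny buyer access on Ticket is not visible here, so the effective permission set for the role should be verified before merge.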
@@ -1,3 +1,5 @@
+const UserError = require('vn-loopback/util/user-error');
+
 module.exports = Self => {
     Self.remoteMethodCtx('isEditable', {
         description: 'Check if a ticket is editable',
@@ -31,7 +33,7 @@ module.exports = Self => {
         }, myOptions);

         const isRoleAdvanced = await models.ACL.checkAccessAcl(ctx, 'Ticket', 'isRoleAdvanced', '*');
-
+        const canEditWeeklyTicket = await models.ACL.checkAccessAcl(ctx, 'Ticket', 'buyer', 'WRITE');
         const alertLevel = state ? state.alertLevel : null;
         const ticket = await models.Ticket.findById(id, {
             fields: ['clientFk'],
@@ -48,13 +50,26 @@ module.exports = Self => {
         const isLocked = await models.Ticket.isLocked(id, myOptions);
         const isWeekly = await models.TicketWeekly.findOne({where: {ticketFk: id}}, myOptions);

+        console.log('isRoleAdvanced', isRoleAdvanced);
+        console.log('canEditWeeklyTicket', canEditWeeklyTicket);
+        console.log('ticket', ticket);
+        console.log('isLocked', isLocked);
+        console.log('isWeekly', isWeekly);
         const alertLevelGreaterThanZero = (alertLevel && alertLevel > 0);
         const isNormalClient = ticket && ticket.client().type().code == 'normal';
         const isEditable = !(alertLevelGreaterThanZero && isNormalClient);
+        if (!ticket)
+            throw new UserError(`The ticket doesn't exist.`);

-        if (ticket && (isEditable || isRoleAdvanced) && !isLocked && !isWeekly)
-            return true;
+        if (!isEditable && !isRoleAdvanced)
+            throw new UserError(`This ticket is not editable.`);

-        return false;
+        if (isLocked)
+            throw new UserError(`This ticket is locked.`);
+
+        if (isWeekly && !canEditWeeklyTicket)
+            throw new UserError(`You don't have enough privileges.`);
+
+        return true;
     };
 };
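Review bot: The pseudo-property passed to `checkAccessAcl` on the added `canEditWeeklyTicket` line is `'buyer'`, the same string as the role the ACL row authorizes, so the check reads as "buyer may WRITE buyer" and tells a later reader nothing about weekly tickets or which capability the row protects. Name the property after the capability and keep the SQL row in step, e.g. `const canEditWeeklyTicket = await models.ACL.checkAccessAcl(ctx, 'Ticket', 'canEditWeeklyTicket', 'WRITE');`. The enclosing method starts before this hunk.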
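Review bot: The five `console.log` calls added before `alertLevelGreaterThanZero` print the full `ticket` record (with its client relation), the `TicketWeekly` row and both ACL results to stdout on every isEditable call; they read as debugging leftovers and would put client data into server logs in production, so they should be deleted before merge. Separately, the new messages `The ticket doesn't exist.` and `This ticket is not editable.` are not among the es.json strings this commit adds, so unless they already exist there Spanish users will see them untranslated. The enclosing method starts before this hunk.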