refs #6067 feat: vnUser use verify() and more security when update user and mailForward

2023-09-25 08:33:16 +02:00 · 2023-09-25 08:33:16 +02:00 · 6cf1095b10
parent db7f72e262
commit 6cf1095b10
10 changed files with 120 additions and 73 deletions
--- a/back/methods/vn-user/update-user.js
+++ b/back/methods/vn-user/update-user.js
@ -0,0 +1,41 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('updateUser', {
+        description: 'Update user data',
+        accepts: [
+            {
+                arg: 'id',
+                type: 'integer',
+                description: 'The user id',
+                required: true,
+                http: {source: 'path'}
+            }, {
+                arg: 'name',
+                type: 'string',
+                description: 'The user name',
+            }, {
+                arg: 'nickname',
+                type: 'string',
+                description: 'The user nickname',
+            }, {
+                arg: 'email',
+                type: 'string',
+                description: 'The user email'
+            }, {
+                arg: 'lang',
+                type: 'string',
+                description: 'The user lang'
+            }
+        ],
+        http: {
+            path: `/:id/update-user`,
+            verb: 'PATCH'
+        }
+    });
+
+    Self.updateUser = async(ctx, id) => {
+        await Self.userSecurity(ctx, id);
+        const user = await Self.app.models.VnUser.findById(id,
+            {fields: ['id', 'name', 'nickname', 'email', 'lang', 'password']});
+        await user.updateAttributes(ctx.args);
+    };
+};
--- a/back/models/specs/vn-user.spec.js
+++ b/back/models/specs/vn-user.spec.js
@ -12,4 +12,42 @@ describe('loopback model VnUser', () => {

        expect(result).toBeFalsy();
    });
+
+    describe('userSecurity', () => {
+        const itManagementId = 115;
+        const hrId = 37;
+        const employeeId = 1;
+
+        it('should check if you are the same user', async() => {
+            const ctx = {options: {accessToken: {userId: employeeId}}};
+            await models.VnUser.userSecurity(ctx, employeeId);
+        });
+
+        it('should check for higher privileges', async() => {
+            const ctx = {options: {accessToken: {userId: itManagementId}}};
+            await models.VnUser.userSecurity(ctx, employeeId);
+        });
+
+        it('should check if you have medium privileges and the user email is not verified', async() => {
+            const ctx = {options: {accessToken: {userId: hrId}}};
+            await models.VnUser.userSecurity(ctx, employeeId);
+        });
+
+        it('should throw an error if you have medium privileges and the users email is verified', async() => {
+            const tx = await models.VnUser.beginTransaction({});
+            const ctx = {options: {accessToken: {userId: hrId}}};
+            try {
+                const options = {transaction: tx};
+                const userToUpdate = await models.VnUser.findById(1, null, options);
+                userToUpdate.updateAttribute('emailVerified', 1, options);
+
+                await models.VnUser.userSecurity(ctx, employeeId, options);
+                await tx.rollback();
+            } catch (error) {
+                await tx.rollback();
+
+                expect(error.message).toEqual(`You don't have enough privileges`);
+            }
+        });
+    });
 });
--- a/back/models/vn-user.js
+++ b/back/models/vn-user.js
@ -13,6 +13,7 @@ module.exports = function(Self) {
    require('../methods/vn-user/privileges')(Self);
    require('../methods/vn-user/validate-auth')(Self);
    require('../methods/vn-user/renew-token')(Self);
+    require('../methods/vn-user/update-user')(Self);

    Self.definition.settings.acls = Self.definition.settings.acls.filter(acl => acl.property !== 'create');

@ -179,32 +180,31 @@ module.exports = function(Self) {
    Self.sharedClass._methods.find(method => method.name == 'changePassword').ctor.settings.acls
        .filter(acl => acl.property != 'changePassword');

-    Self.observe('before save', async ctx => {
-        const instance = ctx.currentInstance || ctx.instance;
-        console.log(ctx);
-        await Self.userSecurity(ctx, instance.id);
-    });
-
-    Self.userSecurity = async(ctx, userId) => {
+    Self.userSecurity = async(ctx, userId, options) => {
        const models = Self.app.models;
-        const accessToken = ctx.options.accessToken || LoopBackContext.getCurrentContext().active.accessToken;
-        console.log(accessToken, LoopBackContext.getCurrentContext().active.http.req);
+        const accessToken = ctx?.options?.accessToken || LoopBackContext.getCurrentContext().active.accessToken;
        const ctxToken = {req: {accessToken}};

-        const hasHigherPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'higherPrivileges');
+        if (userId === accessToken.userId) return;
+
+        const myOptions = {};
+        if (typeof options == 'object')
+            Object.assign(myOptions, options);
+
+        const hasHigherPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'higherPrivileges', myOptions);
        if (hasHigherPrivileges) return;

-        const hasMediumPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'mediumPrivileges');
-        const user = await models.VnUser.findById(userId, {fields: ['id', 'emailVerified']});
+        const hasMediumPrivileges = await models.ACL.checkAccessAcl(ctxToken, 'VnUser', 'mediumPrivileges', myOptions);
+        const user = await models.VnUser.findById(userId, {fields: ['id', 'emailVerified']}, myOptions);
        if (!user.emailVerified && hasMediumPrivileges) return;

-        if (userId != accessToken.userId)
-            throw new UserError(`You don't have enough privileges`);
+        throw new UserError(`You don't have enough privileges`);
    };

-    // FIXME: https://redmine.verdnatura.es/issues/5761
-    Self.afterRemote('prototype.patchAttributes', async(ctx, instance) => {
-        if (!ctx.args || !ctx.args.data.email) return;
+    Self.observe('after save', async ctx => {
+        const newEmail = ctx?.instance?.email;
+        const oldEmail = ctx?.hookState?.oldInstance?.email;
+        if (!ctx.isNewInstance && (!newEmail || !oldEmail || newEmail == oldEmail)) return;

        const loopBackContext = LoopBackContext.getCurrentContext();
        const httpCtx = {req: loopBackContext.active};
@ -217,8 +217,7 @@ module.exports = function(Self) {
            async send(verifyOptions, cb) {
                const params = {
                    url: verifyOptions.verifyHref,
-                    recipient: verifyOptions.to,
-                    lang: ctx.req.getLocale()
+                    recipient: verifyOptions.to
                };

                const email = new Email('email-verify', params);
@ -230,9 +229,9 @@ module.exports = function(Self) {

        const options = {
            type: 'email',
-            to: instance.email,
+            to: newEmail,
            from: {},
-            redirect: `${origin}/#!/account/${instance.id}/basic-data?emailConfirmed`,
+            redirect: `${origin}/#!/account/${ctx.instance.id}/basic-data?emailConfirmed`,
            template: false,
            mailer: new Mailer,
            host: url[1].split('/')[2],
@ -241,6 +240,6 @@ module.exports = function(Self) {
            user: Self
        };

-        await instance.verify(options);
+        await ctx.instance.verify(options, ctx.options);
    });
 };
--- a/back/models/vn-user.json
+++ b/back/models/vn-user.json
@ -13,11 +13,12 @@
 			"type": "number",
 			"id": true
 		},
-		"username": {
+        "name": {
 			"type": "string",
-			"mysql": {
-				"columnName": "name"
-			}
+			"required": true
+		},
+		"username": {
+			"type": "string"
 		},
 		"password": {
 			"type": "string",
@ -123,13 +124,7 @@
 			"principalType": "ROLE",
 			"principalId": "$authenticated",
 			"permission": "ALLOW"
-		},
-        {
-          "principalType": "ROLE",
-          "principalId": "$authenticated",
-          "permission": "ALLOW",
-          "property": "patchAttributes"
-        }
+		}
 	],
    "scopes": {
        "preview": {
--- a/db/changes/234001/00-account_acl.sql
+++ b/db/changes/234001/00-account_acl.sql
@ -1,12 +1,7 @@
-DELETE FROM `salix`.`ACL`
-    WHERE
-        model = 'MailForward'
-        AND accessType = '*'
-        AND property = '*'
-        AND principalId = 'hr';
-
-
 INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
    VALUES
        ('VnUser', 'higherPrivileges', '*', 'ALLOW', 'ROLE', 'itManagement'),
-        ('VnUser', 'mediumPrivileges', '*', 'ALLOW', 'ROLE', 'hr');
+        ('VnUser', 'mediumPrivileges', '*', 'ALLOW', 'ROLE', 'hr'),
+        ('VnUser', 'updateUser', '*', 'ALLOW', 'ROLE', 'employee');
+
+ALTER TABLE `account`.`user` ADD `username` varchar(30) AS (name) VIRTUAL;
--- a/modules/account/back/models/mail-forward.js
+++ b/modules/account/back/models/mail-forward.js
@ -1,9 +1,5 @@

 module.exports = Self => {
-    Self.observe('loaded', async ctx => {
-        if (!ctx.data.account) return;
-        await Self.app.models.VnUser.userSecurity(ctx, ctx.data.account);
-    });
    Self.observe('before save', async ctx => {
        const instance = ctx.currentInstance || ctx.instance;
        await Self.app.models.VnUser.userSecurity(ctx, instance.account);
--- a/modules/account/back/models/mail-forward.json
+++ b/modules/account/back/models/mail-forward.json
@ -21,19 +21,5 @@
 			"model": "VnUser",
 			"foreignKey": "account"
 		}
-	},
-	"acls": [
-        {
-			"accessType": "READ",
-			"principalType": "ROLE",
-			"principalId": "$authenticated",
-			"permission": "ALLOW"
-        },
-        {
-			"accessType": "WRITE",
-			"principalType": "ROLE",
-			"principalId": "$authenticated",
-			"permission": "ALLOW"
-        }
-    ]
+	}
 }
--- a/modules/account/front/basic-data/index.html
+++ b/modules/account/front/basic-data/index.html
@ -1,11 +1,9 @@
-<mg-ajax path="VnUsers/{{post.params.id}}" options="vnPost"></mg-ajax>
+<mg-ajax path="VnUsers/{{patch.params.id}}/update-user" options="vnPatch"></mg-ajax>
 <vn-watcher
    vn-id="watcher"
-    url="VnUsers/preview"
    data="$ctrl.user"
-    where="{id: $ctrl.$params.id}"
    form="form"
-    save="post">
+    save="patch">
 </vn-watcher>
 <form
    name="form"
--- a/modules/account/front/basic-data/index.js
+++ b/modules/account/front/basic-data/index.js
@ -2,13 +2,6 @@ import ngModule from '../module';
 import Section from 'salix/components/section';

 export default class Controller extends Section {
-    set user(value) {
-        this._user = value;
-        console.log(value);
-    }
-    get user() {
-        return this._user;
-    }
    $onInit() {
        if (this.$params.emailConfirmed)
            this.vnApp.showSuccess(this.$t('Email verified successfully!'));
@ -25,5 +18,8 @@ ngModule.component('vnUserBasicData', {
    controller: Controller,
    require: {
        card: '^vnUserCard'
+    },
+    bindings: {
+        user: '<'
    }
 });
--- a/modules/account/front/routes.json
+++ b/modules/account/front/routes.json
@ -77,7 +77,10 @@
            "url": "/basic-data?emailConfirmed",
            "state": "account.card.basicData",
            "component": "vn-user-basic-data",
-            "description": "Basic data"
+            "description": "Basic data",
+            "params": {
+                "user": "$ctrl.user"
+            }
        },
        {
            "url" : "/log",