diff --git a/db/versions/11100-silverGerbera/00-modifyTimeControlAcls.sql b/db/versions/11100-silverGerbera/00-modifyTimeControlAcls.sql
new file mode 100644
index 000000000..473441a7e
--- /dev/null
+++ b/db/versions/11100-silverGerbera/00-modifyTimeControlAcls.sql
@@ -0,0 +1,18 @@
+UPDATE salix.ACL
+ SET principalId = 'teamBoss'
+ WHERE property IN ('addTimeEntry', 'deleteTimeEntry', 'updateTimeEntry', 'weeklyHourRecordEmail');
+
+UPDATE salix.ACL SET principalId = 'developer' WHERE property = 'sendMail';
+
+UPDATE salix.ACL
+ SET property = 'updateMailState'
+ WHERE property = 'updateWorkerTimeControlMail';
+
+INSERT INTO salix.ACL(model, property, accessType, permission, principalType, principalId)
+ VALUES
+ ('WorkerTimeControl', 'addTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+ ('WorkerTimeControl', 'deleteTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+ ('WorkerTimeControl', 'updateTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+ ('WorkerTimeControl', 'weeklyHourRecordEmail', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+ ('WorkerTimeControl', 'sendMail', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+ ('WorkerTimeControl', 'updateMailState', 'WRITE', 'ALLOW', 'ROLE', 'hr');
\ No newline at end of file
diff --git a/modules/worker/back/methods/worker-time-control/getMailStates.js b/modules/worker/back/methods/worker-time-control/getMailStates.js
index 855b5adc3..d55c185a5 100644
--- a/modules/worker/back/methods/worker-time-control/getMailStates.js
+++ b/modules/worker/back/methods/worker-time-control/getMailStates.js
@@ -1,3 +1,5 @@
+const UserError = require('vn-loopback/util/user-error');
+
 module.exports = Self => {
 Self.remoteMethodCtx('getMailStates', {
 description: 'Get the states of a month about time control mail',
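Review bot: The two UPDATE statements at the top of the new migration match on `property` alone, so `UPDATE salix.ACL SET principalId = 'developer' WHERE property = 'sendMail'` reassigns every ACL row named `sendMail` on any model that exposes a method of that name, not only `WorkerTimeControl`, and the IN-list update carries the same exposure. Scope both to the model the INSERTs below target, e.g. `WHERE model = 'WorkerTimeControl' AND property = 'sendMail'`. The UPDATEs also rewrite the principal of the existing rows in place rather than adding a row, so whichever role held those permissions before (not visible here) silently loses them; if that tightening is intended, a one-line comment in the migration saying so would spare the next reader a trip to the ACL table.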
@@ -36,6 +38,8 @@ module.exports = Self => {
 if (typeof options == 'object')
 Object.assign(myOptions, options);
+ if (!await models.Worker.isSubordinate(ctx, workerId)) throw new UserError(`You don't have enough privileges`);
+
 const times = await models.Time.find({
 fields: ['week'],
 where: {
diff --git a/modules/worker/back/methods/worker-time-control/resendWeeklyHourEmail.js b/modules/worker/back/methods/worker-time-control/resendWeeklyHourEmail.js
index 885637118..68d03f7e4 100644
--- a/modules/worker/back/methods/worker-time-control/resendWeeklyHourEmail.js
+++ b/modules/worker/back/methods/worker-time-control/resendWeeklyHourEmail.js
@@ -1,4 +1,5 @@
 const moment = require('moment');
+const UserError = require('vn-loopback/util/user-error');
 module.exports = Self => {
 Self.remoteMethodCtx('resendWeeklyHourEmail', {
@@ -35,6 +36,9 @@ module.exports = Self => {
 const yearNumber = dated.getFullYear();
 const weekNumber = moment(dated).isoWeek();
+ if (!await models.Worker.isSubordinate(ctx, workerId) || workerId === ctx.req.accessToken.userId)
+ throw new UserError(`You don't have enough privileges`);
+
 const workerTimeControlMail = await models.WorkerTimeControlMail.findOne({
 where: {
 workerFk: workerId,
diff --git a/modules/worker/back/methods/worker-time-control/specs/getMailStates.spec.js b/modules/worker/back/methods/worker-time-control/specs/getMailStates.spec.js
index cbad32323..083236ec6 100644
--- a/modules/worker/back/methods/worker-time-control/specs/getMailStates.spec.js
+++ b/modules/worker/back/methods/worker-time-control/specs/getMailStates.spec.js
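Review bot: The new subordinate check in getMailStates calls `isSubordinate(ctx, workerId)` without `myOptions`, although the hunk places it right after `Object.assign(myOptions, options)`; if `isSubordinate` accepts an options argument (its signature is not in this diff) the lookup should run in the caller's transaction: `if (!await models.Worker.isSubordinate(ctx, workerId, myOptions))`. The guard is also the opposite shape of the one this commit adds to resendWeeklyHourEmail, which additionally rejects the worker's own id; if a worker may read their own mail states but not resend them, a one-line comment on each check stating the rule would make the asymmetry look deliberate rather than accidental. getMailStates starts and ends outside the hunk.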
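Review bot: The guard `if (!await models.Worker.isSubordinate(ctx, workerId) || workerId === ctx.req.accessToken.userId)` reads as an accident, because the second clause refuses the request even when the first clause passed; if the intent is that nobody, boss included, may resend their own weekly record, say so above it: `// Bosses may resend for their subordinates, never for themselves`. The self-check is a strict comparison, so it only fires if `workerId` reaches this line as a number; that depends on the method's `accepts` declaration earlier in the file, which the diff does not show, and `Number(workerId) === ctx.req.accessToken.userId` would not depend on it. resendWeeklyHourEmail starts and ends outside the hunk.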
@@ -1,28 +1,36 @@
 const models = require('vn-loopback/server/server').models;
 describe('workerTimeControl getMailStates()', () => {
- const workerId = 9;
- const ctx = {args: {
- month: 12,
- year: 2000
- }};
+ const developerId = 9;
+ const developerBossId = 120;
+ const employeeId = 1;
+
+ let ctx;
+ let tx;
+ let opts;
+
+ beforeEach(async() => {
+ ctx = {req: {accessToken: {userId: developerBossId}}, args: {month: 12, year: 2000}};
+ tx = await models.WorkerTimeControl.beginTransaction({});
+ opts = {transaction: tx};
+ });
+
+ afterEach(async() => await tx.rollback());
 it('should get the states of a month about time control mail', async() => {
- const tx = await models.WorkerTimeControl.beginTransaction({});
+ const response = await models.WorkerTimeControl.getMailStates(ctx, developerId, opts);
+ expect(response[0].state).toEqual('REVISE');
+ expect(response[1].state).toEqual('SENDED');
+ expect(response[2].state).toEqual('CONFIRMED');
+ });
+
+ it('should throw an error if they are not subordinates', async() => {
+ ctx.req.accessToken.userId = employeeId;
 try {
- const options = {transaction: tx};
-
- const response = await models.WorkerTimeControl.getMailStates(ctx, workerId, options);
-
- expect(response[0].state).toEqual('REVISE');
- expect(response[1].state).toEqual('SENDED');
- expect(response[2].state).toEqual('CONFIRMED');
-
- await tx.rollback();
+ await models.WorkerTimeControl.getMailStates(ctx, developerId, opts);
 } catch (e) {
- await tx.rollback();
- throw e;
+ expect(e.message).toEqual('You don\'t have enough privileges');
 }
 });
 });
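Review bot: The new test 'should throw an error if they are not subordinates' passes when getMailStates does not throw, because its only `expect` lives inside the `catch` and a resolved call simply falls through, so a regression in the authorization check would go unnoticed. Assert the rejection directly, `await expectAsync(models.WorkerTimeControl.getMailStates(ctx, developerId, opts)).toBeRejectedWithError('You don\'t have enough privileges');`, or keep the try/catch and capture the error into a `let error` that is checked after the block, the pattern the sibling updateMailState spec already uses. Since `tx` is rolled back in `afterEach`, the rewritten test needs no rollback of its own.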
diff --git a/modules/worker/back/methods/worker-time-control/specs/updateWorkerTimeControlMail.spec.js b/modules/worker/back/methods/worker-time-control/specs/updateMailState.spec.js
similarity index 82%
rename from modules/worker/back/methods/worker-time-control/specs/updateWorkerTimeControlMail.spec.js
rename to modules/worker/back/methods/worker-time-control/specs/updateMailState.spec.js
index 3b5b2b73f..151b6ca94 100644
--- a/modules/worker/back/methods/worker-time-control/specs/updateWorkerTimeControlMail.spec.js
+++ b/modules/worker/back/methods/worker-time-control/specs/updateMailState.spec.js
@@ -1,10 +1,11 @@
 const models = require('vn-loopback/server/server').models;
-describe('updateWorkerTimeControlMail()', () => {
+describe('updateMailState()', () => {
+ const developerId = 9;
+ const employeeId = 1;
 it('should update WorkerTimeControlMail if exist record', async() => {
 const tx = await models.WorkerTimeControlMail.beginTransaction({});
 const args = {
- workerId: 9,
 week: 50,
 year: 2000,
 state: 'CONFIRMED'
@@ -15,15 +16,15 @@ describe('updateWorkerTimeControlMail()', () => {
 const options = {transaction: tx};
 const beforeMail = await models.WorkerTimeControlMail.findOne({
 where: {
- workerFk: args.workerId,
+ workerFk: developerId,
 year: args.year,
 week: args.week,
 }
 }, options);
- await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+ await models.WorkerTimeControl.updateMailState(ctx, developerId, options);
 const afterMail = await models.WorkerTimeControlMail.findOne({
 where: {
- workerFk: args.workerId,
+ workerFk: developerId,
 year: args.year,
 week: args.week,
 }
@@ -42,7 +43,6 @@ describe('updateWorkerTimeControlMail()', () => {
 it('should insert WorkerTimeControlMail if exist record', async() => {
 const tx = await models.WorkerTimeControlMail.beginTransaction({});
 const args = {
- workerId: 1,
 week: 51,
 year: 2000,
 state: 'SENDED'
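Review bot: The title of the second test, `it('should insert WorkerTimeControlMail if exist record'`, describes the opposite of the case it appears to set up (the `@@ -42,7 +43,6 @@` hunk removes `workerId: 1` and the test name says "insert", which presumably means no record exists yet for week 51); rename it to `it('should insert WorkerTimeControlMail if no record exists'` while the file is being renamed anyway. The body of that test continues outside the hunk.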
@@ -53,15 +53,15 @@ describe('updateWorkerTimeControlMail()', () => {
 const options = {transaction: tx};
 const beforeMail = await models.WorkerTimeControlMail.find({
 where: {
- workerFk: args.workerId,
+ workerFk: employeeId,
 year: args.year,
 week: args.week,
 }
 }, options);
- await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+ await models.WorkerTimeControl.updateMailState(ctx, employeeId, options);
 const afterMail = await models.WorkerTimeControlMail.find({
 where: {
- workerFk: args.workerId,
+ workerFk: employeeId,
 year: args.year,
 week: args.week,
 }
@@ -80,7 +80,7 @@ describe('updateWorkerTimeControlMail()', () => {
 it('should throw error if not exist any record in this week', async() => {
 const tx = await models.WorkerTimeControlMail.beginTransaction({});
 const ctx = {args: {
- workerId: 1,
+ workerId: employeeId,
 week: 1,
 year: 0,
 state: 'SENDED'
@@ -89,7 +89,7 @@ describe('updateWorkerTimeControlMail()', () => {
 let error;
 try {
 const options = {transaction: tx};
- await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+ await models.WorkerTimeControl.updateMailState(ctx, employeeId, options);
 await tx.rollback();
 } catch (e) {
diff --git a/modules/worker/back/methods/worker-time-control/updateWorkerTimeControlMail.js b/modules/worker/back/methods/worker-time-control/updateMailState.js
similarity index 85%
rename from modules/worker/back/methods/worker-time-control/updateWorkerTimeControlMail.js
rename to modules/worker/back/methods/worker-time-control/updateMailState.js
index 3fd743fe3..c3bacaac0 100644
--- a/modules/worker/back/methods/worker-time-control/updateWorkerTimeControlMail.js
+++ b/modules/worker/back/methods/worker-time-control/updateMailState.js
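Review bot: In the `@@ -80,7 +80,7 @@` hunk the third test keeps `workerId: employeeId` inside `ctx.args`, but the renamed method now receives the worker id as its second parameter (`updateMailState(ctx, employeeId, options)` in the next hunk) and, per the upsert change elsewhere in this commit, no longer reads `args.workerId`; the first two tests in this file dropped the field, so drop it here too and let `const ctx = {args: {` be followed directly by `week: 1,`. None of these `ctx` objects carries `req.accessToken`, so the tests call the model method directly and never exercise the `hr`/`$owner` ACL this commit adds — acceptable for a unit spec, but then the ACL has no coverage anywhere in the diff. The test body continues outside the hunk.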
@@ -1,12 +1,13 @@
 const UserError = require('vn-loopback/util/user-error');
 module.exports = Self => {
- Self.remoteMethodCtx('updateWorkerTimeControlMail', {
+ Self.remoteMethodCtx('updateMailState', {
 description: 'Updates the state of WorkerTimeControlMail',
 accessType: 'WRITE',
 accepts: [{
- arg: 'workerId',
+ arg: 'id',
 type: 'number',
- required: true
+ description: 'The worker id',
+ http: {source: 'path'}
 }, {
 arg: 'year',
@@ -32,12 +33,12 @@ module.exports = Self => {
 root: true
 },
 http: {
- path: `/updateWorkerTimeControlMail`,
+ path: `/:id/updateMailState`,
 verb: 'POST'
 }
 });
- Self.updateWorkerTimeControlMail = async(ctx, options) => {
+ Self.updateMailState = async(ctx, id, options) => {
 const models = Self.app.models;
 const args = ctx.args;
 const myOptions = {};
@@ -59,14 +60,14 @@ module.exports = Self => {
 {
 year: args.year,
 week: args.week,
- workerFk: args.workerId
+ workerFk: id
 },
 {
 state: args.state,
 reason: args.reason,
 year: args.year,
 week: args.week,
- workerFk: args.workerId
+ workerFk: id
 },
 myOptions);
diff --git a/modules/worker/back/methods/worker-time-control/weeklyHourRecordEmail.js b/modules/worker/back/methods/worker-time-control/weeklyHourRecordEmail.js
index 53bc8d022..f19ab17e1 100644
--- a/modules/worker/back/methods/worker-time-control/weeklyHourRecordEmail.js
+++ b/modules/worker/back/methods/worker-time-control/weeklyHourRecordEmail.js
@@ -61,7 +61,7 @@ module.exports = Self => {
 const url = `${salix.url}worker/${args.workerId}/time-control?timestamp=${timestamp}`;
 ctx.args.url = url;
- await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, myOptions);
+ await models.WorkerTimeControl.updateMailState(ctx, ctx.workerId, myOptions);
 return Self.sendTemplate(ctx, 'weekly-hour-record');
 };
diff --git a/modules/worker/back/models/worker-time-control.js b/modules/worker/back/models/worker-time-control.js
index 1457c7a46..92f1bacf0 100644
--- a/modules/worker/back/models/worker-time-control.js
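Review bot: The `id` argument of updateMailState loses `required: true` in this hunk; the new route `/:id/updateMailState` always supplies it on REST calls, but the method is also invoked programmatically (weeklyHourRecordEmail, later in this commit), where nothing validates the value before it becomes the upsert's `workerFk`. Either keep `required: true` next to `http: {source: 'path'}`, or add a guard at the top of the implementation, `if (id == null) throw new UserError('Worker id is required');` — `UserError` is already imported at the top of this file. The `accepts` array continues outside the hunk.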
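Review bot: `models.WorkerTimeControl.updateMailState(ctx, ctx.workerId, myOptions)` passes `ctx.workerId`, yet two lines above the same function reads the worker id as `args.workerId` (`worker/${args.workerId}/time-control`), so `ctx.workerId` is very likely undefined here and the upsert ends up keyed on `workerFk: undefined` instead of the worker whose mail is being recorded. The call should be `await models.WorkerTimeControl.updateMailState(ctx, args.workerId, myOptions);`. The enclosing function starts outside the hunk.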
+++ b/modules/worker/back/models/worker-time-control.js
@@ -6,7 +6,7 @@ module.exports = Self => {
 require('../methods/worker-time-control/deleteTimeEntry')(Self);
 require('../methods/worker-time-control/updateTimeEntry')(Self);
 require('../methods/worker-time-control/sendMail')(Self);
- require('../methods/worker-time-control/updateWorkerTimeControlMail')(Self);
+ require('../methods/worker-time-control/updateMailState')(Self);
 require('../methods/worker-time-control/weeklyHourRecordEmail')(Self);
 require('../methods/worker-time-control/getMailStates')(Self);
 require('../methods/worker-time-control/resendWeeklyHourEmail')(Self);
diff --git a/modules/worker/back/models/worker-time-control.json b/modules/worker/back/models/worker-time-control.json
index e2b74875a..3d408c18f 100644
--- a/modules/worker/back/models/worker-time-control.json
+++ b/modules/worker/back/models/worker-time-control.json
@@ -36,15 +36,24 @@
 "model": "VnUser",
 "foreignKey": "userFk"
 },
- "worker": {
- "type": "hasOne",
- "model": "Worker",
- "foreignKey": "id"
+ "worker": {
+ "type": "hasOne",
+ "model": "Worker",
+ "foreignKey": "id"
 },
 "warehouse": {
 "type": "belongsTo",
 "model": "Warehouse",
 "foreignKey": "warehouseFk"
 }
- }
-}
+ },
+ "acls": [
+ {
+ "property": "updateMailState",
+ "accessType": "WRITE",
+ "permission": "ALLOW",
+ "principalType": "ROLE",
+ "principalId": "$owner"
+ }
+ ]
+}
\ No newline at end of file
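Review bot: The `$owner` grant on `updateMailState` is declared on `WorkerTimeControl`, and as I understand LoopBack's stock owner resolution it loads a `WorkerTimeControl` row by the `:id` in the route and compares that row's user relation (`userFk` → `VnUser` is visible just above the hunk); but updateMailState uses `:id` as a worker id, so the check would allow or deny based on whichever time-control entry happens to share that primary key. I cannot see whether the project overrides the `$owner` resolver, so treat this as something to verify; if it is the stock one, enforce ownership inside the method instead, `if (id !== ctx.req.accessToken.userId && !await models.Worker.isSubordinate(ctx, id)) throw new UserError(...)`, and let the SQL migration's `hr` row be the only declarative grant. Separately, the `worker` relation block is re-emitted with whitespace-only changes and the file now ends without a trailing newline — both are noise worth reverting before merge.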