fix: refs #6286 update WorkerTimeControl permissions

db/versions/11100-silverGerbera/00-modifyTimeControlAcls.sql

@@ -0,0 +1,18 @@
+UPDATE salix.ACL
+	SET principalId = 'teamBoss'
+	WHERE property IN ('addTimeEntry', 'deleteTimeEntry', 'updateTimeEntry', 'weeklyHourRecordEmail');
+
+UPDATE salix.ACL SET principalId = 'developer' WHERE property = 'sendMail';
+
+UPDATE salix.ACL
+	SET property = 'updateMailState'
+	WHERE property = 'updateWorkerTimeControlMail';
+
+INSERT INTO salix.ACL(model, property, accessType, permission, principalType, principalId)
+	VALUES
+		('WorkerTimeControl', 'addTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+		('WorkerTimeControl', 'deleteTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+		('WorkerTimeControl', 'updateTimeEntry', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+		('WorkerTimeControl', 'weeklyHourRecordEmail', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+		('WorkerTimeControl', 'sendMail', 'WRITE', 'ALLOW', 'ROLE', 'hr'),
+		('WorkerTimeControl', 'updateMailState', 'WRITE', 'ALLOW', 'ROLE', 'hr');

modules/worker/back/methods/worker-time-control/getMailStates.js

@@ -1,3 +1,5 @@
+const UserError = require('vn-loopback/util/user-error');
+
 module.exports = Self => {
     Self.remoteMethodCtx('getMailStates', {
         description: 'Get the states of a month about time control mail',
@@ -36,6 +38,8 @@ module.exports = Self => {
         if (typeof options == 'object')
             Object.assign(myOptions, options);
 
+        if (!await models.Worker.isSubordinate(ctx, workerId)) throw new UserError(`You don't have enough privileges`);
+
         const times = await models.Time.find({
             fields: ['week'],
             where: {

modules/worker/back/methods/worker-time-control/resendWeeklyHourEmail.js

@@ -1,4 +1,5 @@
 const moment = require('moment');
+const UserError = require('vn-loopback/util/user-error');
 
 module.exports = Self => {
     Self.remoteMethodCtx('resendWeeklyHourEmail', {
@@ -35,6 +36,9 @@ module.exports = Self => {
         const yearNumber = dated.getFullYear();
         const weekNumber = moment(dated).isoWeek();
 
+        if (!await models.Worker.isSubordinate(ctx, workerId) || workerId === ctx.req.accessToken.userId)
+            throw new UserError(`You don't have enough privileges`);
+
         const workerTimeControlMail = await models.WorkerTimeControlMail.findOne({
             where: {
                 workerFk: workerId,

modules/worker/back/methods/worker-time-control/specs/getMailStates.spec.js

@@ -1,28 +1,36 @@
 const models = require('vn-loopback/server/server').models;
 
 describe('workerTimeControl getMailStates()', () => {
-    const workerId = 9;
+    const developerId = 9;
-    const ctx = {args: {
+    const developerBossId = 120;
-        month: 12,
+    const employeeId = 1;
-        year: 2000
+
-    }};
+    let ctx;
+    let tx;
+    let opts;
+
+    beforeEach(async() => {
+        ctx = {req: {accessToken: {userId: developerBossId}}, args: {month: 12, year: 2000}};
+        tx = await models.WorkerTimeControl.beginTransaction({});
+        opts = {transaction: tx};
+    });
+
+    afterEach(async() => await tx.rollback());
 
     it('should get the states of a month about time control mail', async() => {
-        const tx = await models.WorkerTimeControl.beginTransaction({});
+        const response = await models.WorkerTimeControl.getMailStates(ctx, developerId, opts);
 
+        expect(response[0].state).toEqual('REVISE');
+        expect(response[1].state).toEqual('SENDED');
+        expect(response[2].state).toEqual('CONFIRMED');
+    });
+
+    it('should throw an error if they are not subordinates', async() => {
+        ctx.req.accessToken.userId = employeeId;
         try {
-            const options = {transaction: tx};
+            await models.WorkerTimeControl.getMailStates(ctx, developerId, opts);
-
-            const response = await models.WorkerTimeControl.getMailStates(ctx, workerId, options);
-
-            expect(response[0].state).toEqual('REVISE');
-            expect(response[1].state).toEqual('SENDED');
-            expect(response[2].state).toEqual('CONFIRMED');
-
-            await tx.rollback();
         } catch (e) {
-            await tx.rollback();
+            expect(e.message).toEqual('You don\'t have enough privileges');
-            throw e;
         }
     });
 });

modules/worker/back/methods/worker-time-control/specs/updateMailState.spec.js

@@ -1,10 +1,11 @@
 const models = require('vn-loopback/server/server').models;
 
-describe('updateWorkerTimeControlMail()', () => {
+describe('updateMailState()', () => {
+    const developerId = 9;
+    const employeeId = 1;
     it('should update WorkerTimeControlMail if exist record', async() => {
         const tx = await models.WorkerTimeControlMail.beginTransaction({});
         const args = {
-            workerId: 9,
             week: 50,
             year: 2000,
             state: 'CONFIRMED'
@@ -15,15 +16,15 @@ describe('updateWorkerTimeControlMail()', () => {
             const options = {transaction: tx};
             const beforeMail = await models.WorkerTimeControlMail.findOne({
                 where: {
-                    workerFk: args.workerId,
+                    workerFk: developerId,
                     year: args.year,
                     week: args.week,
                 }
             }, options);
-            await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+            await models.WorkerTimeControl.updateMailState(ctx, developerId, options);
             const afterMail = await models.WorkerTimeControlMail.findOne({
                 where: {
-                    workerFk: args.workerId,
+                    workerFk: developerId,
                     year: args.year,
                     week: args.week,
                 }
@@ -42,7 +43,6 @@ describe('updateWorkerTimeControlMail()', () => {
     it('should insert WorkerTimeControlMail if exist record', async() => {
         const tx = await models.WorkerTimeControlMail.beginTransaction({});
         const args = {
-            workerId: 1,
             week: 51,
             year: 2000,
             state: 'SENDED'
@@ -53,15 +53,15 @@ describe('updateWorkerTimeControlMail()', () => {
             const options = {transaction: tx};
             const beforeMail = await models.WorkerTimeControlMail.find({
                 where: {
-                    workerFk: args.workerId,
+                    workerFk: employeeId,
                     year: args.year,
                     week: args.week,
                 }
             }, options);
-            await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+            await models.WorkerTimeControl.updateMailState(ctx, employeeId, options);
             const afterMail = await models.WorkerTimeControlMail.find({
                 where: {
-                    workerFk: args.workerId,
+                    workerFk: employeeId,
                     year: args.year,
                     week: args.week,
                 }
@@ -80,7 +80,7 @@ describe('updateWorkerTimeControlMail()', () => {
     it('should throw error if not exist any record in this week', async() => {
         const tx = await models.WorkerTimeControlMail.beginTransaction({});
         const ctx = {args: {
-            workerId: 1,
+            workerId: employeeId,
             week: 1,
             year: 0,
             state: 'SENDED'
@@ -89,7 +89,7 @@ describe('updateWorkerTimeControlMail()', () => {
         let error;
         try {
             const options = {transaction: tx};
-            await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, options);
+            await models.WorkerTimeControl.updateMailState(ctx, employeeId, options);
 
             await tx.rollback();
         } catch (e) {

modules/worker/back/methods/worker-time-control/updateMailState.js

@@ -1,12 +1,13 @@
 const UserError = require('vn-loopback/util/user-error');
 module.exports = Self => {
-    Self.remoteMethodCtx('updateWorkerTimeControlMail', {
+    Self.remoteMethodCtx('updateMailState', {
         description: 'Updates the state of WorkerTimeControlMail',
         accessType: 'WRITE',
         accepts: [{
-            arg: 'workerId',
+            arg: 'id',
             type: 'number',
-            required: true
+            description: 'The worker id',
+            http: {source: 'path'}
         },
         {
             arg: 'year',
@@ -32,12 +33,12 @@ module.exports = Self => {
             root: true
         },
         http: {
-            path: `/updateWorkerTimeControlMail`,
+            path: `/:id/updateMailState`,
             verb: 'POST'
         }
     });
 
-    Self.updateWorkerTimeControlMail = async(ctx, options) => {
+    Self.updateMailState = async(ctx, id, options) => {
         const models = Self.app.models;
         const args = ctx.args;
         const myOptions = {};
@@ -59,14 +60,14 @@ module.exports = Self => {
             {
                 year: args.year,
                 week: args.week,
-                workerFk: args.workerId
+                workerFk: id
             },
             {
                 state: args.state,
                 reason: args.reason,
                 year: args.year,
                 week: args.week,
-                workerFk: args.workerId
+                workerFk: id
             },
             myOptions);
 

modules/worker/back/methods/worker-time-control/weeklyHourRecordEmail.js

@@ -61,7 +61,7 @@ module.exports = Self => {
         const url = `${salix.url}worker/${args.workerId}/time-control?timestamp=${timestamp}`;
         ctx.args.url = url;
 
-        await models.WorkerTimeControl.updateWorkerTimeControlMail(ctx, myOptions);
+        await models.WorkerTimeControl.updateMailState(ctx, ctx.workerId, myOptions);
         return Self.sendTemplate(ctx, 'weekly-hour-record');
     };
 

modules/worker/back/models/worker-time-control.js

@@ -6,7 +6,7 @@ module.exports = Self => {
     require('../methods/worker-time-control/deleteTimeEntry')(Self);
     require('../methods/worker-time-control/updateTimeEntry')(Self);
     require('../methods/worker-time-control/sendMail')(Self);
-    require('../methods/worker-time-control/updateWorkerTimeControlMail')(Self);
+    require('../methods/worker-time-control/updateMailState')(Self);
     require('../methods/worker-time-control/weeklyHourRecordEmail')(Self);
     require('../methods/worker-time-control/getMailStates')(Self);
     require('../methods/worker-time-control/resendWeeklyHourEmail')(Self);

modules/worker/back/models/worker-time-control.json

@@ -36,15 +36,24 @@
             "model": "VnUser",
             "foreignKey": "userFk"
         },
-		"worker": {
+        "worker": {
-			"type": "hasOne",
+            "type": "hasOne",
-			"model": "Worker",
+            "model": "Worker",
-			"foreignKey": "id"
+            "foreignKey": "id"
         },
         "warehouse": {
             "type": "belongsTo",
             "model": "Warehouse",
             "foreignKey": "warehouseFk"
         }
-    }
+    },
-}
+    "acls": [
+        {
+            "property": "updateMailState",
+            "accessType": "WRITE",
+            "permission": "ALLOW",
+            "principalType": "ROLE",
+            "principalId": "$owner"
+        }
+    ]
+}