fix: update access control for modifying absences in the past

Jorge Penadés 2025-01-08 15:47:53 +01:00
parent f557b41feb
commit 838617e3f6
3 changed files with 9 additions and 7 deletions


@ -1,2 +1,4 @@
DELETE FROM salix.ACL WHERE property = 'canCreateAbsenceInPast';
INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId)
VALUES ('Worker','canDeleteAbsenceInPast','WRITE','ALLOW','ROLE','hr');
VALUES ('Worker','canModifyAbsenceInPast','WRITE','ALLOW','ROLE','hr');
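Review bot: Nothing visible in this migration removes the existing `canDeleteAbsenceInPast` ACL row, which the code stops checking in this commit. The rendered page has lost its +/- markers, so it is unclear whether the `canDeleteAbsenceInPast` VALUES line is replaced or kept; if an earlier migration already applied that row, it remains as a stale grant. Consider widening the cleanup to `DELETE FROM salix.ACL WHERE property IN ('canCreateAbsenceInPast','canDeleteAbsenceInPast');`. The DELETE also drops the old property for every principal while only `hr` is re-granted, so it is worth confirming that no other role is meant to keep the capability.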


@ -58,12 +58,12 @@ module.exports = Self => {
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
throw new UserError(`You don't have enough privileges`);
const canCreateAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canCreateAbsenceInPast', 'WRITE');
const canModifyAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
const now = Date.vnNew();
const newDate = new Date(args.dated).getTime();
if ((now.getTime() > newDate) && !canCreateAbsenceInPast)
if ((now.getTime() > newDate) && !canModifyAbsenceInPast)
throw new UserError(`Holidays to past days not available`);
const labour = await models.WorkerLabour.findById(args.businessFk,
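Review bot: An unparseable `args.dated` is not rejected before the past-date guard: `new Date(args.dated).getTime()` yields `NaN`, and `now.getTime() > NaN` is false, so the `canModifyAbsenceInPast` requirement is skipped for that request. Unless the remote method's argument typing already rejects such a value (not visible in this hunk), add `if (Number.isNaN(newDate)) throw new UserError('Invalid date');` before the comparison; the message text here is only a suggestion. The enclosing function starts and ends outside the hunk.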


@ -53,10 +53,10 @@ module.exports = Self => {
}
}
}, myOptions);
const canDeleteAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canDeleteAbsenceInPast', 'WRITE');
const canModifyAbsenceInPast =
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
if (!canDeleteAbsenceInPast && Date.vnNow() > absence.dated.getTime())
if (!canModifyAbsenceInPast && Date.vnNow() > absence.dated.getTime())
throw new UserError(`Holidays to past days not available`);
const result = await absence.destroy(myOptions);
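Review bot: Creation and deletion of past absences are now gated by the same `canModifyAbsenceInPast` property, so the two operations can no longer be granted separately, and the check does not say so. A comment above the lookup would make the coupling visible to whoever edits the ACL table next, for example `// Shared with the create path: granting canModifyAbsenceInPast allows both creating and deleting past absences`. The enclosing function starts and ends outside the hunk.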