From 838617e3f667fdb9ad14d454cdaa1854eca7d6d5 Mon Sep 17 00:00:00 2001
From: jorgep
Date: Wed, 8 Jan 2025 15:47:53 +0100
Subject: [PATCH] fix: update access control for modifying absences in the past
---
 db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql | 4 +++-
 modules/worker/back/methods/worker/createAbsence.js | 6 +++---
 modules/worker/back/methods/worker/deleteAbsence.js | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql b/db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql
index 8ab24cb0d..f3e0355a8 100644
--- a/db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql
+++ b/db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql
@@ -1,2 +1,4 @@
+DELETE FROM salix.ACL WHERE property = 'canCreateAbsenceInPast';
+
 INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId)
- VALUES ('Worker','canDeleteAbsenceInPast','WRITE','ALLOW','ROLE','hr');
\ No newline at end of file
+ VALUES ('Worker','canModifyAbsenceInPast','WRITE','ALLOW','ROLE','hr');
diff --git a/modules/worker/back/methods/worker/createAbsence.js b/modules/worker/back/methods/worker/createAbsence.js
index 93ca7fd89..36781bc3f 100644
--- a/modules/worker/back/methods/worker/createAbsence.js
+++ b/modules/worker/back/methods/worker/createAbsence.js
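Review bot: In db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql the added `DELETE` matches on `property` alone, so it removes every principal's `canCreateAbsenceInPast` grant on any model, while the `INSERT` re-grants the merged `canModifyAbsenceInPast` only to role `hr`. If a role other than `hr` held the old create permission it silently loses it, and `hr` now holds both create and delete rights over past absences through a single row; both effects should be stated in the commit description. Because this script previously inserted `canDeleteAbsenceInPast`, an environment that already ran the earlier version may keep that row as an unused grant (assuming applied versions are not re-run). I would scope and extend the cleanup: `DELETE FROM salix.ACL WHERE model = 'Worker' AND property IN ('canCreateAbsenceInPast', 'canDeleteAbsenceInPast');`.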
@@ -58,12 +58,12 @@ module.exports = Self => { if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss)) throw new UserError(`You don't have enough privileges`); - const canCreateAbsenceInPast = - await models.ACL.checkAccessAcl(ctx, 'Worker', 'canCreateAbsenceInPast', 'WRITE'); + const canModifyAbsenceInPast = + await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE'); const now = Date.vnNew(); const newDate = new Date(args.dated).getTime(); - if ((now.getTime() > newDate) && !canCreateAbsenceInPast) + if ((now.getTime() > newDate) && !canModifyAbsenceInPast) throw new UserError(`Holidays to past days not available`); const labour = await models.WorkerLabour.findById(args.businessFk, diff --git a/modules/worker/back/methods/worker/deleteAbsence.js b/modules/worker/back/methods/worker/deleteAbsence.js index a7c6efc21..11a8cb0c1 100644 --- a/modules/worker/back/methods/worker/deleteAbsence.js +++ b/modules/worker/back/methods/worker/deleteAbsence.js @@ -53,10 +53,10 @@ module.exports = Self => { } } }, myOptions); - const canDeleteAbsenceInPast = - await models.ACL.checkAccessAcl(ctx, 'Worker', 'canDeleteAbsenceInPast', 'WRITE'); + const canModifyAbsenceInPast = + await models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE'); - if (!canDeleteAbsenceInPast && Date.vnNow() > absence.dated.getTime()) + if (!canModifyAbsenceInPast && Date.vnNow() > absence.dated.getTime()) throw new UserError(`Holidays to past days not available`); const result = await absence.destroy(myOptions);
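Review bot: The past-date guard `if ((now.getTime() > newDate) && !canModifyAbsenceInPast)` in createAbsence.js fails open when `args.dated` does not parse: `new Date(args.dated).getTime()` is then `NaN`, the comparison is false, and the request continues whatever the ACL check returned. Whether `args.dated` is validated earlier is not visible, since the function starts and ends outside the hunk. Treating anything not provably in the future as past closes this: `if (!(newDate >= now.getTime()) && !canModifyAbsenceInPast)`. The ACL property name is also a bare string repeated here, in deleteAbsence.js and in the SQL migration, so a shared constant would keep the three from drifting on the next rename.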
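Review bot: In deleteAbsence.js `absence.dated.getTime()` is dereferenced with no visible guard, so if the lookup that ends at `}, myOptions);` returns nothing for the given id the caller gets a TypeError instead of a `UserError`; the lookup starts outside the hunk, so an earlier check may exist. A guard that throws a `UserError` when `absence` is missing, placed before the ACL call, would make the failure explicit and avoid the ACL lookup for records that do not exist. Since one permission now gates both creation and deletion, a short comment above the check such as `// shared with createAbsence: gates any change to absences dated before now` would tell the next reader why the delete path checks a "modify" permission.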