feat: check the client to edit is in vn.client and not in account.account
This commit is contained in:
parent
732e40c42b
commit
aa51fa1722
|
@ -131,5 +131,6 @@
|
||||||
"Fichadas impares": "Odd signs",
|
"Fichadas impares": "Odd signs",
|
||||||
"Descanso diario 9h.": "Daily rest 9h.",
|
"Descanso diario 9h.": "Daily rest 9h.",
|
||||||
"Descanso semanal 36h. / 72h.": "Weekly rest 36h. / 72h.",
|
"Descanso semanal 36h. / 72h.": "Weekly rest 36h. / 72h.",
|
||||||
"Password does not meet requirements": "Password does not meet requirements"
|
"Password does not meet requirements": "Password does not meet requirements",
|
||||||
|
"Not enough privileges to edit a client": "Not enough privileges to edit a client"
|
||||||
}
|
}
|
|
@ -232,5 +232,8 @@
|
||||||
"Fichadas impares": "Fichadas impares",
|
"Fichadas impares": "Fichadas impares",
|
||||||
"Descanso diario 12h.": "Descanso diario 12h.",
|
"Descanso diario 12h.": "Descanso diario 12h.",
|
||||||
"Descanso semanal 36h. / 72h.": "Descanso semanal 36h. / 72h.",
|
"Descanso semanal 36h. / 72h.": "Descanso semanal 36h. / 72h.",
|
||||||
"Dirección incorrecta": "Dirección incorrecta"
|
"Dirección incorrecta": "Dirección incorrecta",
|
||||||
|
"Modifiable user details only by an administrator": "Detalles de usuario modificables solo por un administrador",
|
||||||
|
"Modifiable password only via recovery or by an administrator": "Contraseña modificable solo a través de la recuperación o por un administrador",
|
||||||
|
"Not enough privileges to edit a client": "No tienes suficientes privilegios para editar un cliente"
|
||||||
}
|
}
|
|
@ -1,5 +1,6 @@
|
||||||
|
const UserError = require('vn-loopback/util/user-error');
|
||||||
module.exports = Self => {
|
module.exports = Self => {
|
||||||
Self.remoteMethod('setPassword', {
|
Self.remoteMethodCtx('setPassword', {
|
||||||
description: 'Sets the password of a non-worker client',
|
description: 'Sets the password of a non-worker client',
|
||||||
accepts: [
|
accepts: [
|
||||||
{
|
{
|
||||||
|
@ -20,13 +21,21 @@ module.exports = Self => {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
Self.setPassword = async function(id, newPassword) {
|
Self.setPassword = async function(ctx, id, newPassword) {
|
||||||
const models = Self.app.models;
|
const models = Self.app.models;
|
||||||
|
const userId = ctx.req.accessToken.userId;
|
||||||
|
|
||||||
const isWorker = await models.Worker.findById(id);
|
const isSalesPerson = await models.Account.hasRole(userId, 'salesPerson');
|
||||||
if (isWorker)
|
|
||||||
throw new Error(`Can't change the password of another worker`);
|
|
||||||
|
|
||||||
await models.Account.setPassword(id, newPassword);
|
if (!isSalesPerson)
|
||||||
|
throw new UserError(`Not enough privileges to edit a client`);
|
||||||
|
|
||||||
|
const isClient = await models.Client.findById(id, null);
|
||||||
|
const isUserAccount = await models.UserAccount.findById(id, null);
|
||||||
|
|
||||||
|
if (isClient && !isUserAccount)
|
||||||
|
await models.Account.setPassword(id, newPassword);
|
||||||
|
else
|
||||||
|
throw new UserError(`Modifiable password only via recovery or by an administrator`);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
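Review bot: The guard in front of `await models.Account.setPassword(id, newPassword)` now rests solely on `isClient && !isUserAccount`; the explicit `models.Worker.findById(id)` check the old code had is dropped, so a worker is rejected only if every worker is guaranteed to have a row behind `models.UserAccount`, which nothing in this hunk shows. Keeping the worker lookup as a belt-and-braces check costs one query: `const isWorker = await models.Worker.findById(id, null);` and `if (!isClient || isUserAccount || isWorker) throw new UserError(\`Modifiable password only via recovery or by an administrator\`);`. The role lookup, the two existence lookups and the password write also run outside any transaction (unlike updateUser in this same commit, which threads `myOptions`), so the target's status can change between check and write; if that is accepted it deserves a one-line comment. Since the same message is thrown for "not a client" and "is a user account", the method does not disclose which table matched, which is fine.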
@ -1,23 +1,43 @@
|
||||||
const models = require('vn-loopback/server/server').models;
|
const models = require('vn-loopback/server/server').models;
|
||||||
|
|
||||||
describe('Client setPassword', () => {
|
describe('Client setPassword', () => {
|
||||||
it('should throw an error the setPassword target is not just a client but a worker', async() => {
|
const salesPersonId = 19;
|
||||||
let error;
|
const ctx = {
|
||||||
|
req: {accessToken: {userId: salesPersonId}}
|
||||||
|
};
|
||||||
|
|
||||||
|
it(`should throw an error if you don't have enough permissions`, async() => {
|
||||||
|
let error;
|
||||||
|
const employeeId = 1;
|
||||||
|
const ctx = {
|
||||||
|
req: {accessToken: {userId: employeeId}}
|
||||||
|
};
|
||||||
try {
|
try {
|
||||||
await models.Client.setPassword(1106, 'newPass?');
|
await models.Client.setPassword(ctx, 1, 't0pl3v3l.p455w0rd!');
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
error = e;
|
error = e;
|
||||||
}
|
}
|
||||||
|
|
||||||
expect(error.message).toEqual(`Can't change the password of another worker`);
|
expect(error.message).toEqual(`Not enough privileges to edit a client`);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should throw an error the setPassword target is not just a client but a worker', async() => {
|
||||||
|
let error;
|
||||||
|
|
||||||
|
try {
|
||||||
|
await models.Client.setPassword(ctx, 1, 't0pl3v3l.p455w0rd!');
|
||||||
|
} catch (e) {
|
||||||
|
error = e;
|
||||||
|
}
|
||||||
|
|
||||||
|
expect(error.message).toEqual(`Modifiable password only via recovery or by an administrator`);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should change the password of the client', async() => {
|
it('should change the password of the client', async() => {
|
||||||
let error;
|
let error;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
await models.Client.setPassword(1101, 't0pl3v3l.p455w0rd!');
|
await models.Client.setPassword(ctx, 1101, 't0pl3v3l.p455w0rd!');
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
error = e;
|
error = e;
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,8 +10,9 @@ describe('Client updateUser', () => {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
const salesPersonId = 19;
|
||||||
const ctx = {
|
const ctx = {
|
||||||
req: {accessToken: {userId: employeeId}},
|
req: {accessToken: {userId: salesPersonId}},
|
||||||
args: {name: 'test', active: true}
|
args: {name: 'test', active: true}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -21,8 +22,13 @@ describe('Client updateUser', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should throw an error the target user is not just a client but a worker', async() => {
|
it(`should throw an error if you don't have enough permissions`, async() => {
|
||||||
let error;
|
let error;
|
||||||
|
const employeeId = 1;
|
||||||
|
const ctx = {
|
||||||
|
req: {accessToken: {userId: employeeId}},
|
||||||
|
args: {name: 'test', active: true}
|
||||||
|
};
|
||||||
try {
|
try {
|
||||||
const clientID = 1106;
|
const clientID = 1106;
|
||||||
await models.Client.updateUser(ctx, clientID);
|
await models.Client.updateUser(ctx, clientID);
|
||||||
|
@ -30,7 +36,19 @@ describe('Client updateUser', () => {
|
||||||
error = e;
|
error = e;
|
||||||
}
|
}
|
||||||
|
|
||||||
expect(error.message).toEqual(`Can't update the user details of another worker`);
|
expect(error.message).toEqual(`Not enough privileges to edit a client`);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should throw an error the target user is not just a client but a worker', async() => {
|
||||||
|
let error;
|
||||||
|
try {
|
||||||
|
const clientID = 1;
|
||||||
|
await models.Client.updateUser(ctx, clientID);
|
||||||
|
} catch (e) {
|
||||||
|
error = e;
|
||||||
|
}
|
||||||
|
|
||||||
|
expect(error.message).toEqual(`Modifiable user details only by an administrator`);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should update the user data', async() => {
|
it('should update the user data', async() => {
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
const UserError = require('vn-loopback/util/user-error');
|
||||||
module.exports = Self => {
|
module.exports = Self => {
|
||||||
Self.remoteMethodCtx('updateUser', {
|
Self.remoteMethodCtx('updateUser', {
|
||||||
description: 'Updates the user information',
|
description: 'Updates the user information',
|
||||||
|
@ -5,8 +6,7 @@ module.exports = Self => {
|
||||||
{
|
{
|
||||||
arg: 'id',
|
arg: 'id',
|
||||||
type: 'number',
|
type: 'number',
|
||||||
description: 'The user id',
|
description: 'The user id'
|
||||||
http: {source: 'path'}
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
arg: 'name',
|
arg: 'name',
|
||||||
|
@ -15,7 +15,7 @@ module.exports = Self => {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
arg: 'email',
|
arg: 'email',
|
||||||
type: 'string',
|
type: 'any',
|
||||||
description: 'the user email'
|
description: 'the user email'
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -32,6 +32,7 @@ module.exports = Self => {
|
||||||
|
|
||||||
Self.updateUser = async function(ctx, id, options) {
|
Self.updateUser = async function(ctx, id, options) {
|
||||||
const models = Self.app.models;
|
const models = Self.app.models;
|
||||||
|
const userId = ctx.req.accessToken.userId;
|
||||||
let tx;
|
let tx;
|
||||||
const myOptions = {};
|
const myOptions = {};
|
||||||
|
|
||||||
|
@ -44,13 +45,19 @@ module.exports = Self => {
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const isWorker = await models.Worker.findById(id, null, myOptions);
|
const isSalesPerson = await models.Account.hasRole(userId, 'salesPerson', myOptions);
|
||||||
if (isWorker)
|
|
||||||
throw new Error(`Can't update the user details of another worker`);
|
|
||||||
|
|
||||||
const user = await models.Account.findById(id, null, myOptions);
|
if (!isSalesPerson)
|
||||||
|
throw new UserError(`Not enough privileges to edit a client`);
|
||||||
|
|
||||||
await user.updateAttributes(ctx.args, myOptions);
|
const isClient = await models.Client.findById(id, null, myOptions);
|
||||||
|
const isUserAccount = await models.UserAccount.findById(id, null, myOptions);
|
||||||
|
|
||||||
|
if (isClient && !isUserAccount) {
|
||||||
|
const user = await models.Account.findById(id, null, myOptions);
|
||||||
|
await user.updateAttributes(ctx.args, myOptions);
|
||||||
|
} else
|
||||||
|
throw new UserError(`Modifiable user details only by an administrator`);
|
||||||
|
|
||||||
if (tx) await tx.commit();
|
if (tx) await tx.commit();
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|
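Review bot: `await user.updateAttributes(ctx.args, myOptions)` inside the new `isClient && !isUserAccount` branch still writes every accepted argument to the account, including `id` and `email`, and this commit weakens both: the `http: {source: 'path'}` binding on `id` is removed (so it may now be taken from the body or query rather than only the URL path, depending on strong-remoting's lookup order) and `email` is loosened from `type: 'string'` to `type: 'any'`, letting a non-string value reach the model. Pick the writable fields explicitly, e.g. `const {name, email, active} = ctx.args;` and `await user.updateAttributes({name, email, active}, myOptions);` (adjust to the accepted args, one of which is outside the hunk), and restore `type: 'string'` on `email` unless there is a reason for `any`. As in setPassword, the old `Worker.findById` guard is gone, so rejecting workers now depends on every worker having a `UserAccount` row; if that invariant is intended, say so next to the check: `// workers are in account.account, so a UserAccount row means "not a plain client"`. The enclosing try/catch and the rest of updateUser continue past the hunk.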