verdnatura/salix
verdnatura
/
salix
3
4
Fork 0
Code Issues Pull Requests 59 Releases Wiki Activity

check if user has role from userToUpdate
gitea/salix/pipeline/head This commit looks good Details

This commit is contained in:
Alex Moreno 2022-10-28 08:09:47 +02:00
parent 5c65314162
commit ad1b429d10
2 changed files with 31 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
back/methods/account/privileges.js
View File

@ -41,9 +41,6 @@ module.exports = Self => {
const user = await models.Account.findById(userId, {fields: ['hasGrant']}, myOptions); const user = await models.Account.findById(userId, {fields: ['hasGrant']}, myOptions);
if (!user.hasGrant)
throw new UserError(`You don't have grant privilege`);
const userToUpdate = await models.Account.findById(id, { const userToUpdate = await models.Account.findById(id, {
fields: ['id', 'name', 'hasGrant', 'roleFk', 'password'], fields: ['id', 'name', 'hasGrant', 'roleFk', 'password'],
include: { include: {
@ -54,15 +51,22 @@ module.exports = Self => {
} }
}, myOptions); }, myOptions);
if (!user.hasGrant)
throw new UserError(`You don't have grant privilege`);
const hasRoleFromUser = await models.Account.hasRole(userId, userToUpdate.role().name, myOptions);
if (!hasRoleFromUser)
throw new UserError(`You don't own the role and you can't assign it to another user`);
if (hasGrant != null) if (hasGrant != null)
userToUpdate.hasGrant = hasGrant; userToUpdate.hasGrant = hasGrant;
if (roleFk) { if (roleFk) {
const role = await models.Role.findById(roleFk, {fields: ['name']}, myOptions); const role = await models.Role.findById(roleFk, {fields: ['name']}, myOptions);
const hasRole = await models.Account.hasRole(userId, role.name, myOptions); const hasRole = await models.Account.hasRole(userId, role.name, myOptions);
const hasRoleFromUser = await models.Account.hasRole(userId, userToUpdate.role().name, myOptions);
if (!hasRole || !hasRoleFromUser) if (!hasRole)
throw new UserError(`You don't own the role and you can't assign it to another user`); throw new UserError(`You don't own the role and you can't assign it to another user`);
userToUpdate.roleFk = roleFk; userToUpdate.roleFk = roleFk;

26
back/methods/account/specs/privileges.spec.js
View File

@ -4,6 +4,8 @@ describe('account privileges()', () => {
const employeeId = 1; const employeeId = 1;
const developerId = 9; const developerId = 9;
const sysadminId = 66; const sysadminId = 66;
const itBossId = 104;
const rootId = 100;
const clarkKent = 1103; const clarkKent = 1103;
it('should throw an error when user not has privileges', async() => { it('should throw an error when user not has privileges', async() => {
@ -33,12 +35,26 @@ describe('account privileges()', () => {
try { try {
const options = {transaction: tx}; const options = {transaction: tx};
const root = await models.Role.findOne({ await models.Account.privileges(ctx, employeeId, rootId, null, options);
where: {
name: 'root' await tx.rollback();
} catch (e) {
error = e;
await tx.rollback();
} }
}, options);
await models.Account.privileges(ctx, employeeId, root.id, null, options); expect(error.message).toContain(`You don't own the role and you can't assign it to another user`);
});
it('should throw an error when user has privileges but not has the role from user', async() => {
const ctx = {req: {accessToken: {userId: sysadminId}}};
const tx = await models.Account.beginTransaction({});
let error;
try {
const options = {transaction: tx};
await models.Account.privileges(ctx, itBossId, developerId, null, options);
await tx.rollback(); await tx.rollback();
} catch (e) { } catch (e) {