refs #5468 descriptor account solo lo puede ejecutar sysadmin y mail-forwarding solo el mismo o un superior

Alex Moreno 2023-04-25 15:17:45 +02:00
parent f2bef8dcf6
commit af0523a155
8 changed files with 88 additions and 15 deletions


@ -0,0 +1,6 @@
DELETE
FROM `salix`.`ACL`
WHERE model='Account' AND property='*' AND accessType='*';
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
VALUES('Account', '*', 'WRITE', 'ALLOW', 'ROLE', 'sysadmin');
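Review bot: The `DELETE` is not scoped by `principalId`, so it drops the `Account` / `*` / `*` grant of every principal, while the `INSERT` restores only `WRITE` for `sysadmin`. Any READ access those wildcard rows provided is gone unless another ACL row covers it, which this page does not show. The script also does not look re-runnable: the `DELETE` matches only `accessType='*'`, so a second run would add a duplicate `sysadmin` row unless the table has a unique key. I would add a header comment such as `-- refs #5468: Account writes restricted to sysadmin; READ is covered by <existing ACL row>` so the intended end state can be audited.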


@ -15,7 +15,9 @@
</vn-item-section>
<vn-item-section side>
<vn-icon-button
ng-if="!$ctrl.isSubordinate"
icon="delete"
label="$ctrl.isSubordinate"
translate-attr="{title: 'Unsubscribe'}"
ng-click="removeConfirm.show(row)">
</vn-icon-button>
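Review bot: `ng-if="!$ctrl.isSubordinate"` fails open: going by the controller change in this commit, `isSubordinate` is undefined until its GET resolves and stays undefined if the request fails, so the delete button is rendered exactly when the relationship is unknown. Hiding the button is presentation only; the removal endpoint has to reject the call server-side, and that check is not visible in this commit. `label="$ctrl.isSubordinate"` passes a literal string rather than a binding and looks like a debugging leftover. It is also worth confirming that the negation is intended, since it hides the button when the viewed worker is reported as a subordinate.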


@ -4,6 +4,13 @@ import Section from 'salix/components/section';
export default class Controller extends Section {
$onInit() {
this.refresh();
this.getIsSubordinate();
console.log(this.isSubordinate);
}
getIsSubordinate() {
this.$http.get(`Workers/${this.$params.id}/isSubordinate`)
.then(res => this.isSubordinate = res.data);
}
refresh() {
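Review bot: `console.log(this.isSubordinate)` in `$onInit` runs before the request started by `getIsSubordinate()` has resolved, so it always prints `undefined` and should be removed before merge. `getIsSubordinate()` neither returns its promise nor handles rejection, so a failed request leaves `isSubordinate` undefined with no signal to the view. I would `return this.$http.get(...)` from the method and decide explicitly what the template should show when the request fails. `refresh()` continues outside the hunk.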


@ -6,7 +6,7 @@
<vn-item
ng-click="deleteUser.show()"
name="deleteUser"
vn-acl="it"
vn-acl="sysadmin"
vn-acl-action="remove"
translate>
Delete
@ -15,7 +15,7 @@
ng-if="::$root.user.id == $ctrl.id"
ng-click="$ctrl.onChangePassClick(true)"
name="changePassword"
vn-acl="hr"
vn-acl="sysadmin"
vn-acl-action="remove"
translate>
Change password
@ -23,7 +23,7 @@
<vn-item
ng-click="$ctrl.onChangePassClick(false)"
name="setPassword"
vn-acl="hr"
vn-acl="sysadmin"
vn-acl-action="remove"
translate>
Set password
@ -32,7 +32,7 @@
ng-if="!$ctrl.hasAccount"
ng-click="enableAccount.show()"
name="enableAccount"
vn-acl="it"
vn-acl="sysadmin"
vn-acl-action="remove"
translate>
Enable account
@ -41,7 +41,7 @@
ng-if="$ctrl.hasAccount"
ng-click="disableAccount.show()"
name="disableAccount"
vn-acl="it"
vn-acl="sysadmin"
vn-acl-action="remove"
translate>
Disable account
@ -50,8 +50,7 @@
ng-if="!$ctrl.user.active"
ng-click="activateUser.show()"
name="activateUser"
vn-acl="hr"
vn-acl-action="remove"
vn-acl="sysadmin"
translate>
Activate user
</vn-item>
@ -59,8 +58,7 @@
ng-if="$ctrl.user.active"
ng-click="deactivateUser.show()"
name="deactivateUser"
vn-acl="hr"
vn-acl-action="remove"
vn-acl="sysadmin"
translate>
Deactivate user
</vn-item>
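Review bot: The `changePassword` item is rendered only when `$root.user.id == $ctrl.id`, that is for the logged-in user's own account, and it is now gated by `vn-acl="sysadmin"`, so a non-sysadmin user appears to lose the menu entry for changing their own password. If that is intended, a comment on the item would help; if not, this item needs to keep a self-service path. `activateUser` and `deactivateUser` also drop `vn-acl-action="remove"` while the other five items keep it, so they may be handled differently for non-sysadmin roles (the directive's default action is not visible here). These attributes only shape the menu; the restriction holds only if the corresponding backend ACLs deny the same roles.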


@ -9,7 +9,7 @@
</vn-watcher>
<form
name="form"
ng-submit="watcher.submit()"
ng-submit="$ctrl.onSubmit()"
class="vn-w-md">
<vn-card class="vn-pa-lg">
<vn-vertical>


@ -1,7 +1,22 @@
import ngModule from '../module';
import Section from 'salix/components/section';
import UserError from 'core/lib/user-error';
export default class Controller extends Section {}
export default class Controller extends Section {
onSubmit() {
this.getIsAuthorized();
}
getIsAuthorized() {
this.$http.get(`Workers/${this.$params.id}/authorizeSelfOrSuperior`)
.then(res => {
this.isAuthorized = res.data;
if (!this.isAuthorized) throw new UserError(`You don't have enough privileges`);
this.$.watcher.submit();
});
}
}
ngModule.component('vnUserMailForwarding', {
template: require('./index.html'),
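Review bot: `getIsAuthorized()` makes the authorization decision in the browser: the client asks `authorizeSelfOrSuperior` and then calls `this.$.watcher.submit()` itself, so the rule holds only if the endpoint the watcher saves to performs the same self-or-superior check on the server, which this commit does not show. The `UserError` thrown inside `.then` has no `.catch` in this method, so whether the user ever sees the message depends on a global rejection handler outside the hunk. `this.isAuthorized` is written but never read in the visible code and could be a local. I would enforce the check on the backend save path for mail forwarding and keep this call purely as a UX hint. The component registration continues past the hunk.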


@ -0,0 +1,44 @@
module.exports = Self => {
Self.remoteMethod('authorizeSelfOrSuperior', {
description: 'Return true if is himself or a superior',
accessType: 'READ',
accepts: [{
arg: 'ctx',
type: 'Object',
http: {source: 'context'}
}, {
arg: 'id',
type: 'number',
required: true,
description: 'The worker id',
http: {source: 'path'}
}],
returns: {
type: 'boolean',
root: true
},
http: {
path: `/:id/authorizeSelfOrSuperior`,
verb: 'GET'
}
});
Self.authorizeSelfOrSuperior = async(ctx, id, options) => {
const models = Self.app.models;
const currentUserId = ctx.req.accessToken.userId;
const isHimself = currentUserId == id;
const myOptions = {};
if (typeof options == 'object')
Object.assign(myOptions, options);
const isSubordinate = await models.Worker.isSubordinate(ctx, id, myOptions);
const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
if (!isSubordinate || (isSubordinate && !isHimself && !isTeamBoss))
return false;
return true;
};
};
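Review bot: The final condition in `authorizeSelfOrSuperior` does not match the description 'Return true if is himself or a superior': it returns true only when `isSubordinate` is true and the caller is either the worker himself or holds `teamBoss`, so a superior without that role is rejected, and the self case depends on `Worker.isSubordinate` returning true for the caller's own id (not visible here). The expression is easier to audit as `return isSubordinate && (isHimself || isTeamBoss);`, with a comment stating which reading is intended. Because this method only reports a boolean under `accessType: 'READ'`, it does not protect the mail-forwarding write on its own; the save endpoint needs to apply the same logic server-side.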


@ -16,6 +16,7 @@ module.exports = Self => {
require('../methods/worker/new')(Self);
require('../methods/worker/deallocatePDA')(Self);
require('../methods/worker/allocatePDA')(Self);
require('../methods/worker/authorizeSelfOrSuperior')(Self);
Self.validatesUniquenessOf('locker', {
message: 'This locker has already been assigned'