verdnatura/salix
verdnatura
/
salix
3
5
Fork 0
Code Issues Pull Requests 64 Releases Wiki Activity

feat(canEdit): use checkAccess
gitea/salix/pipeline/head This commit is unstable Details

This commit is contained in:
Alex Moreno 2022-10-31 14:13:06 +01:00
parent 36c0cc1a38
commit b37c257885
6 changed files with 281 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
db/changes/10491-august/00-editTrackedACL.sql → db/changes/10500-november/00-editTrackedACL.sql
View File

@ -1,3 +1,5 @@
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`) INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
VALUES VALUES
('Sale', 'editTracked', 'WRITE', 'ALLOW', 'ROLE', 'production'); ('Sale', 'editTracked', 'WRITE', 'ALLOW', 'ROLE', 'production'),
('Sale', 'editFloramondo', 'WRITE', 'ALLOW', 'ROLE', 'salesAssistant'),
('Ticket', 'editWeekly', 'WRITE', 'DENY', 'ROLE', '$authenticated');

22
loopback/server/boot/acl.js Normal file
View File

@ -0,0 +1,22 @@
module.exports = function(app) {
app.models.ACL.checkAccess = async(ctx, modelId, property, accessType = '*') => {
const models = app.models;
const context = {
accessToken: ctx.req.accessToken,
model: models[modelId],
property: property,
modelId: modelId,
accessType: accessType,
sharedMethod: {
name: property,
aliases: [],
sharedClass: true
}
};
const acl = await models.ACL.checkAccessForContext(context);
return acl.permission == 'ALLOW';
};
};

80
modules/ticket/back/methods/sale/canEdit.js
View File

@ -1,5 +1,4 @@
const UserError = require('vn-loopback/util/user-error'); const UserError = require('vn-loopback/util/user-error');
const loopBackCtx = require('vn-loopback/server/server');
module.exports = Self => { module.exports = Self => {
Self.remoteMethodCtx('canEdit', { Self.remoteMethodCtx('canEdit', {
@ -7,7 +6,7 @@ module.exports = Self => {
accessType: 'READ', accessType: 'READ',
accepts: [{ accepts: [{
arg: 'sales', arg: 'sales',
type: ['object'], type: ['number'],
required: true required: true
}], }],
returns: { returns: {
@ -16,7 +15,7 @@ module.exports = Self => {
}, },
http: { http: {
path: `/canEdit`, path: `/canEdit`,
verb: 'get' verb: 'GET'
} }
}); });
@ -27,64 +26,39 @@ module.exports = Self => {
if (typeof options == 'object') if (typeof options == 'object')
Object.assign(myOptions, options); Object.assign(myOptions, options);
console.log(ctx.req.accessToken); const salesData = await models.Sale.find({
const token = ctx.req.accessToken; fields: ['id', 'itemFk', 'ticketFk'],
let canEditTracked = await models.ACL.checkAccessForToken(token, models.Sale, null, 'refund'); where: {id: {inq: sales}},
// const newCtx = ctx; include:
// newCtx.property = 'refund'; {
// newCtx.accessType = 'WRITE'; relation: 'item',
// newCtx.methodNames = ['refund']; scope: {
// newCtx.model = await models.Sale; fields: ['id', 'isFloramondo'],
}
}
}, myOptions);
// let canEditTracked = await models.ACL.checkAccessForContext(newCtx); const ticketId = salesData[0].ticketFk;
console.log(canEditTracked);
// let canEditTracked2 = await models.ACL.checkPermission('USER', 'developer', 'Sale', 'editTracked', 'READ'); const isTicketEditable = await models.Ticket.isEditable(ctx, ticketId, myOptions);
/* const array = ['editTracked']; if (!isTicketEditable)
const AccessContext = loopBackCtx.AccessContext; throw new UserError(`The sales of this ticket can't be modified`);
const toFind = {
principals: [{
type: 'ROLE',
id: 'employee'
}],
model: 'Sale',
property: 'editTracked',
methodNames: ['editTracked'],
accessType: 'WRITE'
};
const newContext = new AccessContext(toFind);
newContext.methodNames = ['editTracked'];
let canEditTracked3 = await models.ACL.checkAccessForContext(newContext); const hasSaleTracking = await models.SaleTracking.findOne({where: {saleFk: {inq: sales}}}, myOptions);
const hasSaleCloned = await models.SaleCloned.findOne({where: {saleClonedFk: {inq: sales}}}, myOptions);
const isTicketWeekly = await models.TicketWeekly.findOne({where: {ticketFk: ticketId}}, myOptions);
const hasSaleFloramondo = salesData.find(sale => sale.item().isFloramondo);
let canEditTracked4 = await models.ACL.checkAccessForContext({ const canEditTracked = await models.ACL.checkAccess(ctx, 'Sale', 'editTracked');
principals: [{ const canEditCloned = await models.ACL.checkAccess(ctx, 'Sale', 'editCloned');
type: 'ROLE', const canEditWeekly = await models.ACL.checkAccess(ctx, 'Ticket', 'editWeekly');
id: 'developer' const canEditFloramondo = await models.ACL.checkAccess(ctx, 'Sale', 'editFloramondo');
}],
model: 'Sale',
property: 'editTracked',
methodName: 'editTracked',
methodNames: ['editTracked'],
accessType: 'WRITE'
});
// console.log(canEditTracked);
// canEditTracked = await models.ACL.resolvePermission(canEditTracked);
// let canEditCloned = await models.ACL.checkPermission('ROLE', 'employee', 'Sale', 'editCloned', '*');
// let canEditWeekly = await models.ACL.checkPermission('ROLE', 'employee', 'Ticket', 'editWeekly', '*');
// console.log(canEditTracked, canEditTracked2);
console.log('DENY: ', canEditTracked3.permission);
console.log('ALLOW: ', canEditTracked4.permission);
const shouldEditTracked = canEditTracked || !hasSaleTracking; const shouldEditTracked = canEditTracked || !hasSaleTracking;
const shouldEditCloned = canEditCloned || !hasSaleCloned; const shouldEditCloned = canEditCloned || !hasSaleCloned;
const shouldEditWeekly = canEditWeekly || !isTicketWeekly; const shouldEditWeekly = canEditWeekly || !isTicketWeekly;
const shouldEditFloramondo = canEditFloramondo || !hasSaleFloramondo;
const canEdit = shouldEditTracked && shouldEditCloned && shouldEditWeekly; return shouldEditTracked && shouldEditCloned && shouldEditWeekly && shouldEditFloramondo;
if (canEdit)
return true;
return false;*/
}; };
}; };

366
modules/ticket/back/methods/sale/specs/canEdit.spec.js
View File

@ -1,179 +1,253 @@
const models = require('vn-loopback/server/server').models; const models = require('vn-loopback/server/server').models;
describe('sale canEdit()', () => { describe('sale canEdit()', () => {
it('should return true if the role is production regardless of the saleTrackings', async() => { const employeeId = 1;
const tx = await models.Sale.beginTransaction({});
try { describe('sale editTracked', () => {
const options = {transaction: tx}; it('should return true if the role is production regardless of the saleTrackings', async() => {
const tx = await models.Sale.beginTransaction({});
const productionUserID = 49; try {
const ctx = {req: {accessToken: {userId: productionUserID}}}; const options = {transaction: tx};
const sales = [25]; const productionUserID = 49;
const ctx = {req: {accessToken: {userId: productionUserID}}};
const result = await models.Sale.canEdit(ctx, sales, options); const sales = [25];
expect(result).toEqual(true); const result = await models.Sale.canEdit(ctx, sales, options);
await tx.rollback(); expect(result).toEqual(true);
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if the role is not production and none of the sales has saleTracking', async() => { await tx.rollback();
const tx = await models.Sale.beginTransaction({}); } catch (e) {
await tx.rollback();
try { throw e;
const options = {transaction: tx};
const salesPersonUserID = 18;
const ctx = {req: {accessToken: {userId: salesPersonUserID}}};
const sales = [10];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(true);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return false if any of the sales has a saleTracking record', async() => {
const tx = await models.Sale.beginTransaction({});
try {
const options = {transaction: tx};
const buyerId = 35;
const ctx = {req: {accessToken: {userId: buyerId}}};
const sales = [31];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return false if any of the sales is cloned', async() => {
const tx = await models.Sale.beginTransaction({});
try {
const options = {transaction: tx};
const buyerId = 35;
const ctx = {req: {accessToken: {userId: buyerId}}};
const sales = [27];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if any of the sales is cloned and has the correct role', async() => {
const tx = await models.Sale.beginTransaction({});
const roleEnabled = await models.ACL.findOne({
where: {
model: 'Sale',
property: 'editCloned'
} }
}); });
if (!roleEnabled || !roleEnabled.principalId) return;
try { it('should return true if the role is not production and none of the sales has saleTracking', async() => {
const options = {transaction: tx}; const tx = await models.Sale.beginTransaction({});
const roleId = await models.Role.findOne({ try {
where: { const options = {transaction: tx};
name: roleEnabled.principalId
}
});
const ctx = {req: {accessToken: {userId: roleId}}};
const sales = [27]; const salesPersonUserID = 18;
const ctx = {req: {accessToken: {userId: salesPersonUserID}}};
const result = await models.Sale.canEdit(ctx, sales, options); const sales = [10];
expect(result).toEqual(true); const result = await models.Sale.canEdit(ctx, sales, options);
await tx.rollback(); expect(result).toEqual(true);
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return false if any of the sales is of ticket weekly', async() => { await tx.rollback();
const tx = await models.Sale.beginTransaction({}); } catch (e) {
await tx.rollback();
try { throw e;
const options = {transaction: tx};
const employeeId = 1;
const ctx = {req: {accessToken: {userId: employeeId}}};
const sales = [33];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if any of the sales is of ticketWeekly and has the correct role', async() => {
const tx = await models.Sale.beginTransaction({});
const roleEnabled = await models.ACL.findOne({
where: {
model: 'Sale',
property: 'editWeekly'
} }
}); });
if (!roleEnabled || !roleEnabled.principalId) return;
try { it('should return false if any of the sales has a saleTracking record', async() => {
const options = {transaction: tx}; const tx = await models.Sale.beginTransaction({});
const roleId = await models.Role.findOne({ try {
const options = {transaction: tx};
const buyerId = 35;
const ctx = {req: {accessToken: {userId: buyerId}}};
const sales = [31];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});
describe('sale editCloned', () => {
it('should return false if any of the sales is cloned', async() => {
const tx = await models.Sale.beginTransaction({});
try {
const options = {transaction: tx};
const buyerId = 35;
const ctx = {req: {accessToken: {userId: buyerId}}};
const sales = [27];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if any of the sales is cloned and has the correct role', async() => {
const tx = await models.Sale.beginTransaction({});
const roleEnabled = await models.ACL.findOne({
where: { where: {
name: roleEnabled.principalId model: 'Sale',
property: 'editCloned',
permission: 'ALLOW'
} }
}); });
const ctx = {req: {accessToken: {userId: roleId}}}; if (!roleEnabled || !roleEnabled.principalId) return await tx.rollback();
try {
const options = {transaction: tx};
const role = await models.Role.findOne({
where: {
name: roleEnabled.principalId
}
});
const ctx = {req: {accessToken: {userId: role.id}}};
const sales = [27];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(true);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});
describe('ticket editWeekly', () => {
it('should return false if any of the sales is of ticket weekly', async() => {
const tx = await models.Sale.beginTransaction({});
try {
const options = {transaction: tx};
const ctx = {req: {accessToken: {userId: employeeId}}};
const sales = [33];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if any of the sales is of ticketWeekly and has the correct role', async() => {
const tx = await models.Sale.beginTransaction({});
const roleEnabled = await models.ACL.findOne({
where: {
model: 'Ticket',
property: 'editWeekly',
permission: 'ALLOW'
}
});
if (!roleEnabled || !roleEnabled.principalId) return await tx.rollback();
try {
const options = {transaction: tx};
const role = await models.Role.findOne({
where: {
name: roleEnabled.principalId
}
});
const ctx = {req: {accessToken: {userId: role.id}}};
const sales = [33];
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(true);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
});
describe('sale editFloramondo', () => {
it('should return false if any of the sales isFloramondo', async() => {
const tx = await models.Sale.beginTransaction({});
const sales = [33]; const sales = [33];
const result = await models.Sale.canEdit(ctx, sales, options); try {
const options = {transaction: tx};
expect(result).toEqual(true); const ctx = {req: {accessToken: {userId: employeeId}}};
await tx.rollback(); // For test
} catch (e) { const saleToEdit = await models.Sale.findById(sales[0], null, options);
await tx.rollback(); await saleToEdit.updateAttribute('itemFk', 9, options);
throw e;
} const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(false);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
it('should return true if any of the sales is of isFloramondo and has the correct role', async() => {
const tx = await models.Sale.beginTransaction({});
const sales = [32];
const roleEnabled = await models.ACL.findOne({
where: {
model: 'Sale',
property: 'editFloramondo',
permission: 'ALLOW'
}
});
if (!roleEnabled || !roleEnabled.principalId) return await tx.rollback();
try {
const options = {transaction: tx};
const role = await models.Role.findOne({
where: {
name: roleEnabled.principalId
}
});
const ctx = {req: {accessToken: {userId: role.id}}};
// For test
const saleToEdit = await models.Sale.findById(sales[0], null, options);
await saleToEdit.updateAttribute('itemFk', 9, options);
const result = await models.Sale.canEdit(ctx, sales, options);
expect(result).toEqual(true);
await tx.rollback();
} catch (e) {
await tx.rollback();
throw e;
}
});
}); });
}); });

4
modules/ticket/back/methods/sale/specs/reserve.spec.js
View File

@ -1,6 +1,6 @@
const models = require('vn-loopback/server/server').models; const models = require('vn-loopback/server/server').models;
fdescribe('sale reserve()', () => { describe('sale reserve()', () => {
const ctx = { const ctx = {
req: { req: {
accessToken: {userId: 1}, accessToken: {userId: 1},
@ -31,7 +31,7 @@ fdescribe('sale reserve()', () => {
expect(error).toEqual(new Error(`The sales of this ticket can't be modified`)); expect(error).toEqual(new Error(`The sales of this ticket can't be modified`));
}); });
fit('should update the given sales of a ticket to reserved', async() => { it('should update the given sales of a ticket to reserved', async() => {
const tx = await models.Sale.beginTransaction({}); const tx = await models.Sale.beginTransaction({});
try { try {

8
modules/ticket/back/methods/ticket/specs/componentUpdate.spec.js
View File

@ -1,4 +1,5 @@
const models = require('vn-loopback/server/server').models; const models = require('vn-loopback/server/server').models;
const LoopBackContext = require('loopback-context');
describe('ticket componentUpdate()', () => { describe('ticket componentUpdate()', () => {
const userID = 1101; const userID = 1101;
@ -175,10 +176,15 @@ describe('ticket componentUpdate()', () => {
} }
} }
}; };
spyOn(LoopBackContext, 'getCurrentContext').and.returnValue({
active: ctx.req
});
const oldTicket = await models.Ticket.findById(ticketID, null, options);
await models.Ticket.componentUpdate(ctx, options); await models.Ticket.componentUpdate(ctx, options);
const [newTicketID] = await models.Ticket.rawSql('SELECT MAX(id) as id FROM ticket', null, options); const [newTicketID] = await models.Ticket.rawSql('SELECT MAX(id) as id FROM ticket', null, options);
const oldTicket = await models.Ticket.findById(ticketID, null, options);
const newTicket = await models.Ticket.findById(newTicketID.id, null, options); const newTicket = await models.Ticket.findById(newTicketID.id, null, options);
const newTicketSale = await models.Sale.findOne({where: {ticketFk: args.id}}, options); const newTicketSale = await models.Sale.findOne({where: {ticketFk: args.id}}, options);