Merge pull request 'fix: prevent deleting absences for past dates' (!3346) from hotfix-restrictAbsencePrivs into master
gitea/salix/pipeline/head This commit looks good
Details
gitea/salix/pipeline/head This commit looks good
Details
Reviewed-on: #3346 Reviewed-by: Alex Moreno <alexm@verdnatura.es>
This commit is contained in:
commit
bd5610afb6
|
@ -0,0 +1,4 @@
|
|||
DELETE FROM salix.ACL WHERE property = 'canCreateAbsenceInPast';
|
||||
|
||||
INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId)
|
||||
VALUES ('Worker','canModifyAbsenceInPast','WRITE','ALLOW','ROLE','hr');
|
|
@ -58,12 +58,10 @@ module.exports = Self => {
|
|||
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
const canCreateAbsenceInPast =
|
||||
await models.ACL.checkAccessAcl(ctx, 'Worker', 'canCreateAbsenceInPast', 'WRITE');
|
||||
const now = Date.vnNew();
|
||||
const newDate = new Date(args.dated).getTime();
|
||||
|
||||
if ((now.getTime() > newDate) && !canCreateAbsenceInPast)
|
||||
if (!await Self.canModifyAbsenceInPast(ctx, newDate))
|
||||
throw new UserError(`Holidays to past days not available`);
|
||||
|
||||
const labour = await models.WorkerLabour.findById(args.businessFk,
|
||||
|
|
|
@ -53,6 +53,10 @@ module.exports = Self => {
|
|||
}
|
||||
}
|
||||
}, myOptions);
|
||||
|
||||
if (!await Self.canModifyAbsenceInPast(ctx, absence.dated.getTime()))
|
||||
throw new UserError(`Holidays to past days not available`);
|
||||
|
||||
const result = await absence.destroy(myOptions);
|
||||
const labour = absence.labour();
|
||||
const department = labour && labour.department();
|
||||
|
|
|
@ -4,6 +4,8 @@ const LoopBackContext = require('loopback-context');
|
|||
describe('Worker deleteAbsence()', () => {
|
||||
const businessId = 18;
|
||||
const workerId = 18;
|
||||
const hrId = 37;
|
||||
const salesBossId = 19;
|
||||
const activeCtx = {
|
||||
accessToken: {userId: 1106},
|
||||
headers: {origin: 'http://localhost'}
|
||||
|
@ -50,16 +52,16 @@ describe('Worker deleteAbsence()', () => {
|
|||
});
|
||||
|
||||
it('should successfully delete an absence', async() => {
|
||||
activeCtx.accessToken.userId = 19;
|
||||
activeCtx.accessToken.userId = salesBossId;
|
||||
|
||||
const tx = await app.models.Calendar.beginTransaction({});
|
||||
|
||||
const pastDate = new Date(Date.vnNow() + 24 * 60 * 60 * 1000);
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
const createdAbsence = await app.models.Calendar.create({
|
||||
businessFk: businessId,
|
||||
dayOffTypeFk: 1,
|
||||
dated: Date.vnNew()
|
||||
dated: pastDate
|
||||
}, options);
|
||||
|
||||
ctx.args = {absenceId: createdAbsence.id};
|
||||
|
@ -76,4 +78,61 @@ describe('Worker deleteAbsence()', () => {
|
|||
throw e;
|
||||
}
|
||||
});
|
||||
|
||||
it('should successfully delete an absence if the user is HR even if the date is in the past', async() => {
|
||||
activeCtx.accessToken.userId = hrId;
|
||||
const tx = await app.models.Calendar.beginTransaction({});
|
||||
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
const pastDate = new Date(Date.vnNow() - 24 * 60 * 60 * 1000); // Restar un día
|
||||
const createdAbsence = await app.models.Calendar.create({
|
||||
businessFk: businessId,
|
||||
dayOffTypeFk: 1,
|
||||
dated: pastDate
|
||||
}, options);
|
||||
|
||||
ctx.args = {absenceId: createdAbsence.id};
|
||||
await app.models.Worker.deleteAbsence(ctx, workerId, options);
|
||||
|
||||
const deletedAbsence = await app.models.Calendar.findById(createdAbsence.id, null, options);
|
||||
|
||||
expect(deletedAbsence).toBeNull();
|
||||
|
||||
await tx.rollback();
|
||||
} catch (e) {
|
||||
await tx.rollback();
|
||||
throw e;
|
||||
}
|
||||
});
|
||||
|
||||
it('should throw an error if the date is in the past', async() => {
|
||||
activeCtx.accessToken.userId = salesBossId;
|
||||
const tx = await app.models.Calendar.beginTransaction({});
|
||||
|
||||
let error;
|
||||
try {
|
||||
const options = {transaction: tx};
|
||||
const pastDate = new Date(Date.vnNow() - 24 * 60 * 60 * 1000);
|
||||
const createdAbsence = await app.models.Calendar.create({
|
||||
businessFk: businessId,
|
||||
dayOffTypeFk: 1,
|
||||
dated: pastDate
|
||||
}, options);
|
||||
|
||||
ctx.args = {absenceId: createdAbsence.id};
|
||||
await app.models.Worker.deleteAbsence(ctx, workerId, options);
|
||||
|
||||
const deletedAbsence = await app.models.Calendar.findById(createdAbsence.id, null, options);
|
||||
|
||||
expect(deletedAbsence).toBeNull();
|
||||
|
||||
await tx.rollback();
|
||||
} catch (e) {
|
||||
await tx.rollback();
|
||||
error = e;
|
||||
}
|
||||
|
||||
expect(error.message).toBe('Holidays to past days not available');
|
||||
});
|
||||
});
|
||||
|
|
|
@ -26,6 +26,13 @@ module.exports = Self => {
|
|||
message: 'Invalid TIN'
|
||||
});
|
||||
|
||||
Self.canModifyAbsenceInPast = async(ctx, time) => {
|
||||
const hasPrivs = await Self.app.models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
|
||||
const today = Date.vnNew();
|
||||
today.setHours(0, 0, 0, 0);
|
||||
return hasPrivs || today.getTime() < time;
|
||||
};
|
||||
|
||||
async function tinIsValid(err, done) {
|
||||
const country = await Self.app.models.Country.findOne({
|
||||
fields: ['code'],
|
||||
|
|
Loading…
Reference in New Issue