Merge pull request 'fix: prevent deleting absences for past dates' (!3346) from hotfix-restrictAbsencePrivs into master

Reviewed-on: #3346
Reviewed-by: Alex Moreno <alexm@verdnatura.es>

db/versions/11400-turquoiseChrysanthemum/00-firstScript.sql

@@ -0,0 +1,4 @@
+DELETE FROM salix.ACL WHERE property = 'canCreateAbsenceInPast';
+
+INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId)
+	VALUES ('Worker','canModifyAbsenceInPast','WRITE','ALLOW','ROLE','hr');

modules/worker/back/methods/worker/createAbsence.js

@@ -58,12 +58,10 @@ module.exports = Self => {
             if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
                 throw new UserError(`You don't have enough privileges`);
 
-            const canCreateAbsenceInPast =
-                await models.ACL.checkAccessAcl(ctx, 'Worker', 'canCreateAbsenceInPast', 'WRITE');
             const now = Date.vnNew();
             const newDate = new Date(args.dated).getTime();
 
-            if ((now.getTime() > newDate) && !canCreateAbsenceInPast)
+            if (!await Self.canModifyAbsenceInPast(ctx, newDate))
                 throw new UserError(`Holidays to past days not available`);
 
             const labour = await models.WorkerLabour.findById(args.businessFk,

modules/worker/back/methods/worker/deleteAbsence.js

@@ -53,6 +53,10 @@ module.exports = Self => {
                     }
                 }
             }, myOptions);
+
+            if (!await Self.canModifyAbsenceInPast(ctx, absence.dated.getTime()))
+                throw new UserError(`Holidays to past days not available`);
+
             const result = await absence.destroy(myOptions);
             const labour = absence.labour();
             const department = labour && labour.department();

modules/worker/back/methods/worker/specs/deleteAbsence.spec.js

@@ -4,6 +4,8 @@ const LoopBackContext = require('loopback-context');
 describe('Worker deleteAbsence()', () => {
     const businessId = 18;
     const workerId = 18;
+    const hrId = 37;
+    const salesBossId = 19;
     const activeCtx = {
         accessToken: {userId: 1106},
         headers: {origin: 'http://localhost'}
@@ -50,16 +52,16 @@ describe('Worker deleteAbsence()', () => {
     });
 
     it('should successfully delete an absence', async() => {
-        activeCtx.accessToken.userId = 19;
+        activeCtx.accessToken.userId = salesBossId;
 
         const tx = await app.models.Calendar.beginTransaction({});
-
+        const pastDate = new Date(Date.vnNow() + 24 * 60 * 60 * 1000);
         try {
             const options = {transaction: tx};
             const createdAbsence = await app.models.Calendar.create({
                 businessFk: businessId,
                 dayOffTypeFk: 1,
-                dated: Date.vnNew()
+                dated: pastDate
             }, options);
 
             ctx.args = {absenceId: createdAbsence.id};
@@ -76,4 +78,61 @@ describe('Worker deleteAbsence()', () => {
             throw e;
         }
     });
+
+    it('should successfully delete an absence if the user is HR even if the date is in the past', async() => {
+        activeCtx.accessToken.userId = hrId;
+        const tx = await app.models.Calendar.beginTransaction({});
+
+        try {
+            const options = {transaction: tx};
+            const pastDate = new Date(Date.vnNow() - 24 * 60 * 60 * 1000); // Restar un día
+            const createdAbsence = await app.models.Calendar.create({
+                businessFk: businessId,
+                dayOffTypeFk: 1,
+                dated: pastDate
+            }, options);
+
+            ctx.args = {absenceId: createdAbsence.id};
+            await app.models.Worker.deleteAbsence(ctx, workerId, options);
+
+            const deletedAbsence = await app.models.Calendar.findById(createdAbsence.id, null, options);
+
+            expect(deletedAbsence).toBeNull();
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            throw e;
+        }
+    });
+
+    it('should throw an error if the date is in the past', async() => {
+        activeCtx.accessToken.userId = salesBossId;
+        const tx = await app.models.Calendar.beginTransaction({});
+
+        let error;
+        try {
+            const options = {transaction: tx};
+            const pastDate = new Date(Date.vnNow() - 24 * 60 * 60 * 1000);
+            const createdAbsence = await app.models.Calendar.create({
+                businessFk: businessId,
+                dayOffTypeFk: 1,
+                dated: pastDate
+            }, options);
+
+            ctx.args = {absenceId: createdAbsence.id};
+            await app.models.Worker.deleteAbsence(ctx, workerId, options);
+
+            const deletedAbsence = await app.models.Calendar.findById(createdAbsence.id, null, options);
+
+            expect(deletedAbsence).toBeNull();
+
+            await tx.rollback();
+        } catch (e) {
+            await tx.rollback();
+            error = e;
+        }
+
+        expect(error.message).toBe('Holidays to past days not available');
+    });
 });

modules/worker/back/models/worker.js

@@ -26,6 +26,13 @@ module.exports = Self => {
         message: 'Invalid TIN'
     });
 
+    Self.canModifyAbsenceInPast = async(ctx, time) => {
+        const hasPrivs = await Self.app.models.ACL.checkAccessAcl(ctx, 'Worker', 'canModifyAbsenceInPast', 'WRITE');
+        const today = Date.vnNew();
+        today.setHours(0, 0, 0, 0);
+        return hasPrivs || today.getTime() < time;
+    };
+
     async function tinIsValid(err, done) {
         const country = await Self.app.models.Country.findOne({
             fields: ['code'],