refs #5488 replace hasWriteRole, hasReadRole
This commit is contained in:
parent
bde81e685f
commit
c1d4281b1b
|
@ -35,14 +35,14 @@ module.exports = Self => {
|
|||
|
||||
try {
|
||||
const dms = await models.Dms.findById(id, null, myOptions);
|
||||
const trashDmsType = await models.DmsType.findOne({
|
||||
where: {code: 'trash'}
|
||||
}, myOptions);
|
||||
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk, myOptions);
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, dms.dmsTypeFk, 'WRITE', myOptions);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
const trashDmsType = await models.DmsType.findOne({
|
||||
where: {code: 'trash'}
|
||||
}, myOptions);
|
||||
await dms.updateAttribute('dmsTypeFk', trashDmsType.id, myOptions);
|
||||
|
||||
if (tx) await tx.commit();
|
||||
|
|
|
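Review bot: `dms` returned by `const dms = await models.Dms.findById(id, null, myOptions);` is dereferenced by the new `checkRole(ctx, dms.dmsTypeFk, 'WRITE', myOptions)` call without a null check, so an unknown id surfaces as a TypeError inside the try rather than a controlled error. A guard such as `if (!dms) throw new UserError('Dms not found');` before the role check keeps the failure explicit; the catch that presumably rolls the transaction back lies outside the hunk. The enclosing method starts before and ends after this hunk.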
@ -71,7 +71,7 @@ module.exports = Self => {
|
|||
}
|
||||
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId);
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ module.exports = Self => {
|
|||
|
||||
let srcFile;
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
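Review bot: The new `checkRole(ctx, args.dmsTypeId, 'WRITE')` line drops the `myOptions` argument that the replaced `hasWriteRole` call passed, so the `DmsType.findById` inside `checkRole` no longer runs under the caller's transaction options, while the otherwise identical hunk at `@ -75,7 +75,7 @@` keeps `myOptions`. Unless the omission is deliberate, restore it: `const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE', myOptions);`. The hunk at `@ -71,7 +71,7 @@` also calls without options, though its replaced line did not pass any either, so that one may be unchanged behaviour. The enclosing method starts before and ends after this hunk.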
@ -67,7 +67,7 @@ module.exports = Self => {
|
|||
|
||||
if (!image) return false;
|
||||
|
||||
const hasReadRole = models.ImageCollection.hasReadRole(ctx, collection);
|
||||
const hasReadRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', collection, 'READ');
|
||||
if (!hasReadRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
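Review bot: `if (!hasReadRole)` now relies on `models.ACL.checkAccessAcl` returning a boolean, but the removed `if (canSeeExpired.length) showExpired = true;` in the Agency hunk (`@ -41,10 +41,7 @@`) shows the helper previously returned an array, and no change to the helper is part of this commit; if it still returns an array, an empty result is truthy and this check never denies access. The same assumption underlies the ImageCollection WRITE hunk (`@ -37,7 +37,7 @@`), every `if (!hasWriteRole)` fed by `DmsType.checkRole`, and the Agency hunk where `canSeeExpired` is now bound directly as a SQL parameter. Either confirm the helper's return type or normalise at the call site, e.g. `const hasReadRole = Boolean(await models.ACL.checkAccessAcl(ctx, 'ImageCollection', collection, 'READ'));`. The replaced line also lacked `await`, so the old check tested a Promise object; the new line fixes that. The enclosing method starts before and ends after this hunk.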
@ -37,7 +37,7 @@ module.exports = Self => {
|
|||
|
||||
let tempFilePath;
|
||||
try {
|
||||
const hasWriteRole = await models.ImageCollection.hasWriteRole(ctx, args.collection);
|
||||
const hasWriteRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', args.collection, 'WRITE');
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
@ -1,65 +1,18 @@
|
|||
module.exports = Self => {
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read privileges over a dms
|
||||
*
|
||||
* @param {Object} ctx - Request context
|
||||
* @param {Interger} id - DmsType id
|
||||
* @param {Object} options - Query options
|
||||
* @return {Boolean} True for user with read privileges
|
||||
*/
|
||||
Self.hasReadRole = async(ctx, id, options) => {
|
||||
const models = Self.app.models;
|
||||
const dmsType = await models.DmsType.findById(id, {
|
||||
include: {
|
||||
relation: 'readRole'
|
||||
}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, dmsType, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* write privileges over a dms
|
||||
*
|
||||
* @param {Object} ctx - Request context
|
||||
* @param {Interger} id - DmsType id
|
||||
* @param {String} type - Acl accessType
|
||||
* @param {Object} options - Query options
|
||||
* @return {Boolean} True for user with write privileges
|
||||
*/
|
||||
Self.hasWriteRole = async(ctx, id, options) => {
|
||||
Self.checkRole = async(ctx, id, type, options) => {
|
||||
const models = Self.app.models;
|
||||
const dmsType = await models.DmsType.findById(id, {
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
}
|
||||
}, options);
|
||||
const dmsType = await models.DmsType.findById(id, {fields: ['code']}, options);
|
||||
|
||||
return await hasRole(ctx, dmsType, options);
|
||||
return await models.ACL.checkAccessAcl(ctx, 'DmsType', dmsType.code, type);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read or write privileges
|
||||
* @param {Object} ctx - Context
|
||||
* @param {Object} dmsType - Dms type [read/write]
|
||||
* @param {Object} options - Query options
|
||||
*/
|
||||
async function hasRole(ctx, dmsType, options) {
|
||||
const models = Self.app.models;
|
||||
const myUserId = ctx.req.accessToken.userId;
|
||||
|
||||
const readRole = dmsType.readRole() && dmsType.readRole().name;
|
||||
const writeRole = dmsType.writeRole() && dmsType.writeRole().name;
|
||||
const requiredRole = readRole || writeRole;
|
||||
|
||||
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
|
||||
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
|
||||
|
||||
if (isRoot || hasRequiredRole)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
};
|
||||
|
|
|
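Review bot: `dmsType.code` in the new `return await models.ACL.checkAccessAcl(ctx, 'DmsType', dmsType.code, type);` is read without checking that `findById` found a row, so an unknown id throws a TypeError rather than denying; adding `if (!dmsType) return false;` between the lookup and the return keeps the result a boolean as the JSDoc promises. The retained JSDoc still describes the method as checking "write privileges over a dms" and documents `@return {Boolean} True for user with write privileges`, which no longer matches a `type`-parameterised `checkRole`; reword it to "read or write privileges over a dms, selected by `type`" and fix the `{Interger}` typo while touching it. The `options` argument is still used for `findById` but is not forwarded to `checkAccessAcl`, whose signature is not in this diff, so whether it can honour query options is worth confirming. The removed `hasRole` also granted the `root` role unconditionally; the new path only grants what the seeded `DmsType` ACL rows state, so that behaviour now depends on those rows and on role inheritance.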
@ -38,10 +38,27 @@
|
|||
"foreignKey": "writeRoleFk"
|
||||
}
|
||||
},
|
||||
"acls": [{
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
}]
|
||||
}
|
||||
"acls": [
|
||||
{
|
||||
"property": "find",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
},
|
||||
{
|
||||
"property": "findById",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
},
|
||||
{
|
||||
"property": "findOne",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
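Review bot: The blanket `$everyone` READ rule is replaced by rules scoped to `find`, `findById` and `findOne`, which narrows exposure in the right direction, but any other READ-type remote this model exposes (LoopBack's built-in `count` or `exists`, if enabled) no longer matches a rule and falls back to the model's default permission, which is not visible here. Worth confirming against the model's enabled remotes and recording in the commit message that the narrowing is intentional.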
@ -7,11 +7,11 @@ module.exports = Self => {
|
|||
require('../methods/dms/updateFile')(Self);
|
||||
require('../methods/dms/deleteTrashFiles')(Self);
|
||||
|
||||
Self.checkRole = async function(ctx, id) {
|
||||
Self.checkRole = async function(ctx, id, type) {
|
||||
const models = Self.app.models;
|
||||
const dms = await Self.findById(id);
|
||||
|
||||
return await models.DmsType.hasReadRole(ctx, dms.dmsTypeFk);
|
||||
return await models.DmsType.checkRole(ctx, dms.dmsTypeFk, type);
|
||||
};
|
||||
|
||||
Self.getFile = async function(id) {
|
||||
|
|
|
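Review bot: `dms.dmsTypeFk` in the new `return await models.DmsType.checkRole(ctx, dms.dmsTypeFk, type);` is read without checking that `Self.findById(id)` returned a row, so an unknown id surfaces as a TypeError rather than a denial; `if (!dms) return false;` after the lookup keeps the method boolean-valued. The added `type` parameter is forwarded as-is, so a caller not updated to the new signature passes `undefined` as the access type; what `checkAccessAcl` does with an undefined access type is not visible in this diff, so a guard such as `if (!type) return false;` would make that case fail closed. The method has no JSDoc; a header with `@param {Object} ctx - Request context`, `@param {Number} id - Dms id`, `@param {String} type - Acl accessType (READ or WRITE)` and `@return {Boolean}` would match the style of the DmsType model.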
@ -1,64 +0,0 @@
|
|||
module.exports = Self => {
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read privileges over a collection
|
||||
*
|
||||
* @param {object} ctx - Request context
|
||||
* @param {interger} name - Collection name
|
||||
* @param {object} options - Query options
|
||||
* @return {boolean} True for user with read privileges
|
||||
*/
|
||||
Self.hasReadRole = async(ctx, name, options) => {
|
||||
const collection = await Self.findOne({where: {name}}, {
|
||||
include: {
|
||||
relation: 'readRole'
|
||||
}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, collection, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* write privileges over a collection
|
||||
*
|
||||
* @param {object} ctx - Request context
|
||||
* @param {string} name - Collection name
|
||||
* @param {object} options - Query options
|
||||
* @return {boolean} True for user with write privileges
|
||||
*/
|
||||
Self.hasWriteRole = async(ctx, name, options) => {
|
||||
const collection = await Self.findOne({
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
},
|
||||
where: {name}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, collection, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read or write privileges
|
||||
* @param {Object} ctx - Context
|
||||
* @param {Object} collection - Collection [read/write]
|
||||
* @param {Object} options - Query options
|
||||
*/
|
||||
async function hasRole(ctx, collection, options) {
|
||||
const models = Self.app.models;
|
||||
const myUserId = ctx.req.accessToken.userId;
|
||||
|
||||
const readRole = collection.readRole() && collection.readRole().name;
|
||||
const writeRole = collection.writeRole() && collection.writeRole().name;
|
||||
const requiredRole = readRole || writeRole;
|
||||
|
||||
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
|
||||
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
|
||||
|
||||
if (isRoot || hasRequiredRole)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
};
|
|
@ -37,14 +37,14 @@ describe('Dms', () => {
|
|||
const dmsId = 1;
|
||||
it('should return a true for an employee with permission', async() => {
|
||||
let ctx = {req: {accessToken: {userId: 1107}}};
|
||||
const result = await Dms.checkRole(ctx, dmsId);
|
||||
const result = await Dms.checkRole(ctx, dmsId, 'READ');
|
||||
|
||||
expect(result).toBeTruthy();
|
||||
});
|
||||
|
||||
it('should return false for an employee without permission', async() => {
|
||||
let ctx = {req: {accessToken: {userId: 1101}}};
|
||||
const result = await Dms.checkRole(ctx, dmsId);
|
||||
const result = await Dms.checkRole(ctx, dmsId, 'READ');
|
||||
|
||||
expect(result).toBeFalsy();
|
||||
});
|
||||
|
|
|
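Review bot: Both specs still only exercise `Dms.checkRole` with `'READ'`, so the new `type` parameter's WRITE path, which the delete and upload methods in this commit rely on, has no coverage. A further case such as `const result = await Dms.checkRole(ctx, dmsId, 'WRITE');` for a user with and one without the write role would pin the new behaviour.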
@ -1,6 +1,8 @@
|
|||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
VALUES
|
||||
('Ticket', 'editDiscount', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Ticket', 'editDiscount', 'WRITE', 'ALLOW', 'ROLE', 'salesPerson');
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative');
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss');
|
||||
('Ticket', 'editDiscount', 'WRITE', 'ALLOW', 'ROLE', 'salesPerson'),
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
|
||||
('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');
|
|
@ -0,0 +1,22 @@
|
|||
-- DmsType model
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.readRoleFk;
|
||||
|
||||
-- ImageCollection model
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ImageCollection', i.name, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `hedera`.`imageCollection` i
|
||||
JOIN `account`.`role` r ON r.id = i.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ImageCollection', i.name, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `hedera`.`imageCollection` i
|
||||
JOIN `account`.`role` r ON r.id = i.readRoleFk;
|
||||
|
|
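Review bot: The four INSERT ... SELECT statements inner-join `account`.`role`, so any `dmsType` or `imageCollection` row whose `readRoleFk`/`writeRoleFk` is NULL gets no ACL row at all; under the removed `hasRole` code such a type was still reachable by `root`, under the new `checkAccessAcl` path it is reachable by nobody unless the helper has its own root bypass. The fixtures hunk (`@ -2320,26 +2320,36 @@`) sidesteps this by rewriting every NULL role to 1, so the tests no longer exercise the NULL case that production data may still contain. Consider a follow-up statement for NULL foreign keys, or a comment in the migration such as `-- types with NULL read/write role intentionally get no ACL row`. The migration is also not idempotent: re-running it inserts duplicate rows unless `salix`.`ACL` has a unique key over (model, property, accessType, principalId), which is not visible here.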
@ -2320,26 +2320,36 @@ INSERT INTO `vn`.`workerTimeControl`(`userFk`, `timed`, `manual`, `direction`, `
|
|||
|
||||
INSERT INTO `vn`.`dmsType`(`id`, `name`, `path`, `readRoleFk`, `writeRoleFk`, `code`)
|
||||
VALUES
|
||||
(1, 'Facturas Recibidas', 'recibidas', NULL, NULL, 'invoiceIn'),
|
||||
(2, 'Doc oficial', 'oficial', NULL, NULL, 'officialDoc'),
|
||||
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
|
||||
(4, 'Albaranes recibidos', 'entradas', NULL, NULL, 'deliveryNote'),
|
||||
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
|
||||
(6, 'Pruebas', 'pruebas', NULL, NULL, 'tests'),
|
||||
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
|
||||
(8, 'Fiscal', 'fiscal', NULL, NULL, 'fiscal'),
|
||||
(9, 'Vehiculos', 'vehiculos', NULL, NULL, 'vehicles'),
|
||||
(10, 'Plantillas', 'plantillas', NULL, NULL, 'templates'),
|
||||
(11, 'Contratos', 'contratos', NULL, NULL, 'contracts'),
|
||||
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
|
||||
(13, 'Basura', 'basura', 1, 1, 'trash'),
|
||||
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
|
||||
(15, 'Presupuestos', 'Presupuestos', NULL, NULL, 'budgets'),
|
||||
(16, 'Logistica', 'logistica', NULL, NULL, 'logistics'),
|
||||
(17, 'cmr', 'cmr', NULL, NULL, 'cmr'),
|
||||
(18, 'dua', 'dua', NULL, NULL, 'dua'),
|
||||
(19, 'inmovilizado', 'inmovilizado', NULL, NULL, 'fixedAssets'),
|
||||
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
|
||||
(1, 'Facturas Recibidas', 'recibidas', 1, 1, 'invoiceIn'),
|
||||
(2, 'Doc oficial', 'oficial', 1, 1, 'officialDoc'),
|
||||
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
|
||||
(4, 'Albaranes recibidos', 'entradas', 1, 1, 'deliveryNote'),
|
||||
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
|
||||
(6, 'Pruebas', 'pruebas', 1, 1, 'tests'),
|
||||
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
|
||||
(8, 'Fiscal', 'fiscal', 1, 1, 'fiscal'),
|
||||
(9, 'Vehiculos', 'vehiculos', 1, 1, 'vehicles'),
|
||||
(10, 'Plantillas', 'plantillas', 1, 1, 'templates'),
|
||||
(11, 'Contratos', 'contratos', 1, 1, 'contracts'),
|
||||
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
|
||||
(13, 'Basura', 'basura', 1, 1, 'trash'),
|
||||
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
|
||||
(15, 'Presupuestos', 'Presupuestos', 1, 1, 'budgets'),
|
||||
(16, 'Logistica', 'logistica', 1, 1, 'logistics'),
|
||||
(17, 'cmr', 'cmr', 1, 1, 'cmr'),
|
||||
(18, 'dua', 'dua', 1, 1, 'dua'),
|
||||
(19, 'inmovilizado', 'inmovilizado', 1, 1, 'fixedAssets'),
|
||||
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.readRoleFk;
|
||||
|
||||
INSERT INTO `vn`.`dms`(`id`, `dmsTypeFk`, `file`, `contentType`, `workerFk`, `warehouseFk`, `companyFk`, `hardCopyNumber`, `hasFile`, `reference`, `description`, `created`)
|
||||
VALUES
|
||||
|
|
|
@ -75,7 +75,7 @@ module.exports = Self => {
|
|||
|
||||
let srcFile;
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE', myOptions);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ describe('Item editFixedPrice()', () => {
|
|||
const options = {transaction: tx};
|
||||
|
||||
try {
|
||||
const filter = {'it.categoryFk': 1};
|
||||
const filter = {where: {'it.categoryFk': 1}};
|
||||
const ctx = {
|
||||
args: {
|
||||
filter: filter
|
||||
|
@ -48,7 +48,7 @@ describe('Item editFixedPrice()', () => {
|
|||
const field = 'rate2';
|
||||
const newValue = 88;
|
||||
|
||||
await models.FixedPrice.editFixedPrice(ctx, field, newValue, null, filter, options);
|
||||
await models.FixedPrice.editFixedPrice(ctx, field, newValue, null, filter.where, options);
|
||||
|
||||
const [result] = await models.FixedPrice.filter(ctx, filter, options);
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ module.exports = Self => {
|
|||
});
|
||||
|
||||
Self.downloadFile = async function(ctx, id) {
|
||||
if (!await Self.app.models.Dms.checkRole(ctx, id) && !await Self.isMine(ctx, id))
|
||||
if (!await Self.app.models.Dms.checkRole(ctx, id, 'READ') && !await Self.isMine(ctx, id))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
return await Self.app.models.Dms.getFile(id);
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
const app = require('vn-loopback/server/server');
|
||||
const models = require('vn-loopback/server/server').models;
|
||||
|
||||
describe('worker-dms downloadFile()', () => {
|
||||
let dmsId = 4;
|
||||
|
@ -6,7 +6,7 @@ describe('worker-dms downloadFile()', () => {
|
|||
it('should return a response for an employee with text content-type', async() => {
|
||||
let workerId = 1106;
|
||||
let ctx = {req: {accessToken: {userId: workerId}}};
|
||||
const result = await app.models.WorkerDms.downloadFile(ctx, dmsId);
|
||||
const result = await models.WorkerDms.downloadFile(ctx, dmsId);
|
||||
|
||||
expect(result[1]).toEqual('text/plain');
|
||||
});
|
||||
|
@ -17,7 +17,7 @@ describe('worker-dms downloadFile()', () => {
|
|||
|
||||
let error;
|
||||
try {
|
||||
await app.models.WorkerDms.downloadFile(ctx, dmsId);
|
||||
await models.WorkerDms.downloadFile(ctx, dmsId);
|
||||
} catch (e) {
|
||||
error = e;
|
||||
}
|
||||
|
|
|
@ -41,10 +41,7 @@ module.exports = Self => {
|
|||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const canSeeExpired = await models.ACL.checkAccessAcl(ctx, 'Agency', 'editDiscount');
|
||||
|
||||
let showExpired = false;
|
||||
if (canSeeExpired.length) showExpired = true;
|
||||
const canSeeExpired = await models.ACL.checkAccessAcl(ctx, 'Agency', 'seeExpired', 'READ');
|
||||
|
||||
const stmts = [];
|
||||
stmts.push(new ParameterizedSQL(
|
||||
|
@ -53,7 +50,7 @@ module.exports = Self => {
|
|||
addressFk,
|
||||
agencyModeFk,
|
||||
warehouseFk,
|
||||
showExpired
|
||||
canSeeExpired
|
||||
]
|
||||
));
|
||||
|
||||
|
|