diff --git a/db/dump/fixtures.before.sql b/db/dump/fixtures.before.sql index 61d46d133..783feaca0 100644 --- a/db/dump/fixtures.before.sql +++ b/db/dump/fixtures.before.sql @@ -3911,4 +3911,3 @@ VALUES(1, ''); INSERT INTO dipole.expedition_PrintOut (expeditionFk, ticketFk, addressFk, street, postalCode, city, shopName, isPrinted, created, printerFk, routeFk, parkingCode, truckName, clientFk, phone, province, agency, m3, workerCode, itemFk, quantity, longName, shelvingFk, comments) VALUES(1, 1, 0, ' ', ' ', ' ', ' ', 0, '2001-01-01 00:00:00', 1, 0, ' ', ' ', 0, NULL, '', NULL, 0.000, NULL, 10, NULL, NULL, 'NCC', NULL); - diff --git a/db/versions/11118-limeCymbidium/00-firstScript.sql b/db/versions/11118-limeCymbidium/00-firstScript.sql new file mode 100644 index 000000000..3921a8a13 --- /dev/null +++ b/db/versions/11118-limeCymbidium/00-firstScript.sql @@ -0,0 +1,21 @@ + +INSERT IGNORE INTO salix.ACL (`model`,`property`,`accessType`,`permission`,`principalType`,`principalId`) + VALUES ('Entry','filter','READ','ALLOW','ROLE','supplier'); + +INSERT IGNORE INTO salix.ACL (`model`,`property`,`accessType`,`permission`,`principalType`,`principalId`) + VALUES ('Entry','getBuys','READ','ALLOW','ROLE','supplier'); + +INSERT IGNORE INTO salix.ACL (`model`,`property`,`accessType`,`permission`,`principalType`,`principalId`) + VALUES ('Entry','buyLabel','READ','ALLOW','ROLE','supplier'); + +INSERT IGNORE INTO `account`.`role` (`name`,`description`,`hasLogin`,`created`,`modified`) + VALUES ('supplier','Proveedores',1,'2017-10-10 14:58:58.000','2017-10-10 14:59:20.000'); +SET @supplierFk =LAST_INSERT_ID(); +INSERT IGNORE INTO account.roleInherit (`role`,`inheritsFrom`) + VALUES (@supplierFk,2); + +UPDATE salix.ACL + SET principalId='$authenticated' + WHERE id=264; + + diff --git a/loopback/common/methods/schema/model-info.js b/loopback/common/methods/schema/model-info.js index 0648deb80..74d764475 100644 --- a/loopback/common/methods/schema/model-info.js +++ b/loopback/common/methods/schema/model-info.js @@ -92,6 +92,7 @@ module.exports = Self => { const locale = modelLocale && modelLocale.get(lang); json[modelName] = { + http: model.sharedClass.http.path, properties: model.definition.rawProperties, validations: jsonValidations, locale diff --git a/modules/entry/back/methods/entry/buyLabel.js b/modules/entry/back/methods/entry/buyLabel.js index 650b05c97..d9b0ebf1d 100644 --- a/modules/entry/back/methods/entry/buyLabel.js +++ b/modules/entry/back/methods/entry/buyLabel.js @@ -29,7 +29,8 @@ module.exports = Self => { http: { path: '/:id/buy-label', verb: 'GET' - } + }, + accessScopes: ['DEFAULT', 'read:multimedia'] }); Self.buyLabel = (ctx, id) => Self.printReport(ctx, id, 'buy-label'); diff --git a/modules/entry/back/methods/entry/filter.js b/modules/entry/back/methods/entry/filter.js index 1cd12b737..9bbce1c95 100644 --- a/modules/entry/back/methods/entry/filter.js +++ b/modules/entry/back/methods/entry/filter.js @@ -112,7 +112,6 @@ module.exports = Self => { if (typeof options == 'object') Object.assign(myOptions, options); - const conn = Self.dataSource.connector; const where = buildFilter(ctx.args, (param, value) => { switch (param) { @@ -146,7 +145,12 @@ module.exports = Self => { } }); filter = mergeFilters(ctx.args.filter, {where}); - + const userId = ctx.req.accessToken.userId; + const isSupplier = await Self.app.models.Supplier.findById(userId, options); + if (isSupplier) { + if (!filter.where) filter.where = {}; + filter.where[`e.supplierFk`] = ctx.req.accessToken.userId; + } const stmts = []; let stmt; stmt = new ParameterizedSQL( @@ -158,7 +162,7 @@ module.exports = Self => { e.invoiceNumber, e.isBooked, e.isExcludedFromAvailable, - e.evaNotes AS observation, + e.evaNotes observation, e.isConfirmed, e.isOrdered, e.isRaid, @@ -170,13 +174,18 @@ module.exports = Self => { e.gestDocFk, e.invoiceInFk, t.landed, - s.name AS supplierName, - s.nickname AS supplierAlias, - co.code AS companyCode, - cu.code AS currencyCode + s.name supplierName, + s.nickname supplierAlias, + co.code companyCode, + cu.code currencyCode, + t.shipped, + t.landed, + t.warehouseInFk, + w.name warehouseInName FROM vn.entry e JOIN vn.supplier s ON s.id = e.supplierFk JOIN vn.travel t ON t.id = e.travelFk + JOIN vn.warehouse w ON w.id = t.warehouseInFk JOIN vn.company co ON co.id = e.companyFk JOIN vn.currency cu ON cu.id = e.currencyFk` ); diff --git a/modules/entry/back/methods/entry/getBuys.js b/modules/entry/back/methods/entry/getBuys.js index 0ed77e8d1..444e6cb14 100644 --- a/modules/entry/back/methods/entry/getBuys.js +++ b/modules/entry/back/methods/entry/getBuys.js @@ -1,7 +1,9 @@ +const UserError = require('vn-loopback/util/user-error'); + const mergeFilters = require('vn-loopback/util/filter').mergeFilters; module.exports = Self => { - Self.remoteMethod('getBuys', { + Self.remoteMethodCtx('getBuys', { description: 'Returns buys for one entry', accessType: 'READ', accepts: [{ @@ -27,13 +29,19 @@ module.exports = Self => { } }); - Self.getBuys = async(id, filter, options) => { + Self.getBuys = async(ctx, id, filter, options) => { + const userId = ctx.req.accessToken.userId; const models = Self.app.models; const myOptions = {}; if (typeof options == 'object') Object.assign(myOptions, options); + const isSupplier = await Self.app.models.Supplier.findById(userId, myOptions); + if (isSupplier) { + const isEntryOwner = (await Self.findById(id)).supplierFk === userId; + if (!isEntryOwner) throw new UserError('Access Denied'); + } let defaultFilter = { where: {entryFk: id}, fields: [ @@ -49,9 +57,23 @@ module.exports = Self => { 'buyingValue', 'price2', 'price3', - 'printedStickers' + 'printedStickers', + 'entryFk' ], - include: { + include: [{ + relation: 'entry', + scope: { + fields: [ + 'id', 'supplierFk' + ], + include: { + relation: 'supplier', scope: { + fields: ['id'] + } + } + } + }, + { relation: 'item', scope: { fields: [ @@ -82,9 +104,8 @@ module.exports = Self => { } } } - } + }] }; - defaultFilter = mergeFilters(defaultFilter, filter); return models.Buy.find(defaultFilter, myOptions); diff --git a/modules/entry/back/methods/entry/specs/filter.spec.js b/modules/entry/back/methods/entry/specs/filter.spec.js index 28763bc81..9d954cdc4 100644 --- a/modules/entry/back/methods/entry/specs/filter.spec.js +++ b/modules/entry/back/methods/entry/specs/filter.spec.js @@ -9,7 +9,8 @@ describe('Entry filter()', () => { const ctx = { args: { search: 1 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -32,7 +33,8 @@ describe('Entry filter()', () => { const ctx = { args: { currencyFk: 1 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -46,26 +48,73 @@ describe('Entry filter()', () => { } }); - it('should return the entry matching the supplier', async() => { - const tx = await models.Entry.beginTransaction({}); - const options = {transaction: tx}; + describe('should return the entry matching the supplier', () => { + it('when userId is supplier ', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; - try { - const ctx = { - args: { - supplierFk: 2 - } - }; + try { + const ctx = { + args: {}, + req: {accessToken: {userId: 2}} + }; - const result = await models.Entry.filter(ctx, options); + const result = await models.Entry.filter(ctx, options); - expect(result.length).toEqual(6); + expect(result.length).toEqual(6); - await tx.rollback(); - } catch (e) { - await tx.rollback(); - throw e; - } + await tx.rollback(); + } catch (e) { + await tx.rollback(); + throw e; + } + }); + + it('when userId is supplier fetching other supplier', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; + + try { + const ctx = { + args: { + supplierFk: 1 + }, + req: {accessToken: {userId: 2}} + }; + + const result = await models.Entry.filter(ctx, options); + + expect(result.length).toEqual(6); + + await tx.rollback(); + } catch (e) { + await tx.rollback(); + throw e; + } + }); + + it('when userId is not supplier', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; + + try { + const ctx = { + args: { + supplierFk: 2 + }, + req: {accessToken: {userId: 9}} + }; + + const result = await models.Entry.filter(ctx, options); + + expect(result.length).toEqual(6); + + await tx.rollback(); + } catch (e) { + await tx.rollback(); + throw e; + } + }); }); it('should return the entry matching the company', async() => { @@ -76,7 +125,8 @@ describe('Entry filter()', () => { const ctx = { args: { companyFk: 442 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -98,7 +148,8 @@ describe('Entry filter()', () => { const ctx = { args: { isBooked: true, - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -121,7 +172,8 @@ describe('Entry filter()', () => { args: { reference: 'movement', travelFk: '2' - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); diff --git a/modules/entry/back/methods/entry/specs/getBuys.spec.js b/modules/entry/back/methods/entry/specs/getBuys.spec.js index cf4462e48..cb7f7cb80 100644 --- a/modules/entry/back/methods/entry/specs/getBuys.spec.js +++ b/modules/entry/back/methods/entry/specs/getBuys.spec.js @@ -1,24 +1,82 @@ +const UserError = require('vn-loopback/util/user-error'); const models = require('vn-loopback/server/server').models; describe('entry getBuys()', () => { const entryId = 4; - it('should get the buys and items of an entry', async() => { - const tx = await models.Entry.beginTransaction({}); - const options = {transaction: tx}; + describe('should get the buys and items of an entry ', () => { + it('when is supplier and entry owner', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; - try { - const result = await models.Entry.getBuys(entryId, options); + try { + const ctx = { + args: { + search: 1 + }, + req: {accessToken: {userId: 2}} + }; - const length = result.length; - const anyResult = result[Math.floor(Math.random() * Math.floor(length))]; + const result = await models.Entry.getBuys(ctx, entryId, options); - expect(result.length).toEqual(4); - expect(anyResult.item).toBeDefined(); + const length = result.length; + const anyResult = result[Math.floor(Math.random() * Math.floor(length))]; - await tx.rollback(); - } catch (e) { - await tx.rollback(); - throw e; - } + expect(result.length).toEqual(4); + expect(anyResult.item).toBeDefined(); + + await tx.rollback(); + } catch (e) { + await tx.rollback(); + throw e; + } + }); + + it('when is supplier but not entry owner', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; + const entryId = 1; + try { + const ctx = { + args: { + search: 1 + }, + req: {accessToken: {userId: 2}} + }; + + const result = await models.Entry.getBuys(ctx, entryId, options); + + expect(result).toBeUndefined(); + } catch (error) { + expect(error).toBeInstanceOf(UserError); + expect(error.message).toBe('Access Denied'); + } + }); + + it('when is not supplier', async() => { + const tx = await models.Entry.beginTransaction({}); + const options = {transaction: tx}; + + try { + const ctx = { + args: { + search: 1 + }, + req: {accessToken: {userId: 9}} + }; + + const result = await models.Entry.getBuys(ctx, entryId, options); + + const length = result.length; + const anyResult = result[Math.floor(Math.random() * Math.floor(length))]; + + expect(result.length).toEqual(4); + expect(anyResult.item).toBeDefined(); + + await tx.rollback(); + } catch (e) { + await tx.rollback(); + throw e; + } + }); }); });