diff --git a/back/methods/notification/deleteSubcription.js b/back/methods/notification/deleteSubcription.js
deleted file mode 100644
index 9095613fe..000000000
--- a/back/methods/notification/deleteSubcription.js
+++ /dev/null
@@ -1,56 +0,0 @@
-module.exports = Self => {
- Self.remoteMethod('deleteSubscription', {
- description: 'delete a notification subscription',
- accessType: 'WRITE',
- accepts: [
- {
- arg: 'notificationId',
- type: 'string',
- required: true
- },
- {
- arg: 'userId',
- type: 'string',
- required: true
- }
- ],
- returns: {
- type: 'object',
- root: true
- },
- http: {
- path: `/deleteSubscription`,
- verb: 'POST'
- }
- });
-
- Self.deleteSubscription = async(notificationId, userId, options) => {
- const myOptions = {};
- let tx;
-
- if (typeof options == 'object')
-
- Object.assign(myOptions, options);
-
- if (!myOptions.transaction) {
- tx = await Self.beginTransaction({});
-
- myOptions.transaction = tx;
- }
-
- try {
- const query = `DELETE FROM util.notificationSubscription
- WHERE notificationFk = ? AND userFk = ?`;
-
- await Self.rawSql(query, [notificationId, userId], myOptions);
-
- if (tx) await tx.commit();
-
- return {success: true};
- } catch (error) {
- if (tx) await tx.rollback();
-
- throw error;
- }
- };
-};
diff --git a/back/models/notificationSubscription.js b/back/models/notificationSubscription.js
index ce5d89e8b..83f52047b 100644
--- a/back/models/notificationSubscription.js
+++ b/back/models/notificationSubscription.js
@@ -1,3 +1,73 @@
+const UserError = require('vn-loopback/util/user-error');
+
 module.exports = Self => {
- require('../methods/notification/deleteSubcription')(Self);
+ Self.observe('before save', async function(ctx) {
+ let models = Self.app.models;
+ let userId = ctx.options.accessToken.userId;
+ let modifiedUser = await models.Worker.findOne({
+ fields: ['id', 'bossFk'],
+ where: {
+ id: ctx.instance.userFk
+ }
+ });
+
+ if (userId == modifiedUser.id || userId == modifiedUser.bossFk)
+ return;
+ else
+ throw new UserError('You dont have permission to modify this user');
+ });
+
+ Self.remoteMethod('deleteNotification', {
+ description: 'Gets the current user data',
+ accepts: [
+ {
+ arg: 'ctx',
+ type: 'object',
+ http: {source: 'context'}
+ },
+ {
+ arg: 'userId',
+ type: 'string'
+ },
+ {
+ arg: 'notificationId',
+ type: 'number'
+ },
+ {
+ arg: 'authorId',
+ type: 'number'
+ }
+ ],
+ returns: {
+ type: 'object',
+ root: true
+ },
+ http: {
+ verb: 'POST',
+ path: '/deleteNotification'
+ }
+ });
+
+ Self.deleteNotification = async function(ctx) {
+ let models = Self.app.models;
+ let user = await ctx.args.authorId;
+ let notificationId = await ctx.args.notificationId;
+ let userId = await ctx.args.userId;
+ let modifiedUser = await models.Worker.findOne({
+ fields: ['id', 'bossFk'],
+ where: {
+ id: ctx.args.userId
+ }
+ });
+
+ if (user == modifiedUser.id || modifiedUser.bossFk == user) {
+ const query = `DELETE FROM util.notificationSubscription
+ WHERE notificationFk = ? AND userFk = ?`;
+
+ await Self.rawSql(query, [notificationId, userId]);
+
+ return;
+ } else
+ throw new UserError('You dont have permission to modify this user');
+ };
 };
diff --git a/back/models/notificationSubscription.json b/back/models/notificationSubscription.json
index 11dbde6fb..43fa6db27 100644
--- a/back/models/notificationSubscription.json
+++ b/back/models/notificationSubscription.json
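Review bot: `Self.deleteNotification` decides who may delete by `ctx.args.authorId`, a value the client supplies in the request body, so any caller can name the target user or that user's boss as the author and pass the check; the acting user has to come from the access token, `const user = ctx.req.accessToken.userId;`, and `authorId` should be dropped from `accepts` so it is never read. The `await` on each `ctx.args.*` read does nothing, since those are plain values, and `userId`/`notificationId` arrive with the types declared in `accepts` rather than via the context. `modifiedUser` is dereferenced without a null check in both the hook and the method, so an unknown `userFk` produces a TypeError (HTTP 500) instead of the intended UserError; add `if (!modifiedUser) throw new UserError('You dont have permission to modify this user');` after each `findOne`. The `description` value 'Gets the current user data' looks copied from another method and should describe the delete.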
@@ -9,6 +9,7 @@
 "properties": {
 "notificationFk": {
 "type": "number",
+ "id": true,
 "description": "Identifier"
 },
 "userFk": {
diff --git a/db/changes/230201/00-acl_notifications.sql b/db/changes/230201/00-acl_notifications.sql
index ef710aca6..c206dd27f 100644
--- a/db/changes/230201/00-acl_notifications.sql
+++ b/db/changes/230201/00-acl_notifications.sql
@@ -1,3 +1,11 @@
- VALUES
- ('NotificationSubscription','*','*','employee'),
- ('NotificationAcl','*','*','employee');
\ No newline at end of file
+INSERT INTO
+ `salix`.`ACL` (
+ `model`,
+ `property`,
+ `accessType`,
+ `permission`,
+ `principalId`
+ )
+VALUES
+ ('NotificationSubscription', '*', '*', 'employee'),
+ ('NotificationAcl', '*', '*', 'employee');
\ No newline at end of file
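Review bot: Marking `notificationFk` alone as `"id": true` makes LoopBack address a subscription row by notification only, yet the DELETE added to `notificationSubscription.js` in this same commit keys rows on both `notificationFk` and `userFk`, which suggests a row is unique per (notification, user) pair rather than per notification. If that is so, the generated `findById`/`deleteById`/`PUT /:id` routes would resolve an arbitrary one of several users' rows for the same notification, and a `deleteById` could remove more than the caller's own subscription. The hunk does not show the remaining properties, so confirm whether `util.notificationSubscription` has a surrogate key column that should carry `"id": true` instead.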
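Review bot: The rebuilt INSERT names five columns (`model`, `property`, `accessType`, `permission`, `principalId`) but each VALUES row supplies only four values, so the statement fails with a column-count mismatch and neither ACL row is created. Judging by the values, 'employee' is meant as the principal, so either remove `permission` from the column list or add a permission value to each row; which default the ACL table applies for `permission` is not visible here, so check it against the table definition before choosing.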