diff --git a/db/versions/11118-limeCymbidium/00-firstScript.sql b/db/versions/11118-limeCymbidium/00-firstScript.sql new file mode 100644 index 0000000000..52ab2acbd8 --- /dev/null +++ b/db/versions/11118-limeCymbidium/00-firstScript.sql @@ -0,0 +1,10 @@ +-- Place your SQL code here +-- Auto-generated SQL script #202406281423 +INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId) + VALUES ('Entry','filter','READ','ALLOW','ROLE','$authenticated'); + +-- Auto-generated SQL script #202406281452 +INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId) + VALUES ('Entry','getBuys','READ','ALLOW','ROLE','$authenticated'); +INSERT INTO salix.ACL (model,property,accessType,permission,principalType,principalId) + VALUES ('Entry','buyLabel','READ','ALLOW','ROLE','$authenticated'); diff --git a/modules/entry/back/methods/entry/buyLabel.js b/modules/entry/back/methods/entry/buyLabel.js index 650b05c978..d9b0ebf1d7 100644 --- a/modules/entry/back/methods/entry/buyLabel.js +++ b/modules/entry/back/methods/entry/buyLabel.js @@ -29,7 +29,8 @@ module.exports = Self => { http: { path: '/:id/buy-label', verb: 'GET' - } + }, + accessScopes: ['DEFAULT', 'read:multimedia'] }); Self.buyLabel = (ctx, id) => Self.printReport(ctx, id, 'buy-label'); diff --git a/modules/entry/back/methods/entry/filter.js b/modules/entry/back/methods/entry/filter.js index 1cd12b737d..7d287b842a 100644 --- a/modules/entry/back/methods/entry/filter.js +++ b/modules/entry/back/methods/entry/filter.js @@ -112,7 +112,7 @@ module.exports = Self => { if (typeof options == 'object') Object.assign(myOptions, options); - + const isSupplier = await Self.app.models.Supplier.isSupplier(ctx, options); const conn = Self.dataSource.connector; const where = buildFilter(ctx.args, (param, value) => { switch (param) { @@ -146,7 +146,11 @@ module.exports = Self => { } }); filter = mergeFilters(ctx.args.filter, {where}); - + delete filter.order; + if (isSupplier) { + if (!filter.where) filter.where = {}; + filter.where.supplierFk = ctx.req.accessToken.userId; + } const stmts = []; let stmt; stmt = new ParameterizedSQL( diff --git a/modules/entry/back/methods/entry/getBuys.js b/modules/entry/back/methods/entry/getBuys.js index 0ed77e8d14..cfb065b83f 100644 --- a/modules/entry/back/methods/entry/getBuys.js +++ b/modules/entry/back/methods/entry/getBuys.js @@ -1,7 +1,10 @@ +const ForbiddenError = require('vn-loopback/util/forbiddenError'); +const UserError = require('vn-loopback/util/user-error'); + const mergeFilters = require('vn-loopback/util/filter').mergeFilters; module.exports = Self => { - Self.remoteMethod('getBuys', { + Self.remoteMethodCtx('getBuys', { description: 'Returns buys for one entry', accessType: 'READ', accepts: [{ @@ -27,13 +30,18 @@ module.exports = Self => { } }); - Self.getBuys = async(id, filter, options) => { + Self.getBuys = async(ctx, id, filter, options) => { const models = Self.app.models; const myOptions = {}; if (typeof options == 'object') Object.assign(myOptions, options); + const isSupplier = await Self.app.models.Supplier.isSupplier(ctx, options); + if (isSupplier) { + const isEntryOwner = (await Self.findById(id)).supplierFk === ctx.req.accessToken.userId; + if (! isEntryOwner) throw new UserError('Access Denied'); + } let defaultFilter = { where: {entryFk: id}, fields: [ @@ -49,9 +57,23 @@ module.exports = Self => { 'buyingValue', 'price2', 'price3', - 'printedStickers' + 'printedStickers', + 'entryFk' ], - include: { + include: [{ + relation: 'entry', + scope: { + fields: [ + 'id', 'supplierFk' + ], + include: { + relation: 'supplier', scope: { + fields: ['id'] + } + } + } + }, + { relation: 'item', scope: { fields: [ @@ -82,9 +104,9 @@ module.exports = Self => { } } } - } + }] }; - + delete filter.order; defaultFilter = mergeFilters(defaultFilter, filter); return models.Buy.find(defaultFilter, myOptions); diff --git a/modules/entry/back/methods/entry/specs/filter.spec.js b/modules/entry/back/methods/entry/specs/filter.spec.js index 28763bc810..e116d1c5f1 100644 --- a/modules/entry/back/methods/entry/specs/filter.spec.js +++ b/modules/entry/back/methods/entry/specs/filter.spec.js @@ -9,7 +9,8 @@ describe('Entry filter()', () => { const ctx = { args: { search: 1 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -32,7 +33,8 @@ describe('Entry filter()', () => { const ctx = { args: { currencyFk: 1 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -54,7 +56,8 @@ describe('Entry filter()', () => { const ctx = { args: { supplierFk: 2 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -76,7 +79,8 @@ describe('Entry filter()', () => { const ctx = { args: { companyFk: 442 - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -98,7 +102,8 @@ describe('Entry filter()', () => { const ctx = { args: { isBooked: true, - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); @@ -121,7 +126,8 @@ describe('Entry filter()', () => { args: { reference: 'movement', travelFk: '2' - } + }, + req: {accessToken: {userId: 9}} }; const result = await models.Entry.filter(ctx, options); diff --git a/modules/entry/back/methods/entry/specs/getBuys.spec.js b/modules/entry/back/methods/entry/specs/getBuys.spec.js index cf4462e480..44b2ff5bc4 100644 --- a/modules/entry/back/methods/entry/specs/getBuys.spec.js +++ b/modules/entry/back/methods/entry/specs/getBuys.spec.js @@ -7,7 +7,14 @@ describe('entry getBuys()', () => { const options = {transaction: tx}; try { - const result = await models.Entry.getBuys(entryId, options); + const ctx = { + args: { + search: 1 + }, + req: {accessToken: {userId: 2}} + }; + + const result = await models.Entry.getBuys(ctx, entryId, options); const length = result.length; const anyResult = result[Math.floor(Math.random() * Math.floor(length))]; diff --git a/modules/supplier/back/methods/supplier/isSupplier.js b/modules/supplier/back/methods/supplier/isSupplier.js new file mode 100644 index 0000000000..d13f304a84 --- /dev/null +++ b/modules/supplier/back/methods/supplier/isSupplier.js @@ -0,0 +1,28 @@ +const UserError = require('vn-loopback/util/user-error'); + +module.exports = Self => { + Self.remoteMethodCtx('isSupplier', { + description: 'Check is supplierFk exists as supplier', + accessType: 'READ', + returns: { + type: 'boolean', + root: true + }, + http: { + path: `/isSupplier`, + verb: 'GET' + } + }); + + Self.isSupplier = async(ctx, options) => { + const myOptions = {validate: false}; + + if (typeof options == 'object') + Object.assign(myOptions, options); + + const userId = ctx.req.accessToken.userId; + const exists = await Self.findById(userId); + + return !!exists; + }; +}; diff --git a/modules/supplier/back/models/supplier.js b/modules/supplier/back/models/supplier.js index 2d3ffef3e5..6094602b6d 100644 --- a/modules/supplier/back/models/supplier.js +++ b/modules/supplier/back/models/supplier.js @@ -12,6 +12,7 @@ module.exports = Self => { require('../methods/supplier/campaignMetricsEmail')(Self); require('../methods/supplier/newSupplier')(Self); require('../methods/supplier/getItemsPackaging')(Self); + require('../methods/supplier/isSupplier')(Self); Self.validatesPresenceOf('name', { message: 'The social name cannot be empty'