5488-use_checkAccessAcl #1482

Merged
alexm merged 32 commits from 5488-use_checkAccessAcl into dev 2023-05-29 05:20:29 +00:00
Member
No description provided.
alexm added 10 commits 2023-04-25 12:18:26 +00:00
alexm changed title from 5488-use_checkAccessAcl to WIP: 5488-use_checkAccessAcl 2023-04-25 12:18:29 +00:00
alexm reviewed 2023-04-25 12:20:12 +00:00
@ -0,0 +1,28 @@
-- DmsType model
Author
Member

Here I convert the writeRoles and readRoles into ACLs.
alexm marked this conversation as resolved
alexm reviewed 2023-04-25 12:21:59 +00:00
@ -0,0 +54,4 @@
AND property = '*'
AND accessType = 'READ';
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
Author
Member

I have half-fixed State; the same would have to be done with the others, and all their routes reviewed so that each has its ACL. The ACLs for write also need to be added where applicable.

All of LoopBack's default ones are listed at the bottom of this page: https://loopback.io/doc/en/lb2/Controlling-data-access.html
alexm reviewed 2023-04-25 12:23:36 +00:00
@ -133,2 +133,3 @@
try {
const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
const canEditNotTaxDataChecked =
await models.ACL.checkAccessAcl(ctx, 'Client', 'editFiscalDataWithoutTaxDataCheck', 'WRITE');
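Review bot: On the checkAccessAcl line, the property 'editFiscalDataWithoutTaxDataCheck' is a free-form string that only works if an ACL row with exactly that model, property and access type exists. Ship the matching ('Client', 'editFiscalDataWithoutTaxDataCheck', 'WRITE', ...) row in the same migration and add a test with one role that is allowed and one that is denied, so a typo in either place is caught. If isSalesAssistant is no longer read after this change, remove the hasRole call so the role check and the ACL check cannot drift apart.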
Author
Member

Maybe it's too long, but I didn't know how to put it.
jgallego requested changes 2023-04-26 07:03:50 +00:00
@ -72,3 +72,3 @@
try {
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId);
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
Owner

This one is not necessary.
alexm marked this conversation as resolved
@ -67,3 +67,3 @@
let srcFile;
try {
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
Owner

This one was fine too; there is no need to touch these files.
alexm marked this conversation as resolved
@ -1,65 +1,18 @@
module.exports = Self => {
/**
Owner

This file needs to be left as it was, because DmsType already has its own specific role management.
alexm marked this conversation as resolved
@ -48,0 +47,4 @@
"permission": "ALLOW"
},
{
"property": "findById",
Owner

What is this needed for?
alexm marked this conversation as resolved
@ -0,0 +10,4 @@
JOIN `account`.`role` r ON r.id = d.readRoleFk;
-- ImageCollection model
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
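Review bot: The `JOIN account.role r ON r.id = d.readRoleFk` line is an inner join, so any source row whose readRoleFk is NULL or points at no existing role produces no ACL row, and nothing in the statement reports it. Compare the number of source rows with the number of rows inserted, or handle the NULL case explicitly, before the old role columns stop being consulted.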
Owner

The problem with this approach is that it is not equivalent.
imageCollection has to be left as it was, because now you are giving a role permission over the whole table.
But what is needed is to give certain users permissions for certain types of images.
alexm marked this conversation as resolved
alexm added 1 commit 2023-04-28 07:35:33 +00:00
gitea/salix/pipeline/head There was a failure building this commit Details
42e3c8f29d
refs #5488 fix(): use hasWriteRole
alexm added 1 commit 2023-04-28 09:54:20 +00:00
gitea/salix/pipeline/head This commit looks good Details
c3038a4d61
fix(imageCollection):
alexm reviewed 2023-04-28 09:55:03 +00:00
@ -68,3 +68,3 @@
if (!image) return false;
const hasReadRole = models.ImageCollection.hasReadRole(ctx, collection);
const hasReadRole = await models.ImageCollection.hasReadRole(ctx, collection);
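Review bot: The first hasReadRole line stores the un-awaited return value of models.ImageCollection.hasReadRole(ctx, collection). That method is declared async in this PR (`Self.hasReadRole = async(ctx, name, options) => {`), so the stored value is a Promise, which is always truthy, and any truthiness check on it can never deny access. The added await corrects that; add a test that requests an image as a user without the read role and expects a refusal, and consider a lint check for un-awaited calls to async functions so the same pattern is caught elsewhere.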
Author
Member

This had been wrong for 3 years (it was always true).
alexm reviewed 2023-04-28 09:55:32 +00:00
@ -9,10 +9,11 @@ module.exports = Self => {
* @return {boolean} True for user with read privileges
*/
Self.hasReadRole = async(ctx, name, options) => {
const collection = await Self.findOne({where: {name}}, {
Author
Member

This had been wrong for 3 years; the object was set up wrong and the relation was never made.
alexm requested review from jgallego 2023-04-28 09:55:38 +00:00
alexm changed title from WIP: 5488-use_checkAccessAcl to 5488-use_checkAccessAcl 2023-05-02 07:36:00 +00:00
jgallego requested changes 2023-05-05 06:45:07 +00:00
@ -48,3 +48,1 @@
const isSalesPerson = await models.VnUser.hasRole(userId, 'salesPerson', myOptions);
if (!isSalesPerson)
const canEdit = await models.ACL.checkAccessAcl(ctx, 'Client', 'updateUser', 'WRITE');
Owner

Remove the code and create an ACL directly.
alexm marked this conversation as resolved
@ -28,3 +15,1 @@
const isRoleAdvanced = isSalesAssistant || isDeliveryBoss || isBuyer || isClaimManager;
return isRoleAdvanced;
Self.isRoleAdvanced = async ctx => {
Owner

Since there is only one line, you can go one step further: look at the places that call isRoleAdvanced, which are some 3 or 4, and have them call the ACL; that way we remove a back-end route.
alexm marked this conversation as resolved
alexm added 1 commit 2023-05-05 11:58:21 +00:00
alexm added 1 commit 2023-05-05 11:59:06 +00:00
gitea/salix/pipeline/head This commit looks good Details
6b4b8565f9
Merge branch 'dev' into 5488-use_checkAccessAcl
alexm added 2 commits 2023-05-05 12:13:45 +00:00
alexm added 1 commit 2023-05-08 08:56:11 +00:00
gitea/salix/pipeline/head This commit looks good Details
7273dd4f1e
Merge branch 'dev' into 5488-use_checkAccessAcl
alexm added 3 commits 2023-05-08 11:44:02 +00:00
alexm added 1 commit 2023-05-09 12:04:49 +00:00
alexm added 2 commits 2023-05-10 12:09:15 +00:00
alexm reviewed 2023-05-10 12:11:47 +00:00
@ -0,0 +29,4 @@
('Worker', 'forceIsSubordinate', 'READ', 'ALLOW', 'ROLE', 'hr'),
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
('Claim', 'filter', 'READ', 'ALLOW', 'ROLE', 'employee');
Author
Member

From here down are the ACLs I have had to grant so that everything works after removing the ACLs of
I have tried to make them as precise as possible, but where I was not sure I left employee.
If you see any that should be changed, please tell me.
alexm requested review from jgallego 2023-05-10 12:12:08 +00:00
alexm requested review from juan 2023-05-10 12:12:21 +00:00
jgallego requested changes 2023-05-10 13:41:26 +00:00
@ -41,1 +38,3 @@
if (isHr || isSubordinate)
const forceIsSubordinate = await models.ACL.checkAccessAcl(ctx, 'Worker', 'forceIsSubordinate', 'READ');
if (forceIsSubordinate || isSubordinate)
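Review bot: On the checkAccessAcl line, the 'forceIsSubordinate' check is awaited unconditionally, even when isSubordinate is already true. Test isSubordinate first and fall back to the ACL check only when it is false, for example `return isSubordinate || await models.ACL.checkAccessAcl(ctx, 'Worker', 'forceIsSubordinate', 'READ');`, and add a short comment saying that 'forceIsSubordinate' is an ACL-only property name rather than a model method.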
Owner

As a suggestion, what if you remove the if and put what is in the parentheses inside the return?
alexm marked this conversation as resolved
@ -40,3 +38,1 @@
const canSeeExpired = roles.filter(role =>
role == 'productionBoss' || role == 'administrative'
);
const canSeeExpired = await models.ACL.checkAccessAcl(ctx, 'Agency', 'editDiscount');
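Review bot: The checkAccessAcl call that feeds canSeeExpired passes 'Agency', 'editDiscount' and no access type, while the other checkAccessAcl calls visible in this PR pass 'READ' or 'WRITE' as the fourth argument. The property name describes editing a discount, not seeing expired records, so a later change to who holds editDiscount would also change this visibility unnoticed; use a property named for what it gates and pass the access type explicitly. The replaced roles.filter(...) returned an array, which is truthy even when empty, so the new boolean may change behaviour for users with neither productionBoss nor administrative; cover that case with a test.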
Owner

Is this correct? They have different names.
alexm marked this conversation as resolved
alexm reviewed 2023-05-11 08:12:38 +00:00
@ -0,0 +41,4 @@
('Claim', 'find', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'findById', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'findOne', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'getSummary', 'READ', 'ALLOW', 'ROLE', 'employee'),
Author
Member

SalesPerson

alexm marked this conversation as resolved
alexm reviewed 2023-05-11 08:12:58 +00:00
@ -0,0 +42,4 @@
('Claim', 'findById', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'findOne', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'getSummary', 'READ', 'ALLOW', 'ROLE', 'employee'),
('Claim', 'updateClaim', 'WRITE', 'ALLOW', 'ROLE', 'employee'),
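Review bot: The last row, ('Claim', 'updateClaim', 'WRITE', 'ALLOW', 'ROLE', 'employee'), grants a write method to employee, the role used in this migration as the fallback when no narrower one was clear. For a WRITE grant, set principalId to the narrowest role that actually needs to update claims and keep employee only on read rows where nothing narrower fits.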
Author
Member

SalesPerson

alexm marked this conversation as resolved
alexm reviewed 2023-05-11 08:20:16 +00:00
@ -0,0 +28,4 @@
('Worker', 'isTeamBoss', 'WRITE', 'ALLOW', 'ROLE', 'teamBoss'),
('Worker', 'forceIsSubordinate', 'READ', 'ALLOW', 'ROLE', 'hr'),
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
('Claim', 'filter', 'READ', 'ALLOW', 'ROLE', 'employee');
Author
Member

SalesPerson

alexm marked this conversation as resolved
alexm added 2 commits 2023-05-15 12:14:20 +00:00
alexm requested review from jgallego 2023-05-15 12:14:48 +00:00
jgallego approved these changes 2023-05-16 14:41:08 +00:00
@ -0,0 +39,4 @@
VALUES
('Claim', 'find', 'READ', 'ALLOW', 'ROLE', 'salesPerson'),
('Claim', 'findById', 'READ', 'ALLOW', 'ROLE', 'salesPerson'),
('Claim', 'findOne', 'READ', 'ALLOW', 'ROLE', 'salesPerson'),
Owner

In mine I have added exists as well; I don't know whether it needs to be added now or whether to wait until it is used.
Author
Member

I have only seen /exists used by the account and workerDisableExcludeds models. If it is not used, I would not grant it for now.
alexm added 1 commit 2023-05-17 11:43:29 +00:00
gitea/salix/pipeline/head This commit looks good Details
6ddbd8b8ea
Merge branch 'dev' into 5488-use_checkAccessAcl
alexm added 1 commit 2023-05-18 06:10:20 +00:00
alexm added 2 commits 2023-05-23 06:24:04 +00:00
alexm added 1 commit 2023-05-24 05:40:15 +00:00
gitea/salix/pipeline/head This commit looks good Details
6a6d28efa0
Merge branch 'dev' into 5488-use_checkAccessAcl
alexm added 1 commit 2023-05-26 05:41:57 +00:00
juan approved these changes 2023-05-26 06:17:14 +00:00
alexm added 1 commit 2023-05-26 12:04:10 +00:00
gitea/salix/pipeline/head This commit looks good Details
f37d93b469
refs #5488 correct folder
alexm requested review from jgallego 2023-05-26 12:05:47 +00:00
jgallego approved these changes 2023-05-27 05:41:21 +00:00
alexm added 1 commit 2023-05-29 05:09:50 +00:00
gitea/salix/pipeline/head This commit looks good Details
ffbc39ca56
Merge branch 'dev' into 5488-use_checkAccessAcl
alexm merged commit a22ae3809e into dev 2023-05-29 05:20:29 +00:00
alexm deleted branch 5488-use_checkAccessAcl 2023-05-29 05:20:29 +00:00
Reference: verdnatura/salix#1482