5488-use_checkAccessAcl #1482
|
@ -2,10 +2,19 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
|||
VALUES
|
||||
('Ticket', 'editDiscount', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Ticket', 'editDiscount', 'WRITE', 'ALLOW', 'ROLE', 'salesPerson'),
|
||||
('Ticket', 'hasRoleAdvanced', '*', 'ALLOW', 'ROLE', 'salesAssistant'),
|
||||
('Ticket', 'hasRoleAdvanced', '*', 'ALLOW', 'ROLE', 'deliveryBoss'),
|
||||
('Ticket', 'hasRoleAdvanced', '*', 'ALLOW', 'ROLE', 'buyer'),
|
||||
('Ticket', 'hasRoleAdvanced', '*', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Ticket', 'deleteTicketWithPartPrepared', 'WRITE', 'ALLOW', 'ROLE', 'salesAssistant'),
|
||||
('Ticket', 'editZone', 'WRITE', 'ALLOW', 'ROLE', 'deliveryBoss'),
|
||||
('State', 'editableStates', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||
('State', 'seeEditableStates', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||
('State', 'seeEditableStates', 'READ', 'ALLOW', 'ROLE', 'production'),
|
||||
('State', 'seeFilteredEditableStates', 'READ', 'ALLOW', 'ROLE', 'salesPerson'),
|
||||
('State', 'isSomeEditable', 'READ', 'ALLOW', 'ROLE', 'salesPerson'),
|
||||
('State', 'isAllEditable', 'READ', 'ALLOW', 'ROLE', 'production'),
|
||||
('State', 'isAllEditable', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
|
||||
('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
|
@ -16,7 +25,10 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
|||
('Client', 'isNotEditableCredit', 'WRITE', 'ALLOW', 'ROLE', 'financialBoss'),
|
||||
('InvoiceOut', 'canCreatePdf', 'WRITE', 'ALLOW', 'ROLE', 'invoicing'),
|
||||
('Supplier', 'editPayMethodCheck', 'WRITE', 'ALLOW', 'ROLE', 'financial'),
|
||||
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');
|
||||
('Worker', 'isTeamBoss', 'WRITE', 'ALLOW', 'ROLE', 'teamBoss'),
|
||||
('Worker', 'forceIsSubordinate', 'READ', 'ALLOW', 'ROLE', 'hr'),
|
||||
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||
('Claim', 'filter', 'READ', 'ALLOW', 'ROLE', 'employee');
|
||||
|
||||
DELETE FROM `salix`.`ACL`
|
||||
WHERE
|
||||
|
@ -24,8 +36,26 @@ DELETE FROM `salix`.`ACL`
|
|||
AND property = '*'
|
||||
AND accessType = '*';
|
||||
|
||||
DELETE FROM `salix`.`ACL`
|
||||
WHERE
|
||||
model = 'Ticket'
|
||||
AND property = '*'
|
||||
AND accessType = '*';
|
||||
|
||||
DELETE FROM `salix`.`ACL`
|
||||
WHERE
|
||||
model = 'State'
|
||||
AND property = '*'
|
||||
AND accessType = 'READ';
|
||||
|
||||
DELETE FROM `salix`.`ACL`
|
||||
WHERE
|
||||
model = 'Worker'
|
||||
AND property = '*'
|
||||
AND accessType = 'READ';
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
|
||||
VALUES
|
||||
('State', 'find', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||
('State', 'findById', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||
('State', 'findOne', 'READ', 'ALLOW', 'ROLE', 'employee');
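Review bot: The three DELETE statements (`model = 'Ticket'`, `'State'` and `'Worker'` with `property = '*'`) are not scoped by `principalType`/`principalId`, so they remove the wildcard grant for every principal on those models, not only for the role whose access the new per-method rows replace; any other role that relied on those wildcard rows loses access silently once the migration runs. Adding `AND principalType = 'ROLE' AND principalId = '<role>'` to each DELETE, or a comment stating that dropping all wildcard grants is intended, would make the scope explicit. The replacement rows for State cover only `find`, `findById` and `findOne`, so other default read endpoints on that model (e.g. `count`, `exists`) are no longer reachable by `employee` unless rows for them exist elsewhere. The INSERTs are plain `INSERT ... VALUES`; if `salix.ACL` has no unique key over these columns, re-running the migration duplicates the rows, so `INSERT IGNORE` or a uniqueness guard may be worth considering. The `hasRoleAdvanced` rows use accessType `*` while every other capability row uses `READ`/`WRITE`; a short comment such as `-- '*' because hasRoleAdvanced is a role probe, not a data access` would explain the exception.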
|
||||
|
|
|
@ -19,25 +19,23 @@ module.exports = Self => {
|
|||
});
|
||||
|
||||
Self.isEditable = async(ctx, stateId, options) => {
|
||||
const accessToken = ctx.req.accessToken;
|
||||
const models = Self.app.models;
|
||||
const userId = accessToken.userId;
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const isProduction = await models.VnUser.hasRole(userId, 'production', myOptions);
|
||||
const isSalesPerson = await models.VnUser.hasRole(userId, 'salesPerson', myOptions);
|
||||
const isAdministrative = await models.VnUser.hasRole(userId, 'administrative', myOptions);
|
||||
// const isEditableAlertLevel =
|
||||
// await Self.app.models.ACL.checkAccessAcl(accessToken, 'Supplier', 'editPayMethodCheck', 'WRITE');
|
||||
const isAllEditable = await models.ACL.checkAccessAcl(ctx, 'State', 'isAllEditable', 'READ');
|
||||
|
||||
const state = await models.State.findById(stateId, null, myOptions);
|
||||
const isSomeEditable = (
|
||||
await models.ACL.checkAccessAcl(ctx, 'State', 'isSomeEditable', 'READ')
|
||||
&& (
|
||||
state.code == 'PICKER_DESIGNED' || state.code == 'PRINTED'
|
||||
)
|
||||
);
|
||||
|
||||
const salesPersonAllowed = (isSalesPerson && (state.code == 'PICKER_DESIGNED' || state.code == 'PRINTED'));
|
||||
|
||||
const isAllowed = isProduction || isAdministrative || salesPersonAllowed || state.alertLevel == 0;
|
||||
const isAllowed = isAllEditable || isSomeEditable || state.alertLevel == 0;
|
||||
return isAllowed;
|
||||
};
|
||||
};
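Review bot: `isAllEditable` (L230) and `isSomeEditable` (L238-L253) are both awaited before `isAllowed` is built, so two ACL queries run on every call even when `state.alertLevel == 0` alone would allow the edit; since the expression at L266 is a pure disjunction, evaluating `state.alertLevel == 0` first and awaiting the ACL lookups only when it fails gives the same result with fewer queries. `state` is dereferenced at L247 and L266 with no null check; `findById` returns null for an unknown id, so a bad `stateId` surfaces as a TypeError rather than a UserError — pre-existing, but these lines are rewritten here. A header comment would help readers, e.g. `// Editable when the user holds State.isAllEditable, or holds State.isSomeEditable and the state is PICKER_DESIGNED/PRINTED, or the state's alertLevel is 0`. The remote-method definition this function belongs to starts above the hunk.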
|
||||
|
|
|
@ -121,8 +121,8 @@ module.exports = Self => {
|
|||
if (!isEditable)
|
||||
throw new UserError(`The sales of this ticket can't be modified`);
|
||||
|
||||
const isDeliveryBoss = await models.VnUser.hasRole(userId, 'deliveryBoss', myOptions);
|
||||
if (!isDeliveryBoss) {
|
||||
const editZone = await models.ACL.checkAccessAcl(ctx, 'Ticket', 'editZone', 'WRITE');
|
||||
if (!editZone) {
|
||||
const zoneShipped = await models.Agency.getShipped(
|
||||
args.landed,
|
||||
args.addressFk,
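Review bot: `editZone` at L298 holds the boolean result of an ACL check but reads like an action; `canEditZone` would match `canDeleteTicketWithPartPrepared` introduced elsewhere in this PR and makes `if (!canEditZone)` self-explanatory. The same two lines appear again in the `priceDifference` hunk (ending L446), where the same rename applies. Replacing `hasRole(userId, 'deliveryBoss', ...)` with the ACL lookup may leave `userId` unused in this function; the `priceDifference` section removes its `userId` declaration while this hunk does not, which `no-unused-vars` would flag if nothing else reads it — cannot confirm from the visible lines. The enclosing method starts above the hunk.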
|
||||
|
|
|
@ -12,21 +12,7 @@ module.exports = Self => {
|
|||
}
|
||||
});
|
||||
|
||||
Self.isRoleAdvanced = async(ctx, options) => {
|
||||
const models = Self.app.models;
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
|
||||
const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
|
||||
const isDeliveryBoss = await models.VnUser.hasRole(userId, 'deliveryBoss', myOptions);
|
||||
const isBuyer = await models.VnUser.hasRole(userId, 'buyer', myOptions);
|
||||
const isClaimManager = await models.VnUser.hasRole(userId, 'claimManager', myOptions);
|
||||
|
||||
const isRoleAdvanced = isSalesAssistant || isDeliveryBoss || isBuyer || isClaimManager;
|
||||
|
||||
return isRoleAdvanced;
|
||||
Self.isRoleAdvanced = async ctx => {
|
||||
jgallego
commented
Com sols hi ha una línia, pots anar un pas més: mira els llocs que criden a isRoleAdvanced, que són uns 3 o 4, i que criden a l'ACL; així llevem una ruta de back.
|
||||
return Self.app.models.ACL.checkAccessAcl(ctx, 'Ticket', 'hasRoleAdvanced', '*');
|
||||
};
|
||||
};
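Review bot: The new signature `async ctx => {` at L371 drops the `options` parameter the previous implementation accepted, so existing callers still passing `(ctx, options)` keep working but their options are silently ignored; if the remote-method `accepts` definition above the hunk still declares it, it should be updated together (it starts outside the hunk). The method now only forwards to `checkAccessAcl` with accessType `'*'`, which matches the `*` rows added for `hasRoleAdvanced` in the SQL; a one-line comment such as `// Thin wrapper over ACL.checkAccessAcl kept so existing callers need no change` would record why the route still exists.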
|
||||
|
|
|
@ -60,7 +60,6 @@ module.exports = Self => {
|
|||
Self.priceDifference = async(ctx, options) => {
|
||||
const args = ctx.args;
|
||||
const models = Self.app.models;
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const myOptions = {};
|
||||
let tx;
|
||||
|
||||
|
@ -78,8 +77,8 @@ module.exports = Self => {
|
|||
if (!isEditable)
|
||||
throw new UserError(`The sales of this ticket can't be modified`);
|
||||
|
||||
const isDeliveryBoss = await models.VnUser.hasRole(userId, 'deliveryBoss', myOptions);
|
||||
if (!isDeliveryBoss) {
|
||||
const editZone = await models.ACL.checkAccessAcl(ctx, 'Ticket', 'editZone', 'WRITE');
|
||||
if (!editZone) {
|
||||
const zoneShipped = await models.Agency.getShipped(
|
||||
args.landed,
|
||||
args.addressId,
|
||||
|
|
|
@ -36,7 +36,6 @@ module.exports = Self => {
|
|||
}
|
||||
|
||||
try {
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const isEditable = await Self.isEditable(ctx, id, myOptions);
|
||||
|
||||
if (!isEditable)
|
||||
|
@ -51,7 +50,8 @@ module.exports = Self => {
|
|||
throw new UserError($t('Tickets with associated refunds', {id: ticketRefunds[0].id}));
|
||||
|
||||
// Check if has sales with shelving
|
||||
const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
|
||||
const canDeleteTicketWithPartPrepared =
|
||||
await models.ACL.checkAccessAcl(ctx, 'Ticket', 'deleteTicketWithPartPrepared', 'WRITE');
|
||||
const sales = await models.Sale.find({
|
||||
include: {relation: 'itemShelvingSale'},
|
||||
where: {ticketFk: id}
|
||||
|
@ -60,7 +60,7 @@ module.exports = Self => {
|
|||
return sale.itemShelvingSale();
|
||||
});
|
||||
|
||||
if (hasItemShelvingSales && !isSalesAssistant)
|
||||
if (hasItemShelvingSales && !canDeleteTicketWithPartPrepared)
|
||||
throw new UserError(`You cannot delete a ticket that part of it is being prepared`);
|
||||
|
||||
// Check for existing claim
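Review bot: `canDeleteTicketWithPartPrepared` (L489-L492) is awaited before the `Sale.find` query even though it is only consulted when `hasItemShelvingSales` is true (L519); moving the lookup inside that branch, `if (hasItemShelvingSales && !(await models.ACL.checkAccessAcl(ctx, 'Ticket', 'deleteTicketWithPartPrepared', 'WRITE')))`, skips an ACL query on the common path. The comment `// Check if has sales with shelving` at L483 now sits above the permission check rather than the query it describes; moving it down to the `Sale.find` line, or extending it to `// Check if has sales with shelving; only deleteTicketWithPartPrepared holders may delete those`, keeps it accurate. The enclosing function starts above the hunk.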
|
||||
|
|
|
@ -40,10 +40,10 @@ module.exports = Self => {
|
|||
Object.assign(myOptions, options);
|
||||
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, workerId, myOptions);
|
||||
const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
const isHimself = currentUserId == workerId;
|
||||
|
||||
if (isSubordinate === false || (isSubordinate && isHimself && !isTeamBoss))
|
||||
if (!isSubordinate || (isSubordinate && isHimself && !isTeamBoss))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
query = `CALL vn.workerTimeControl_clockIn(?,?,?)`;
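Review bot: The rewritten condition at L558, `!isSubordinate || (isSubordinate && isHimself && !isTeamBoss)`, repeats `isSubordinate` in the second operand, which is redundant once the first operand is false; `if (!isSubordinate || (isHimself && !isTeamBoss))` is equivalent and easier to read, and the same shape recurs in the untouched conditions at L647, L675 and L772. Switching from `isSubordinate === false` to `!isSubordinate` also treats `undefined`/`null` as not-subordinate; that is consistent with `Worker.isSubordinate` now returning a strict boolean, but worth a glance if anything else feeds this path. The call `checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE')` is duplicated verbatim in the hunks ending at L594, L622, L650, L678 and L775; a small `Worker.isTeamBoss(ctx)` helper next to `Worker.isSubordinate` would give the ACL triple a single home, mirroring how `isRoleAdvanced` is kept as a wrapper in this PR. The enclosing function starts above the hunk.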
|
||||
|
|
|
@ -32,7 +32,7 @@ module.exports = Self => {
|
|||
|
||||
const targetTimeEntry = await Self.findById(id, null, myOptions);
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, targetTimeEntry.userFk, myOptions);
|
||||
const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
const isHimself = currentUserId == targetTimeEntry.userFk;
|
||||
|
||||
if (isSubordinate === false || (isSubordinate && isHimself && !isTeamBoss))
|
||||
|
|
|
@ -38,7 +38,7 @@ module.exports = Self => {
|
|||
|
||||
const targetTimeEntry = await Self.findById(id, null, myOptions);
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, targetTimeEntry.userFk, myOptions);
|
||||
const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
const isHimself = currentUserId == targetTimeEntry.userFk;
|
||||
|
||||
const notAllowed = isSubordinate === false || (isSubordinate && isHimself && !isTeamBoss);
|
||||
|
|
|
@ -53,7 +53,7 @@ module.exports = Self => {
|
|||
|
||||
try {
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, id, myOptions);
|
||||
const isTeamBoss = await models.VnUser.hasRole(userId, 'teamBoss', myOptions);
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
|
||||
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
|
|
@ -40,7 +40,7 @@ module.exports = Self => {
|
|||
|
||||
try {
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, id, myOptions);
|
||||
const isTeamBoss = await models.VnUser.hasRole(userId, 'teamBoss', myOptions);
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
|
||||
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
|
|
@ -25,8 +25,6 @@ module.exports = Self => {
|
|||
|
||||
Self.isSubordinate = async(ctx, id, options) => {
|
||||
const models = Self.app.models;
|
||||
const myUserId = ctx.req.accessToken.userId;
|
||||
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
|
@ -37,8 +35,9 @@ module.exports = Self => {
|
|||
return subordinate.workerFk == id;
|
||||
});
|
||||
|
||||
const isHr = await models.VnUser.hasRole(myUserId, 'hr', myOptions);
|
||||
if (isHr || isSubordinate)
|
||||
const forceIsSubordinate = await models.ACL.checkAccessAcl(ctx, 'Worker', 'forceIsSubordinate', 'READ');
|
||||
|
||||
if (forceIsSubordinate || isSubordinate)
|
||||
jgallego
commented
Com a suggeriment: si lleves el if i poses lo del parèntesi dins del return?
|
||||
return true;
|
||||
|
||||
return false;
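Review bot: `forceIsSubordinate` at L726 is awaited unconditionally, so the ACL lookup runs even when `isSubordinate` has already evaluated to true on the preceding lines; testing `isSubordinate` first and only then awaiting the ACL, `if (isSubordinate || await models.ACL.checkAccessAcl(ctx, 'Worker', 'forceIsSubordinate', 'READ'))`, keeps the result identical and saves a query on the common path. A short comment above the check, e.g. `// forceIsSubordinate: roles granted this ACL (hr in the migration) may act on any worker as if subordinate`, would make the property name self-explanatory. The enclosing `isSubordinate` starts in the previous hunk, which also removes declarations above this one.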
|
||||
|
|
|
@ -30,7 +30,7 @@ module.exports = Self => {
|
|||
const models = Self.app.models;
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const isSubordinate = await models.Worker.isSubordinate(ctx, id);
|
||||
const isTeamBoss = await models.VnUser.hasRole(userId, 'teamBoss');
|
||||
const isTeamBoss = await models.ACL.checkAccessAcl(ctx, 'Worker', 'isTeamBoss', 'WRITE');
|
||||
|
||||
if (!isSubordinate || (isSubordinate && userId == id && !isTeamBoss))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
|
He medio arreglado State; habría que hacer lo mismo con los otros y revisar todas sus rutas para que tengan el ACL, además de que también se deben poner los ACLs para write si fuera el caso.
Al final de la página están todas las predeterminadas de loopback: https://loopback.io/doc/en/lb2/Controlling-data-access.html