5488-use_checkAccessAcl #1482
|
|
@ -0,0 +1,65 @@
|
||||||
|
DELETE FROM `salix`.`ACL` WHERE id=7;
|
||||||
|
|
||||||
|
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||||
|
VALUES
|
||||||
|
('Client', 'setRating', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'setRating', 'WRITE', 'ALLOW', 'ROLE', 'financial');
|
||||||
|
|
||||||
|
INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
|
||||||
|
VALUES
|
||||||
|
('Client', '*', 'READ', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'addressesPropagateRe', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'canBeInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'canCreateTicket', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'consumption', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'createAddress', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'createWithUser', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'extendedListFilter', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'getAverageInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'getCard', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'getDebt', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'getMana', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'transactions', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'hasCustomerRole', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'isValidClient', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'lastActiveTickets', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'sendSms', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'setPassword', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'summary', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateAddress', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateFiscalData', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateUser', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'uploadFile', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'campaignMetricsPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'campaignMetricsEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'clientWelcomeHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'clientWelcomeEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'printerSetupHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'printerSetupEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'sepaCoreEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'letterDebtorPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'letterDebtorStHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'letterDebtorStEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'letterDebtorNdHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'letterDebtorNdEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'clientDebtStatementPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'clientDebtStatementHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'clientDebtStatementEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'creditRequestPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'creditRequestHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'creditRequestEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'incotermsAuthorizationPdf', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'incotermsAuthorizationHtml', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'incotermsAuthorizationEmail', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'consumptionSendQueued', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'filter', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'getClientOrSupplierReference', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'upsert', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'create', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'replaceById', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'deleteById', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'replaceOrCreate', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'updateAll', '*', 'ALLOW', 'ROLE', 'employee'),
|
||||||
|
('Client', 'upsertWithWhere', '*', 'ALLOW', 'ROLE', 'employee');
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
create or replace definer = root@localhost view User as
|
create or replace definer = root@localhost view `salix`.`User` as
|
||||||
select `account`.`user`.`id` AS `id`,
|
select `account`.`user`.`id` AS `id`,
|
||||||
`account`.`user`.`realm` AS `realm`,
|
`account`.`user`.`realm` AS `realm`,
|
||||||
`account`.`user`.`name` AS `name`,
|
`account`.`user`.`name` AS `name`,
|
||||||
|
|
|
||||||
|
|
@ -20,3 +20,9 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
||||||
FROM `hedera`.`imageCollection` i
|
FROM `hedera`.`imageCollection` i
|
||||||
JOIN `account`.`role` r ON r.id = i.readRoleFk;
|
JOIN `account`.`role` r ON r.id = i.readRoleFk;
|
||||||
|
|
||||||
|
-- ClaimState
|
||||||
|
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||||
|
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||||
|
FROM `vn`.`claimState` c
|
||||||
|
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||||
|
|
||||||
|
|
@ -5,4 +5,5 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
|
||||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
|
||||||
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
|
('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
|
||||||
('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
|
||||||
|
('Client', 'editAddressLogifloraAllowed', 'WRITE', 'ALLOW', 'ROLE', 'salesAssistant'),
|
||||||
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');
|
('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,2 @@
|
||||||
|
DELETE FROM salix.ACL
|
||||||
|
WHERE id=101;
|
||||||
|
|
@ -1774,6 +1774,11 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
|
||||||
( 6, 'mana', 'Mana', 72, 4, 0),
|
( 6, 'mana', 'Mana', 72, 4, 0),
|
||||||
( 7, 'lack', 'Faltas', 72, 2, 0);
|
( 7, 'lack', 'Faltas', 72, 2, 0);
|
||||||
|
|
||||||
|
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||||
|
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||||
|
FROM `vn`.`claimState` c
|
||||||
|
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||||
|
|
||||||
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
|
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
|
||||||
VALUES
|
VALUES
|
||||||
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
|
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
|
||||||
|
|
|
||||||
|
|
@ -20,19 +20,14 @@ module.exports = Self => {
|
||||||
});
|
});
|
||||||
|
|
||||||
Self.isEditable = async(ctx, id, options) => {
|
Self.isEditable = async(ctx, id, options) => {
|
||||||
const userId = ctx.req.accessToken.userId;
|
|
||||||
const models = Self.app.models;
|
const models = Self.app.models;
|
||||||
const myOptions = {};
|
const myOptions = {};
|
||||||
|
|
||||||
if (typeof options == 'object')
|
if (typeof options == 'object')
|
||||||
Object.assign(myOptions, options);
|
Object.assign(myOptions, options);
|
||||||
|
const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
|
||||||
|
if (!state) return false;
|
||||||
|
|
||||||
const state = await models.ClaimState.findById(id, {
|
return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code);
|
||||||
include: {
|
|
||||||
relation: 'writeRole'
|
|
||||||
}
|
|
||||||
}, myOptions);
|
|
||||||
const roleWithGrants = state && state.writeRole().name;
|
|
||||||
return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -59,12 +59,14 @@ module.exports = Self => {
|
||||||
|
|
||||||
const landedPlusWeek = new Date(ticket.landed);
|
const landedPlusWeek = new Date(ticket.landed);
|
||||||
landedPlusWeek.setDate(landedPlusWeek.getDate() + 7);
|
landedPlusWeek.setDate(landedPlusWeek.getDate() + 7);
|
||||||
const hasClaimManagerRole = await models.VnUser.hasRole(userId, 'claimManager', myOptions);
|
|
||||||
const isClaimable = landedPlusWeek >= Date.vnNew();
|
const isClaimable = landedPlusWeek >= Date.vnNew();
|
||||||
|
|
||||||
|
const canCreateClaimAfterDeadline =
|
||||||
|
await models.ACL.checkAccessAcl(ctx, 'Claim', 'createAfterDeadline', 'WRITE');
|
||||||
|
|
||||||
if (ticket.isDeleted)
|
if (ticket.isDeleted)
|
||||||
throw new UserError(`You can't create a claim for a removed ticket`);
|
throw new UserError(`You can't create a claim for a removed ticket`);
|
||||||
if (!isClaimable && !hasClaimManagerRole)
|
if (!isClaimable && !canCreateClaimAfterDeadline)
|
||||||
throw new UserError(`You can't create a claim from a ticket delivered more than seven days ago`);
|
throw new UserError(`You can't create a claim from a ticket delivered more than seven days ago`);
|
||||||
|
|
||||||
const newClaim = await Self.create({
|
const newClaim = await Self.create({
|
||||||
|
|
|
||||||
|
|
@ -87,15 +87,15 @@ module.exports = function(Self) {
|
||||||
Self.updateAddress = async(ctx, clientId, addressId, options) => {
|
Self.updateAddress = async(ctx, clientId, addressId, options) => {
|
||||||
const models = Self.app.models;
|
const models = Self.app.models;
|
||||||
const args = ctx.args;
|
const args = ctx.args;
|
||||||
const userId = ctx.req.accessToken.userId;
|
|
||||||
const myOptions = {};
|
const myOptions = {};
|
||||||
|
|
||||||
if (typeof options == 'object')
|
if (typeof options == 'object')
|
||||||
Object.assign(myOptions, options);
|
Object.assign(myOptions, options);
|
||||||
|
|
||||||
const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
|
const canEditAddressLogifloraAllowed =
|
||||||
|
await models.ACL.checkAccessAcl(ctx, 'Client', 'editAddressLogifloraAllowed');
|
||||||
|
|
||||||
if (args.isLogifloraAllowed && !isSalesAssistant)
|
if (args.isLogifloraAllowed && !canEditAddressLogifloraAllowed)
|
||||||
throw new UserError(`You don't have enough privileges`);
|
throw new UserError(`You don't have enough privileges`);
|
||||||
|
|
||||||
const address = await models.Address.findOne({
|
const address = await models.Address.findOne({
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue