db/changes/231601/00-DROP_BEFORE_MERGE.sql

@@ -0,0 +1,65 @@
+DELETE FROM `salix`.`ACL` WHERE id=7;
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+    VALUES
+        ('Client', 'setRating', 'READ', 'ALLOW', 'ROLE', 'employee'),
+        ('Client', 'setRating', 'WRITE', 'ALLOW', 'ROLE', 'financial');
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+	VALUES
+        ('Client', '*', 'READ', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'addressesPropagateRe', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'canBeInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'canCreateTicket', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'consumption', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'createAddress', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'createWithUser', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'extendedListFilter', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'getAverageInvoiced', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'getCard', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'getDebt', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'getMana', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'transactions', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'hasCustomerRole', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'isValidClient', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'lastActiveTickets', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'sendSms', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'setPassword', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'summary', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateAddress', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateFiscalData', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateUser', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'uploadFile', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'campaignMetricsPdf', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'campaignMetricsEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'clientWelcomeHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'clientWelcomeEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'printerSetupHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'printerSetupEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'sepaCoreEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'letterDebtorPdf', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'letterDebtorStHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'letterDebtorStEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'letterDebtorNdHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'letterDebtorNdEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'clientDebtStatementPdf', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'clientDebtStatementHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'clientDebtStatementEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'creditRequestPdf', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'creditRequestHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'creditRequestEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'incotermsAuthorizationPdf', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'incotermsAuthorizationHtml', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'incotermsAuthorizationEmail', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'consumptionSendQueued', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'filter', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'getClientOrSupplierReference', '*', 'ALLOW', 'ROLE', 'employee'),
+        ('Client', 'upsert', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'create', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'replaceById', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateAttributes', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'deleteById', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'replaceOrCreate', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'updateAll', '*', 'ALLOW', 'ROLE', 'employee'),
+		('Client', 'upsertWithWhere', '*', 'ALLOW', 'ROLE', 'employee');

db/changes/231601/00-User.sql

@@ -1,4 +1,4 @@
-create or replace definer = root@localhost view User as
+create or replace definer = root@localhost view `salix`.`User` as
 select `account`.`user`.`id`                AS `id`,
        `account`.`user`.`realm`             AS `realm`,
        `account`.`user`.`name`              AS `name`,

db/changes/231601/00-modelsAcls.sql

@@ -20,3 +20,9 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
         FROM `hedera`.`imageCollection` i
             JOIN `account`.`role` r ON r.id = i.readRoleFk;
 
+-- ClaimState
+INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
+    SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
+        FROM `vn`.`claimState` c
+            JOIN `account`.`role` r ON r.id = c.roleFk;
+

db/changes/231601/00-useSpecificsAcls.sql

@@ -5,4 +5,5 @@ INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `pri
         ('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'administrative'),
         ('Agency', 'seeExpired', 'READ', 'ALLOW', 'ROLE', 'productionBoss'),
         ('Claim', 'createAfterDeadline', 'WRITE', 'ALLOW', 'ROLE', 'claimManager'),
+        ('Client', 'editAddressLogifloraAllowed', 'WRITE', 'ALLOW', 'ROLE', 'salesAssistant'),
         ('Claim', 'editState', 'WRITE', 'ALLOW', 'ROLE', 'claimManager');

db/changes/231601/01-ClaimReAcl.sql

@@ -0,0 +1,2 @@
+DELETE FROM salix.ACL
+WHERE id=101;

db/dump/fixtures.sql

@@ -1774,6 +1774,11 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
         ( 6, 'mana',        'Mana',        72,  4,  0),
         ( 7, 'lack',        'Faltas',      72,  2,  0);
 
+INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
+    SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
+        FROM `vn`.`claimState` c
+            JOIN `account`.`role` r ON r.id = c.roleFk;
+
 INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
     VALUES
         (1, util.VN_CURDATE(), 1,   1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),

modules/claim/back/methods/claim-state/isEditable.js

@@ -20,19 +20,14 @@ module.exports = Self => {
     });
 
     Self.isEditable = async(ctx, id, options) => {
-        const userId = ctx.req.accessToken.userId;
         const models = Self.app.models;
         const myOptions = {};
 
         if (typeof options == 'object')
             Object.assign(myOptions, options);
+        const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
+        if (!state) return false;
 
-        const state = await models.ClaimState.findById(id, {
+        return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code);
-            include: {
-                relation: 'writeRole'
-            }
-        }, myOptions);
-        const roleWithGrants = state && state.writeRole().name;
-        return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
     };
 };

modules/claim/back/methods/claim/createFromSales.js

@@ -59,12 +59,14 @@ module.exports = Self => {
 
             const landedPlusWeek = new Date(ticket.landed);
             landedPlusWeek.setDate(landedPlusWeek.getDate() + 7);
-            const hasClaimManagerRole = await models.VnUser.hasRole(userId, 'claimManager', myOptions);
             const isClaimable = landedPlusWeek >= Date.vnNew();
 
+            const canCreateClaimAfterDeadline =
+                await models.ACL.checkAccessAcl(ctx, 'Claim', 'createAfterDeadline', 'WRITE');
+
             if (ticket.isDeleted)
                 throw new UserError(`You can't create a claim for a removed ticket`);
-            if (!isClaimable && !hasClaimManagerRole)
+            if (!isClaimable && !canCreateClaimAfterDeadline)
                 throw new UserError(`You can't create a claim from a ticket delivered more than seven days ago`);
 
             const newClaim = await Self.create({

modules/client/back/methods/client/updateAddress.js

@@ -87,15 +87,15 @@ module.exports = function(Self) {
     Self.updateAddress = async(ctx, clientId, addressId, options) => {
         const models = Self.app.models;
         const args = ctx.args;
-        const userId = ctx.req.accessToken.userId;
         const myOptions = {};
 
         if (typeof options == 'object')
             Object.assign(myOptions, options);
 
-        const isSalesAssistant = await models.VnUser.hasRole(userId, 'salesAssistant', myOptions);
+        const canEditAddressLogifloraAllowed =
+            await models.ACL.checkAccessAcl(ctx, 'Client', 'editAddressLogifloraAllowed');
 
-        if (args.isLogifloraAllowed && !isSalesAssistant)
+        if (args.isLogifloraAllowed && !canEditAddressLogifloraAllowed)
             throw new UserError(`You don't have enough privileges`);
 
         const address = await models.Address.findOne({