5488-use_checkAccessAcl #1482
|
@ -35,14 +35,14 @@ module.exports = Self => {
|
|||
|
||||
try {
|
||||
const dms = await models.Dms.findById(id, null, myOptions);
|
||||
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, dms.dmsTypeFk, 'WRITE', myOptions);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
const trashDmsType = await models.DmsType.findOne({
|
||||
where: {code: 'trash'}
|
||||
}, myOptions);
|
||||
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk, myOptions);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
await dms.updateAttribute('dmsTypeFk', trashDmsType.id, myOptions);
|
||||
|
||||
if (tx) await tx.commit();
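Review bot: `dms` is dereferenced on the `hasWriteRole` line without a null check, so a request for an id that `models.Dms.findById` does not match fails with a TypeError on `dms.dmsTypeFk` (surfacing as a server error) rather than a denial, and `trashDmsType.id` has the same exposure if no type with code `trash` exists. I would add `if (!dms) throw new UserError('Dms not found');` right after the `findById` and a similar guard before `updateAttribute`. The enclosing function starts and ends outside the hunk, so an earlier existence check may already exist; if it does, disregard this.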
|
||||
|
|
|
@ -71,7 +71,7 @@ module.exports = Self => {
|
|||
}
|
||||
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId);
|
||||
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
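Review bot: The new `hasWriteRole(ctx, args.dmsTypeId)` call passes no options, while the equivalent calls in the other hunks of this change pass `myOptions`; if this method runs inside a transaction (it sits in a `try` block like the others, which is suggestive but the start of the function is outside the hunk), the role lookup runs outside that transaction. If a `myOptions` exists in this function, pass it through: `const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);`. If there is deliberately no transaction here, a short comment saying so would stop the inconsistency from being "fixed" later.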
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ module.exports = Self => {
|
|||
|
||||
let srcFile;
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE');
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
|
||||
jgallego
commented
este també estaba be, no cal tocar estos arxius
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
@ -67,7 +67,7 @@ module.exports = Self => {
|
|||
|
||||
if (!image) return false;
|
||||
|
||||
const hasReadRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', collection, 'READ');
|
||||
const hasReadRole = await models.ImageCollection.hasReadRole(ctx, collection);
|
||||
alexm
commented
Aço dua 3 anys mal (sempre era true)
|
||||
if (!hasReadRole)
|
||||
throw new UserError(`You don't have enough privileges`);
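Review bot: The existence check `if (!image) return false;` runs before the new `hasReadRole` call, so a caller without read rights on the collection gets `false` for a missing image and a privileges error for an existing one, which lets them probe which image names exist in a collection they cannot read. Unless that distinction is intended, run the authorization check first and only then look up the image; the image lookup and the start of the function are above the hunk. The resolved comment says the old check was always true, so this ordering only starts to matter now that the check can actually fail.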
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ module.exports = Self => {
|
|||
|
||||
let tempFilePath;
|
||||
try {
|
||||
const hasWriteRole = await models.ACL.checkAccessAcl(ctx, 'ImageCollection', args.collection, 'WRITE');
|
||||
const hasWriteRole = await models.ImageCollection.hasWriteRole(ctx, args.collection);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
|
||||
|
|
|
@ -1,18 +1,65 @@
|
|||
module.exports = Self => {
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read privileges over a dms
|
||||
*
|
||||
* @param {Object} ctx - Request context
|
||||
* @param {Interger} id - DmsType id
|
||||
* @param {Object} options - Query options
|
||||
* @return {Boolean} True for user with read privileges
|
||||
*/
|
||||
Self.hasReadRole = async(ctx, id, options) => {
|
||||
const models = Self.app.models;
|
||||
const dmsType = await models.DmsType.findById(id, {
|
||||
include: {
|
||||
relation: 'readRole'
|
||||
}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, dmsType, options);
|
||||
};
|
||||
|
||||
/**
|
||||
jgallego
commented
este archiu cal deixarlo com estaba perque DmsType ja te la seua gestio de rols concreta
|
||||
* Checks if current user has
|
||||
* write privileges over a dms
|
||||
*
|
||||
* @param {Object} ctx - Request context
|
||||
* @param {Interger} id - DmsType id
|
||||
* @param {String} type - Acl accessType
|
||||
* @param {Object} options - Query options
|
||||
* @return {Boolean} True for user with write privileges
|
||||
*/
|
||||
Self.checkRole = async(ctx, id, type, options) => {
|
||||
Self.hasWriteRole = async(ctx, id, options) => {
|
||||
const models = Self.app.models;
|
||||
const dmsType = await models.DmsType.findById(id, {fields: ['code']}, options);
|
||||
const dmsType = await models.DmsType.findById(id, {
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
}
|
||||
}, options);
|
||||
|
||||
return await models.ACL.checkAccessAcl(ctx, 'DmsType', dmsType.code, type);
|
||||
return await hasRole(ctx, dmsType, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read or write privileges
|
||||
* @param {Object} ctx - Context
|
||||
* @param {Object} dmsType - Dms type [read/write]
|
||||
* @param {Object} options - Query options
|
||||
*/
|
||||
async function hasRole(ctx, dmsType, options) {
|
||||
const models = Self.app.models;
|
||||
const myUserId = ctx.req.accessToken.userId;
|
||||
|
||||
const readRole = dmsType.readRole() && dmsType.readRole().name;
|
||||
const writeRole = dmsType.writeRole() && dmsType.writeRole().name;
|
||||
const requiredRole = readRole || writeRole;
|
||||
|
||||
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
|
||||
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
|
||||
|
||||
if (isRoot || hasRequiredRole)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
};
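Review bot: The JSDoc above `hasWriteRole` still lists `@param {String} type - Acl accessType`, a parameter that the new signature `Self.hasWriteRole = async(ctx, id, options)` no longer takes; drop that line and correct `{Interger}` to `{Integer}` in both docblocks. In `hasRole`, `dmsType` is dereferenced without a null check, so an unknown id makes `dmsType.readRole()` throw a TypeError instead of returning `false`, and when neither relation resolves `requiredRole` is `undefined` and the outcome depends on what `VnUser.hasRole(userId, undefined)` does, which is not visible here. I would add `if (!dmsType) return false;` at the top of `hasRole` and, with the root check moved above it, `if (!requiredRole) return false;` after `requiredRole` is computed (or `return true` there if a missing role is meant to mean unrestricted), so the policy lives in this code rather than in the helper. The `readRole || writeRole` fallback also means a read check silently uses the write role when no read role is set; a one-line comment on that line stating the intent would help.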
|
||||
|
|
|
@ -38,27 +38,10 @@
|
|||
"foreignKey": "writeRoleFk"
|
||||
}
|
||||
},
|
||||
"acls": [
|
||||
{
|
||||
"property": "find",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
},
|
||||
{
|
||||
"property": "findById",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
},
|
||||
{
|
||||
"property": "findOne",
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
}
|
||||
]
|
||||
"acls": [{
|
||||
"accessType": "READ",
|
||||
"principalType": "ROLE",
|
||||
"principalId": "$everyone",
|
||||
"permission": "ALLOW"
|
||||
}]
|
||||
}
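Review bot: Replacing the three `property`-scoped entries with a single `accessType: READ` grant to `$everyone` widens the rule from `find`/`findById`/`findOne` to every READ-classified endpoint of the model, including relation endpoints such as the `readRole`/`writeRole` getters and any remote method declared with `accessType: 'READ'`. If the aim was only to let every user look up a dms type, keep the property-scoped entries (or list the relation endpoints deliberately); if everything readable is meant to be public, a `"description"` on the model or a comment in its loader noting that would help, since JSON carries no comments. Whether a base-model DENY rule still applies underneath this ALLOW is not visible here.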
|
||||
|
|
|
@ -7,11 +7,11 @@ module.exports = Self => {
|
|||
require('../methods/dms/updateFile')(Self);
|
||||
require('../methods/dms/deleteTrashFiles')(Self);
|
||||
|
||||
Self.checkRole = async function(ctx, id, type) {
|
||||
Self.checkRole = async function(ctx, id) {
|
||||
const models = Self.app.models;
|
||||
const dms = await Self.findById(id);
|
||||
|
||||
return await models.DmsType.checkRole(ctx, dms.dmsTypeFk, type);
|
||||
return await models.DmsType.hasReadRole(ctx, dms.dmsTypeFk);
|
||||
};
|
||||
|
||||
Self.getFile = async function(id) {
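Review bot: `Self.checkRole` keeps its name and its `(ctx, id)` call shape but now performs only a READ check via `DmsType.hasReadRole`, so any caller elsewhere still passing `'WRITE'` as a third argument would silently get a read-level check in place of a write-level one; the only caller visible in this change is `downloadFile`, which wants READ, so the risk is in callers not shown. Either rename it to say what it does, `Self.hasReadRole = async function(ctx, id)`, or keep the `type` parameter and dispatch: `return type === 'WRITE' ? models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk) : models.DmsType.hasReadRole(ctx, dms.dmsTypeFk);`. `Self.findById(id)` can also return null for an unknown id, making `dms.dmsTypeFk` throw; `if (!dms) return false;` keeps that failure a denial.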
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
module.exports = Self => {
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read privileges over a collection
|
||||
*
|
||||
* @param {object} ctx - Request context
|
||||
* @param {interger} name - Collection name
|
||||
* @param {object} options - Query options
|
||||
* @return {boolean} True for user with read privileges
|
||||
*/
|
||||
Self.hasReadRole = async(ctx, name, options) => {
|
||||
const collection = await Self.findOne({where: {name}}, {
|
||||
include: {
|
||||
relation: 'readRole'
|
||||
}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, collection, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* write privileges over a collection
|
||||
*
|
||||
* @param {object} ctx - Request context
|
||||
* @param {string} name - Collection name
|
||||
* @param {object} options - Query options
|
||||
* @return {boolean} True for user with write privileges
|
||||
*/
|
||||
Self.hasWriteRole = async(ctx, name, options) => {
|
||||
const collection = await Self.findOne({
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
},
|
||||
where: {name}
|
||||
}, options);
|
||||
|
||||
return await hasRole(ctx, collection, options);
|
||||
};
|
||||
|
||||
/**
|
||||
* Checks if current user has
|
||||
* read or write privileges
|
||||
* @param {Object} ctx - Context
|
||||
* @param {Object} collection - Collection [read/write]
|
||||
* @param {Object} options - Query options
|
||||
*/
|
||||
async function hasRole(ctx, collection, options) {
|
||||
const models = Self.app.models;
|
||||
const myUserId = ctx.req.accessToken.userId;
|
||||
|
||||
const readRole = collection.readRole() && collection.readRole().name;
|
||||
const writeRole = collection.writeRole() && collection.writeRole().name;
|
||||
const requiredRole = readRole || writeRole;
|
||||
|
||||
const hasRequiredRole = await models.VnUser.hasRole(myUserId, requiredRole, options);
|
||||
const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
|
||||
|
||||
if (isRoot || hasRequiredRole)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
};
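Review bot: `hasRole` dereferences `collection` without a null check, so `hasReadRole`/`hasWriteRole` called with a name that `findOne` does not match throw a TypeError from `collection.readRole()` instead of denying, and when the matching row has no role configured `requiredRole` is `undefined` and the decision is delegated to whatever `VnUser.hasRole(userId, undefined)` does, which is not visible here. Below is a version of `hasRole` that denies an unknown collection, checks root first and states the no-role case explicitly (change that branch to `return true` if a missing role is meant to mean unrestricted). The JSDoc for `hasReadRole` also types `name` as `{interger}`; it is a collection name, so `{string}` as in `hasWriteRole`. This helper is a copy of the one in `DmsType`; if both stay, a shared helper would keep the two policies from drifting.
```javascript
async function hasRole(ctx, collection, options) {
    const models = Self.app.models;
    // Unknown collection name: deny instead of throwing on collection.readRole()
    if (!collection) return false;
    const myUserId = ctx.req.accessToken.userId;

    const isRoot = await models.VnUser.hasRole(myUserId, 'root', options);
    if (isRoot) return true;

    const readRole = collection.readRole() && collection.readRole().name;
    const writeRole = collection.writeRole() && collection.writeRole().name;
    const requiredRole = readRole || writeRole;
    // No role configured on the collection: decide here rather than passing
    // undefined to VnUser.hasRole
    if (!requiredRole) return false;

    return await models.VnUser.hasRole(myUserId, requiredRole, options);
}
```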
|
|
@ -1,28 +0,0 @@
|
|||
-- DmsType model
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.readRoleFk;
|
||||
|
||||
-- ImageCollection model
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ImageCollection', i.name, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `hedera`.`imageCollection` i
|
||||
JOIN `account`.`role` r ON r.id = i.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ImageCollection', i.name, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `hedera`.`imageCollection` i
|
||||
JOIN `account`.`role` r ON r.id = i.readRoleFk;
|
||||
|
||||
-- ClaimState
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`claimState` c
|
||||
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||
|
|
@ -1775,11 +1775,6 @@ INSERT INTO `vn`.`claimState`(`id`, `code`, `description`, `roleFk`, `priority`,
|
|||
( 6, 'mana', 'Mana', 72, 4, 0),
|
||||
( 7, 'lack', 'Faltas', 72, 2, 0);
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'ClaimState', c.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`claimState` c
|
||||
JOIN `account`.`role` r ON r.id = c.roleFk;
|
||||
|
||||
INSERT INTO `vn`.`claim`(`id`, `ticketCreated`, `claimStateFk`, `clientFk`, `workerFk`, `responsibility`, `isChargedToMana`, `created`, `packages`, `rma`, `ticketFk`)
|
||||
VALUES
|
||||
(1, util.VN_CURDATE(), 1, 1101, 18, 3, 0, util.VN_CURDATE(), 0, '02676A049183', 11),
|
||||
|
@ -2326,36 +2321,26 @@ INSERT INTO `vn`.`workerTimeControl`(`userFk`, `timed`, `manual`, `direction`, `
|
|||
|
||||
INSERT INTO `vn`.`dmsType`(`id`, `name`, `path`, `readRoleFk`, `writeRoleFk`, `code`)
|
||||
VALUES
|
||||
(1, 'Facturas Recibidas', 'recibidas', 1, 1, 'invoiceIn'),
|
||||
(2, 'Doc oficial', 'oficial', 1, 1, 'officialDoc'),
|
||||
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
|
||||
(4, 'Albaranes recibidos', 'entradas', 1, 1, 'deliveryNote'),
|
||||
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
|
||||
(6, 'Pruebas', 'pruebas', 1, 1, 'tests'),
|
||||
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
|
||||
(8, 'Fiscal', 'fiscal', 1, 1, 'fiscal'),
|
||||
(9, 'Vehiculos', 'vehiculos', 1, 1, 'vehicles'),
|
||||
(10, 'Plantillas', 'plantillas', 1, 1, 'templates'),
|
||||
(11, 'Contratos', 'contratos', 1, 1, 'contracts'),
|
||||
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
|
||||
(13, 'Basura', 'basura', 1, 1, 'trash'),
|
||||
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
|
||||
(15, 'Presupuestos', 'Presupuestos', 1, 1, 'budgets'),
|
||||
(16, 'Logistica', 'logistica', 1, 1, 'logistics'),
|
||||
(17, 'cmr', 'cmr', 1, 1, 'cmr'),
|
||||
(18, 'dua', 'dua', 1, 1, 'dua'),
|
||||
(19, 'inmovilizado', 'inmovilizado', 1, 1, 'fixedAssets'),
|
||||
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'WRITE', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.writeRoleFk;
|
||||
|
||||
INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
|
||||
SELECT 'DmsType', d.code, 'READ', 'ALLOW', 'ROLE', r.name
|
||||
FROM `vn`.`dmsType` d
|
||||
JOIN `account`.`role` r ON r.id = d.readRoleFk;
|
||||
(1, 'Facturas Recibidas', 'recibidas', NULL, NULL, 'invoiceIn'),
|
||||
(2, 'Doc oficial', 'oficial', NULL, NULL, 'officialDoc'),
|
||||
(3, 'Laboral', 'laboral', 37, 37, 'hhrrData'),
|
||||
(4, 'Albaranes recibidos', 'entradas', NULL, NULL, 'deliveryNote'),
|
||||
(5, 'Otros', 'otros', 1, 1, 'miscellaneous'),
|
||||
(6, 'Pruebas', 'pruebas', NULL, NULL, 'tests'),
|
||||
(7, 'IAE Clientes', 'IAE_Clientes', 1, 1, 'economicActivitiesTax'),
|
||||
(8, 'Fiscal', 'fiscal', NULL, NULL, 'fiscal'),
|
||||
(9, 'Vehiculos', 'vehiculos', NULL, NULL, 'vehicles'),
|
||||
(10, 'Plantillas', 'plantillas', NULL, NULL, 'templates'),
|
||||
(11, 'Contratos', 'contratos', NULL, NULL, 'contracts'),
|
||||
(12, 'ley de pagos', 'ley pagos', 1, 1, 'paymentsLaw'),
|
||||
(13, 'Basura', 'basura', 1, 1, 'trash'),
|
||||
(14, 'Ticket', 'tickets', 1, 1, 'ticket'),
|
||||
(15, 'Presupuestos', 'Presupuestos', NULL, NULL, 'budgets'),
|
||||
(16, 'Logistica', 'logistica', NULL, NULL, 'logistics'),
|
||||
(17, 'cmr', 'cmr', NULL, NULL, 'cmr'),
|
||||
(18, 'dua', 'dua', NULL, NULL, 'dua'),
|
||||
(19, 'inmovilizado', 'inmovilizado', NULL, NULL, 'fixedAssets'),
|
||||
(20, 'Reclamación', 'reclamacion', 1, 1, 'claim');
|
||||
|
||||
INSERT INTO `vn`.`dms`(`id`, `dmsTypeFk`, `file`, `contentType`, `workerFk`, `warehouseFk`, `companyFk`, `hardCopyNumber`, `hasFile`, `reference`, `description`, `created`)
|
||||
VALUES
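Review bot: Taking the second `dmsType` value list (the one with `NULL, NULL`) as the new side, several types now have neither a read nor a write role, and `DmsType.hasRole` in this same change computes `requiredRole = readRole || writeRole`, which is `undefined` for those rows and is then handed to `VnUser.hasRole`; what that grants is not visible here. If `NULL` is meant to mean "unrestricted", that should be an explicit branch in `hasRole` backed by a test on one of these fixtures, and if it is meant to mean "nobody", a test should show a non-root user being denied on one of them. A comment above the `INSERT` stating which meaning `NULL` has would keep the fixture and the helper in agreement.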
|
||||
|
|
|
@ -20,14 +20,19 @@ module.exports = Self => {
|
|||
});
|
||||
|
||||
Self.isEditable = async(ctx, id, options) => {
|
||||
const userId = ctx.req.accessToken.userId;
|
||||
const models = Self.app.models;
|
||||
const myOptions = {};
|
||||
|
||||
if (typeof options == 'object')
|
||||
Object.assign(myOptions, options);
|
||||
const state = await models.ClaimState.findById(id, {fields: ['code']}, myOptions);
|
||||
if (!state) return false;
|
||||
|
||||
return await models.ACL.checkAccessAcl(ctx, 'ClaimState', state.code);
|
||||
const state = await models.ClaimState.findById(id, {
|
||||
include: {
|
||||
relation: 'writeRole'
|
||||
}
|
||||
}, myOptions);
|
||||
const roleWithGrants = state && state.writeRole().name;
|
||||
return await models.VnUser.hasRole(userId, roleWithGrants, myOptions);
|
||||
};
|
||||
};
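Review bot: The new `isEditable` drops the old `if (!state) return false;` guard in favour of `state && state.writeRole().name`, so an unknown claim state now yields `roleWithGrants = null` and the decision is handed to `VnUser.hasRole(userId, null)`, and a state whose `writeRole` relation resolves to nothing throws a TypeError on `.name` instead of denying. I would keep the explicit denial: `if (!state || !state.writeRole()) return false;` followed by `return await models.VnUser.hasRole(userId, state.writeRole().name, myOptions);`. Unlike the `hasRole` helpers elsewhere in this change there is no root override here; if that asymmetry is intended, a one-line comment saying so would stop someone from "fixing" it later.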
|
||||
|
|
|
@ -75,7 +75,7 @@ module.exports = Self => {
|
|||
|
||||
let srcFile;
|
||||
try {
|
||||
const hasWriteRole = await models.DmsType.checkRole(ctx, args.dmsTypeId, 'WRITE', myOptions);
|
||||
const hasWriteRole = await models.DmsType.hasWriteRole(ctx, args.dmsTypeId, myOptions);
|
||||
if (!hasWriteRole)
|
||||
throw new UserError(`You don't have enough privileges`);
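Review bot: The write check on the `hasWriteRole` line covers only the target `args.dmsTypeId`; if this is the update path (the model file requires `../methods/dms/updateFile`, but this function's start is outside the hunk), nothing visible here checks write rights on the dms's current type, so a user with write on type B but not type A could re-type an A document into B and from then on handle it under B's permissions. If the existing dms is loaded above, add a second check against its current `dmsTypeFk` when it differs from `args.dmsTypeId`, e.g. `if (dms.dmsTypeFk !== args.dmsTypeId && !await models.DmsType.hasWriteRole(ctx, dms.dmsTypeFk, myOptions))` and throw the same privileges error. If the type cannot change on this path, a one-line comment saying so would make that clear.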
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ module.exports = Self => {
|
|||
});
|
||||
|
||||
Self.downloadFile = async function(ctx, id) {
|
||||
if (!await Self.app.models.Dms.checkRole(ctx, id, 'READ') && !await Self.isMine(ctx, id))
|
||||
if (!await Self.app.models.Dms.checkRole(ctx, id) && !await Self.isMine(ctx, id))
|
||||
throw new UserError(`You don't have enough privileges`);
|
||||
return await Self.app.models.Dms.getFile(id);
|
||||
};
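Review bot: The `checkRole` call on the new line no longer says what it checks; the `'READ'` argument is gone and the method now always performs a read check, which the name `checkRole` does not convey to a reader of this file. A comment on the condition, `// caller needs READ on the dms type, or must own the file`, would make the intent explicit, and if `Dms.checkRole` is renamed to `hasReadRole` (it is a read check only now) this call site should follow.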
|
||||
|
|
este no es necesario