diff --git a/back/models/specs/mailAliasAccount.spec.js b/back/models/specs/mailAliasAccount.spec.js
index 8f0278a50..77def61f6 100644
--- a/back/models/specs/mailAliasAccount.spec.js
+++ b/back/models/specs/mailAliasAccount.spec.js
@@ -1,56 +1,108 @@ -const models = require('vn-loopback/server/server').models; +const {models} = require('vn-loopback/server/server'); +const LoopBackContext = require('loopback-context'); describe('loopback model MailAliasAccount', () => { - it('should add a mail Alias', async() => { - const tx = await models.MailAliasAccount.beginTransaction({}); - let error; + const employee = 1; + const administrative = 5; + const developer = 9; + const salesBoss = 19; + const developerBoss = 120; - try { - const options = {transaction: tx, accessToken: {userId: 9}}; - await models.MailAliasAccount.create({mailAlias: 2, account: 5}, options); + const salesAlias = 3; + const itAlias = 2; - await tx.rollback(); - } catch (e) { - await tx.rollback(); - error = e; - } + let ctx; + let options; + let tx; - expect(error).toBeUndefined(); + beforeEach(async() => { + ctx = { + req: { + accessToken: {}, + headers: {origin: 'http://localhost'} + }, + args: {} + }; + + spyOn(LoopBackContext, 'getCurrentContext').and.returnValue({ + active: ctx.req + }); + + options = {transaction: tx}; + tx = await models.MailAliasAccount.beginTransaction({}); + options.transaction = tx; + }); + + afterEach(async() => { + await tx.rollback(); + }); + + it('should add a mail alias if they are developerBoss', async() => { + ctx.req.accessToken.userId = developerBoss; + + const {mailAlias, account} = await models.MailAliasAccount.create({ + account: employee, + mailAlias: salesAlias + }, options); + + expect(mailAlias).toEqual(salesAlias); + expect(account).toEqual(employee); }); it('should add a mail Alias of an inherit role', async() => { - const tx = await models.MailAliasAccount.beginTransaction({}); let error; try { - const options = {transaction: tx, accessToken: {userId: 9}}; - await models.MailAliasAccount.create({mailAlias: 3, account: 5}, options); - - await tx.rollback(); + ctx.req.accessToken.userId = developer; + await models.MailAliasAccount.create({mailAlias: salesAlias, account: 
administrative}, options); } catch (e) { - await tx.rollback(); error = e; } expect(error).toBeUndefined(); }); + it('should add the sales alias if they are teamBoss and have it', async() => { + ctx.req.accessToken.userId = salesBoss; + const {mailAlias, account} = await models.MailAliasAccount.create({ + mailAlias: salesAlias, + account: employee + }, options); + + expect(mailAlias).toEqual(salesAlias); + expect(account).toEqual(employee); + }); + it('should delete a mail Alias', async() => { - const tx = await models.MailAliasAccount.beginTransaction({}); let error; try { - const options = {transaction: tx, accessToken: {userId: 1}}; + ctx.req.accessToken.userId = employee; const mailAclId = 2; await models.MailAliasAccount.destroyAll({id: mailAclId}, options); - - await tx.rollback(); } catch (e) { - await tx.rollback(); error = e; } expect(error).toBeUndefined(); }); + + it('should throw an error if they cannot edit an alias', async() => { + try { + ctx.req.accessToken.userId = administrative; + await models.MailAliasAccount.create({mailAlias: itAlias, account: employee}, options); + } catch (e) { + expect(e.message).toEqual('You are not allowed to modify the alias'); + } + }); + + it('should throw an error if they are teamBoss but have not got the alias', async() => { + try { + ctx.req.accessToken.userId = salesBoss; + await models.MailAliasAccount.create({mailAlias: itAlias, account: employee}, options); + } catch (e) { + expect(e.message).toEqual('You are not allowed to modify the alias'); + } + }); });
diff --git a/db/dump/fixtures.before.sql b/db/dump/fixtures.before.sql
index cb9ee0fe6..42927d464 100644
--- a/db/dump/fixtures.before.sql
+++ b/db/dump/fixtures.before.sql
@@ -146,6 +146,7 @@ INSERT INTO `account`.`mailAliasAccount`(`mailAlias`, `account`) (1, 1), (1, 18), (3, 18), + (3, 19), (1, 9), (2, 9);
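Review bot: The two new negative cases, 'should throw an error if they cannot edit an alias' and 'should throw an error if they are teamBoss but have not got the alias', assert only inside `catch`, so if `create` unexpectedly succeeds no expectation runs and the test passes without ever proving the denial. Assert the rejection directly, e.g. `await expectAsync(models.MailAliasAccount.create({mailAlias: itAlias, account: employee}, options)).toBeRejectedWithError('You are not allowed to modify the alias');` if the Jasmine version in use provides it, or otherwise add `fail('create should have been rejected');` after the `await` inside the `try`. In `beforeEach`, `options = {transaction: tx};` runs while `tx` is still undefined and is immediately overwritten by `options.transaction = tx;`; a single `options = {transaction: tx};` after the `beginTransaction` call replaces both lines.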
diff --git a/db/versions/10916-purpleCamellia/00-canEditOwnAlias.sql b/db/versions/10916-purpleCamellia/00-canEditOwnAlias.sql
new file mode 100644
index 000000000..952be79de
--- /dev/null
+++ b/db/versions/10916-purpleCamellia/00-canEditOwnAlias.sql
@@ -0,0 +1,3 @@
+INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
+ VALUES
+ ('MailAliasAccount','canEditOwnAlias','WRITE','ALLOW','ROLE','teamBoss');
\ No newline at end of file
diff --git a/modules/account/back/models/mail-alias-account.js b/modules/account/back/models/mail-alias-account.js
index 61ca344e9..5d5ce1d5c 100644
--- a/modules/account/back/models/mail-alias-account.js
+++ b/modules/account/back/models/mail-alias-account.js
@@ -38,8 +38,19 @@ module.exports = Self => { principalType: 'USER', roleId: {inq: allowedRoles.map(x => x.roleFk)} }); + if (nRoles) return; - if (!nRoles) - throw new ForbiddenError('You are not allowed to modify the alias'); + const canEditOwnAlias = await models.ACL.checkAccessAcl(ctx, + 'MailAliasAccount', 'canEditOwnAlias', 'WRITE'); + + if (canEditOwnAlias) { + const hasAlias = await Self.count({ + account: userId, + mailAlias: mailAliasFk + }); + if (hasAlias) return; + } + + throw new ForbiddenError('You are not allowed to modify the alias'); } };
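Review bot: The new migration ends without a trailing newline (`\ No newline at end of file` after the `VALUES` row), so any later edit to the file will show a spurious change on this line; add the newline before merging. The row grants `WRITE` on `canEditOwnAlias` to the `teamBoss` role, which is the exact tuple the `checkAccessAcl(ctx, 'MailAliasAccount', 'canEditOwnAlias', 'WRITE')` lookup in the model change queries, so the two must be deployed together.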
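Review bot: The `hasAlias` check under `if (canEditOwnAlias)` only confirms that the acting user (`account: userId`) holds `mailAliasFk`; it does not constrain which `account` the alias is being attached to, so a `teamBoss` holding an alias may grant it to any account, which the spec's teamBoss case (salesAlias to employee) exercises but the ACL name `canEditOwnAlias` does not suggest. If that scope is intended, say so at the branch, e.g. `// teamBoss may assign any alias they hold themselves to any account`; if it should be limited to their own team, the count needs an additional filter on the target account. `Self.count` and `checkAccessAcl` are called without the transaction options the spec runs under (`{transaction: tx}`), so if the hook receives `options`, passing them to `Self.count` would keep this check consistent with the role lookup above it; I cannot tell from the hunk whether it does, as the enclosing function starts outside the hunk.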