4 changed files with 93 additions and 26 deletions
--- a/back/models/specs/mailAliasAccount.spec.js
+++ b/back/models/specs/mailAliasAccount.spec.js
@ -1,56 +1,108 @@
-const models = require('vn-loopback/server/server').models;
+const {models} = require('vn-loopback/server/server');
+const LoopBackContext = require('loopback-context');

 describe('loopback model MailAliasAccount', () => {
-    it('should add a mail Alias', async() => {
-        const tx = await models.MailAliasAccount.beginTransaction({});
-        let error;
+    const employee = 1;
+    const administrative = 5;
+    const developer = 9;
+    const salesBoss = 19;
+    const developerBoss = 120;

-        try {
-            const options = {transaction: tx, accessToken: {userId: 9}};
-            await models.MailAliasAccount.create({mailAlias: 2, account: 5}, options);
+    const salesAlias = 3;
+    const itAlias = 2;

-            await tx.rollback();
-        } catch (e) {
-            await tx.rollback();
-            error = e;
-        }
+    let ctx;
+    let options;
+    let tx;

-        expect(error).toBeUndefined();
+    beforeEach(async() => {
+        ctx = {
+            req: {
+                accessToken: {},
+                headers: {origin: 'http://localhost'}
+            },
+            args: {}
+        };
+
+        spyOn(LoopBackContext, 'getCurrentContext').and.returnValue({
+            active: ctx.req
+        });
+
+        options = {transaction: tx};
+        tx = await models.MailAliasAccount.beginTransaction({});
+        options.transaction = tx;
+    });
+
+    afterEach(async() => {
+        await tx.rollback();
+    });
+
+    it('should add a mail alias if they are developerBoss', async() => {
+        ctx.req.accessToken.userId = developerBoss;
+
+        const {mailAlias, account} = await models.MailAliasAccount.create({
+            account: employee,
+            mailAlias: salesAlias
+        }, options);
+
+        expect(mailAlias).toEqual(salesAlias);
+        expect(account).toEqual(employee);
    });

    it('should add a mail Alias of an inherit role', async() => {
-        const tx = await models.MailAliasAccount.beginTransaction({});
        let error;

        try {
-            const options = {transaction: tx, accessToken: {userId: 9}};
-            await models.MailAliasAccount.create({mailAlias: 3, account: 5}, options);
-
-            await tx.rollback();
+            ctx.req.accessToken.userId = developer;
+            await models.MailAliasAccount.create({mailAlias: salesAlias, account: administrative}, options);
        } catch (e) {
-            await tx.rollback();
            error = e;
        }

        expect(error).toBeUndefined();
    });

+    it('should add the sales alias if they are teamBoss and have it', async() => {
+        ctx.req.accessToken.userId = salesBoss;
+        const {mailAlias, account} = await models.MailAliasAccount.create({
+            mailAlias: salesAlias,
+            account: employee
+        }, options);
+
+        expect(mailAlias).toEqual(salesAlias);
+        expect(account).toEqual(employee);
+    });
+
    it('should delete a mail Alias', async() => {
-        const tx = await models.MailAliasAccount.beginTransaction({});
        let error;

        try {
-            const options = {transaction: tx, accessToken: {userId: 1}};
+            ctx.req.accessToken.userId = employee;
            const mailAclId = 2;
            await models.MailAliasAccount.destroyAll({id: mailAclId}, options);
-
-            await tx.rollback();
        } catch (e) {
-            await tx.rollback();
            error = e;
        }

        expect(error).toBeUndefined();
    });
+
+    it('should throw an error if they cannot edit an alias', async() => {
+        try {
+            ctx.req.accessToken.userId = administrative;
+            await models.MailAliasAccount.create({mailAlias: itAlias, account: employee}, options);
+        } catch (e) {
+            expect(e.message).toEqual('You are not allowed to modify the alias');
+        }
+    });
+
+    it('should throw an error if they are teamBoss but have not got the alias', async() => {
+        try {
+            ctx.req.accessToken.userId = salesBoss;
+            await models.MailAliasAccount.create({mailAlias: itAlias, account: employee}, options);
+        } catch (e) {
+            expect(e.message).toEqual('You are not allowed to modify the alias');
+        }
+    });
 });

--- a/db/dump/fixtures.before.sql
+++ b/db/dump/fixtures.before.sql
@ -146,6 +146,7 @@ INSERT INTO `account`.`mailAliasAccount`(`mailAlias`, `account`)
        (1, 1),
        (1, 18),
        (3, 18),
+        (3, 19),
        (1, 9),
        (2, 9);

--- a/db/versions/10916-purpleCamellia/00-canEditOwnAlias.sql
+++ b/db/versions/10916-purpleCamellia/00-canEditOwnAlias.sql
@ -0,0 +1,3 @@
+INSERT INTO `salix`.`ACL` (`model`, `property`, `accessType`, `permission`, `principalType`, `principalId`)
+    VALUES
+        ('MailAliasAccount','canEditOwnAlias','WRITE','ALLOW','ROLE','teamBoss');
--- a/modules/account/back/models/mail-alias-account.js
+++ b/modules/account/back/models/mail-alias-account.js
@ -38,8 +38,19 @@ module.exports = Self => {
                principalType: 'USER',
                roleId: {inq: allowedRoles.map(x => x.roleFk)}
            });
+        if (nRoles) return;

-        if (!nRoles)
-            throw new ForbiddenError('You are not allowed to modify the alias');
+        const canEditOwnAlias = await models.ACL.checkAccessAcl(ctx,
+            'MailAliasAccount', 'canEditOwnAlias', 'WRITE');
+
+        if (canEditOwnAlias) {
+            const hasAlias = await Self.count({
+                account: userId,
+                mailAlias: mailAliasFk
+            });
+            if (hasAlias) return;
+        }
+
+        throw new ForbiddenError('You are not allowed to modify the alias');
    }
 };