From 411933a608718dc7e4e2af3c5dfaf0f7defaac21 Mon Sep 17 00:00:00 2001
From: jorgep <jorgep@verdnatura.es>
Date: Fri, 3 May 2024 12:17:51 +0200
Subject: [PATCH 1/3] feat: refs #6598 acls back

---
 back/methods/vn-user/acls.js | 72 ++++++++++++++++++++++++++++++++++++
 back/models/vn-user.js       |  1 +
 back/models/vn-user.json     |  7 ++++
 3 files changed, 80 insertions(+)
 create mode 100644 back/methods/vn-user/acls.js

diff --git a/back/methods/vn-user/acls.js b/back/methods/vn-user/acls.js
new file mode 100644
index 000000000..7da75ed2c
--- /dev/null
+++ b/back/methods/vn-user/acls.js
@@ -0,0 +1,72 @@
+module.exports = Self => {
+    Self.remoteMethodCtx('acls', {
+        description: 'Get all of the current user acls',
+        returns: {
+            type: 'Object',
+            root: true
+        },
+        http: {
+            path: '/acls',
+            verb: 'GET'
+        }
+    });
+
+    const staticAcls = new Map();
+    const app = require('vn-loopback/server/server');
+    app.on('started', function() {
+        for (const model of app.models()) {
+            for (const acl of model.settings.acls) {
+                if (acl.principalType == 'ROLE' && acl.permission == 'ALLOW') {
+                    const staticAcl = {
+                        model: model.name,
+                        property: '*',
+                        accessType: acl.accessType,
+                        permission: acl.permission,
+                        principalType: acl.principalType,
+                        principalId: acl.principalId,
+                    };
+                    if (staticAcls.has(acl.principalId))
+                        staticAcls.get(acl.principalId).push(staticAcl);
+                    else
+                        staticAcls.set(acl.principalId, [staticAcl]);
+                }
+            }
+        }
+    });
+
+    Self.acls = async function(ctx) {
+        const models = Self.app.models;
+        const acls = [];
+        const userId = ctx.req.accessToken.userId;
+        if (userId) {
+            const roleMapping = await models.RoleMapping.find({
+                where: {
+                    principalId: userId
+                },
+                include: [
+                    {
+                        relation: 'role',
+                        scope: {
+                            fields: [
+                                'name'
+                            ]
+                        }
+                    }
+                ]
+            });
+            const dynamicAcls = await models.ACL.find({
+                where: {
+                    principalId: {
+                        inq: roleMapping.map(rm => rm.role().name)
+                    }
+                }
+            });
+            dynamicAcls.forEach(acl => acls.push(acl));
+            staticAcls.get('$authenticated').forEach(acl => acls.push(acl));
+        } else
+            staticAcls.get('$unauthenticated').forEach(acl => acls.push(acl));
+
+        staticAcls.get('$everyone').forEach(acl => acls.push(acl));
+        return acls;
+    };
+};
diff --git a/back/models/vn-user.js b/back/models/vn-user.js
index b59f13ffa..08a4daf54 100644
--- a/back/models/vn-user.js
+++ b/back/models/vn-user.js
@@ -15,6 +15,7 @@ module.exports = function(Self) {
     require('../methods/vn-user/renew-token')(Self);
     require('../methods/vn-user/share-token')(Self);
     require('../methods/vn-user/update-user')(Self);
+    require('../methods/vn-user/acls')(Self);
 
     Self.definition.settings.acls = Self.definition.settings.acls.filter(acl => acl.property !== 'create');
 
diff --git a/back/models/vn-user.json b/back/models/vn-user.json
index 5f6ac3f47..ebd2ea2f3 100644
--- a/back/models/vn-user.json
+++ b/back/models/vn-user.json
@@ -133,6 +133,13 @@
             "principalType": "ROLE",
             "principalId": "$authenticated",
             "permission": "ALLOW"
+        },
+        {
+			"property": "acls",
+			"accessType": "*",
+			"principalType": "ROLE",
+			"principalId": "$everyone",
+			"permission": "ALLOW"
         }
     ],
     "scopes": {
-- 
2.40.1


From 5abc95af5122b53b4e03d412ba284bd288060034 Mon Sep 17 00:00:00 2001
From: jorgep <jorgep@verdnatura.es>
Date: Fri, 17 May 2024 11:29:16 +0200
Subject: [PATCH 2/3] feat: refs #6598 back test

---
 back/methods/vn-user/specs/acls.spec.js | 36 +++++++++++++++++++++++++
 back/tests-helper.js                    |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 back/methods/vn-user/specs/acls.spec.js

diff --git a/back/methods/vn-user/specs/acls.spec.js b/back/methods/vn-user/specs/acls.spec.js
new file mode 100644
index 000000000..486d23bca
--- /dev/null
+++ b/back/methods/vn-user/specs/acls.spec.js
@@ -0,0 +1,36 @@
+const {models} = require('vn-loopback/server/server');
+const id = {administrative: 5, employee: 1, productionBoss: 50};
+
+describe('VnUser acls()', () => {
+    it('should get its owns acls', async() => {
+        const hasAdministrativeAcls = await hasAcl('administrative', id.administrative);
+        const hasProductionBossAcls = await hasAcl('productionBoss', id.productionBoss);
+
+        expect(hasAdministrativeAcls).toBeTruthy();
+        expect(hasProductionBossAcls).toBeTruthy();
+    });
+
+    it('should not get administrative acls', async() => {
+        const hasAdministrativeAcls = await hasAcl('administrative', id.employee);
+
+        expect(hasAdministrativeAcls).toBeFalsy();
+    });
+
+    it('should get the $authenticated acls', async() => {
+        const hasAuthAcls = await hasAcl('$authenticated', id.employee);
+
+        expect(hasAuthAcls).toBeTruthy();
+    });
+
+    it('should get the $everyone acls', async() => {
+        const hasEveryoneAcls = await hasAcl('$everyone', id.employee);
+
+        expect(hasEveryoneAcls).toBeTruthy();
+    });
+});
+
+const hasAcl = async(role, userId) => {
+    const ctx = {req: {accessToken: {userId}, headers: {origin: 'http://localhost'}}};
+    const acls = await models.VnUser.acls(ctx);
+    return Object.values(acls).some(acl => acl.principalId === role);
+};
diff --git a/back/tests-helper.js b/back/tests-helper.js
index b88fa1fd6..6d465bc2a 100644
--- a/back/tests-helper.js
+++ b/back/tests-helper.js
@@ -17,6 +17,7 @@ async function init() {
             err => err ? reject(err) : resolve());
     });
     // FIXME: Workaround to wait for loopback to be ready
+    app.emit('started');
     await app.models.Application.status();
 }
 
-- 
2.40.1


From 0e51fa861cb4ce8707ad2106ad5204f0a5c41706 Mon Sep 17 00:00:00 2001
From: jorgep <jorgep@verdnatura.es>
Date: Fri, 17 May 2024 11:35:29 +0200
Subject: [PATCH 3/3] fix: refs #6598 drop variables

---
 back/methods/vn-user/specs/acls.spec.js | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/back/methods/vn-user/specs/acls.spec.js b/back/methods/vn-user/specs/acls.spec.js
index 486d23bca..0349b39fb 100644
--- a/back/methods/vn-user/specs/acls.spec.js
+++ b/back/methods/vn-user/specs/acls.spec.js
@@ -3,29 +3,20 @@ const id = {administrative: 5, employee: 1, productionBoss: 50};
 
 describe('VnUser acls()', () => {
     it('should get its owns acls', async() => {
-        const hasAdministrativeAcls = await hasAcl('administrative', id.administrative);
-        const hasProductionBossAcls = await hasAcl('productionBoss', id.productionBoss);
-
-        expect(hasAdministrativeAcls).toBeTruthy();
-        expect(hasProductionBossAcls).toBeTruthy();
+        expect(await hasAcl('administrative', id.administrative)).toBeTruthy();
+        expect(await hasAcl('productionBoss', id.productionBoss)).toBeTruthy();
     });
 
     it('should not get administrative acls', async() => {
-        const hasAdministrativeAcls = await hasAcl('administrative', id.employee);
-
-        expect(hasAdministrativeAcls).toBeFalsy();
+        expect(await hasAcl('administrative', id.employee)).toBeFalsy();
     });
 
     it('should get the $authenticated acls', async() => {
-        const hasAuthAcls = await hasAcl('$authenticated', id.employee);
-
-        expect(hasAuthAcls).toBeTruthy();
+        expect(await hasAcl('$authenticated', id.employee)).toBeTruthy();
     });
 
     it('should get the $everyone acls', async() => {
-        const hasEveryoneAcls = await hasAcl('$everyone', id.employee);
-
-        expect(hasEveryoneAcls).toBeTruthy();
+        expect(await hasAcl('$everyone', id.employee)).toBeTruthy();
     });
 });
 
-- 
2.40.1