const ForbiddenError = require('vn-loopback/util/forbiddenError'); const UserError = require('vn-loopback/util/user-error'); module.exports = Self => { Self.rewriteDbError(function(err) { if (err.code === 'ER_DUP_ENTRY') return new UserError(`You already have the mailAlias`); return err; }); Self.beforeRemote('create', async function(ctx) { const mailAlias = ctx.args.data?.mailAlias; if (!mailAlias) return; await checkModifyPermission(ctx, mailAlias); }); Self.beforeRemote('deleteById', async function(ctx) { const instance = await Self.findById(ctx.args.id, {fields: ['mailAlias']} ); await checkModifyPermission(ctx, instance.mailAlias); }); async function checkModifyPermission(ctx, mailAliasFk) { const models = Self.app.models; const userId = ctx.req.accessToken.userId; const canEditAlias = await models.ACL.checkAccessAcl(ctx, 'MailAliasAccount', 'canEditAlias', 'WRITE'); if (canEditAlias) return; const allowedRoles = await models.MailAliasAcl.find({ fields: ['roleFk'], where: {mailAliasFk} }); const nRoles = allowedRoles.length && await models.RoleMapping.count({ principalId: userId, principalType: 'USER', roleId: {inq: allowedRoles.map(x => x.roleFk)} }); if (!nRoles) throw new ForbiddenError('You are not allowed to modify the alias'); } };