const UserError = require('vn-loopback/util/user-error'); module.exports = Self => { Self.remoteMethodCtx('updateTimeEntry', { description: 'Updates a time entry for a worker if the user role is above the worker', accessType: 'READ', accepts: [{ arg: 'id', type: 'number', required: true, description: 'The time entry id', http: {source: 'path'} }, { arg: 'direction', type: 'string', required: true }], returns: { type: 'boolean', root: true }, http: { path: `/:id/updateTimeEntry`, verb: 'POST' } }); Self.updateTimeEntry = async(ctx, id, options) => { const currentUserId = ctx.req.accessToken.userId; const models = Self.app.models; const args = ctx.args; let myOptions = {}; if (typeof options == 'object') Object.assign(myOptions, options); const targetTimeEntry = await Self.findById(id, null, myOptions); const isSubordinate = await models.Worker.isSubordinate(ctx, targetTimeEntry.userFk, myOptions); const isTeamBoss = await models.Account.hasRole(currentUserId, 'teamBoss', myOptions); const isHimself = currentUserId == targetTimeEntry.userFk; const notAllowed = isSubordinate === false || (isSubordinate && isHimself && !isTeamBoss); if (notAllowed) throw new UserError(`You don't have enough privileges`); return targetTimeEntry.updateAttributes({ direction: args.direction }, myOptions); }; };