45 lines
1.3 KiB
JavaScript
45 lines
1.3 KiB
JavaScript
module.exports = Self => {
|
|
Self.remoteMethod('isAuthorized', {
|
|
description: 'Return true if the current user is a superior of the worker that is passed by parameter',
|
|
accessType: 'READ',
|
|
accepts: [{
|
|
arg: 'ctx',
|
|
type: 'Object',
|
|
http: {source: 'context'}
|
|
}, {
|
|
arg: 'id',
|
|
type: 'number',
|
|
required: true,
|
|
description: 'The worker id',
|
|
http: {source: 'path'}
|
|
}],
|
|
returns: {
|
|
type: 'boolean',
|
|
root: true
|
|
},
|
|
http: {
|
|
path: `/:id/isAuthorized`,
|
|
verb: 'GET'
|
|
}
|
|
});
|
|
|
|
Self.isAuthorized = async(ctx, id, options) => {
|
|
const models = Self.app.models;
|
|
const currentUserId = ctx.req.accessToken.userId;
|
|
const isHimself = currentUserId == id;
|
|
|
|
const myOptions = {};
|
|
|
|
if (typeof options == 'object')
|
|
Object.assign(myOptions, options);
|
|
|
|
const isSubordinate = await models.Worker.isSubordinate(ctx, id, myOptions);
|
|
const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
|
|
|
|
if (!isSubordinate || (isSubordinate && isHimself && !isTeamBoss))
|
|
return false;
|
|
|
|
return true;
|
|
};
|
|
};
|