From 24327a99a3cd44616688b3f56d5c8abbe8458821 Mon Sep 17 00:00:00 2001 From: OxSaitama Date: Wed, 16 Aug 2023 11:09:48 +0200 Subject: [PATCH] add checks on user (office)role update --- src/app/api/admin/UsersController.ts | 31 +++++++++++++++++-- src/app/api/super-admin/UsersController.ts | 30 ++++++++++++++++-- .../admin/UsersService/UsersService.ts | 10 +++++- 3 files changed, 65 insertions(+), 6 deletions(-) diff --git a/src/app/api/admin/UsersController.ts b/src/app/api/admin/UsersController.ts index ee208504..1c7c3251 100644 --- a/src/app/api/admin/UsersController.ts +++ b/src/app/api/admin/UsersController.ts @@ -10,11 +10,13 @@ import ruleHandler from "@App/middlewares/RulesHandler"; import userHandler from "@App/middlewares/OfficeMembershipHandlers/UserHandler"; import { validateOrReject } from "class-validator"; import roleHandler from "@App/middlewares/RolesHandler"; +import RolesService from "@Services/admin/RolesService/RolesService"; +import OfficeRolesService from "@Services/admin/OfficeRolesService/OfficeRolesService"; @Controller() @Service() export default class UsersController extends ApiController { - constructor(private usersService: UsersService) { + constructor(private usersService: UsersService, private roleService: RolesService, private officeRoleService: OfficeRolesService) { super(); } @@ -75,7 +77,7 @@ export default class UsersController extends ApiController { return; } - const userFound = await this.usersService.getByUid(uid); + const userFound = await this.usersService.getByUidWithRole(uid); if (!userFound) { this.httpNotFoundRequest(response, "user not found"); 
@@ -87,7 +89,30 @@ export default class UsersController extends ApiController { //validate user await validateOrReject(userEntity, { groups: ["updateUser"] }); - + + if(userEntity.role) { + const role = await this.roleService.getByUid(userEntity.role.uid!); + if(!role) { + this.httpBadRequest(response, "Role not found"); + return; + } + if (role.name === "super-admin" || userFound.role.name === "super-admin" ) { + this.httpBadRequest(response, "Cannot assign or remove super-admin role"); + return; + } + } + + if(userEntity.office_role) { + const officeRole = await this.officeRoleService.getByUid(userEntity.office_role.uid!); + if(!officeRole) { + this.httpBadRequest(response, "Office role not found"); + return; + } + if (officeRole.office_uid != userFound.office_uid) { + this.httpBadRequest(response, "Cannot assign an office role from another office"); + return; + } + } //call service to get prisma entity const userEntityUpdated = await this.usersService.update(uid, userEntity); diff --git a/src/app/api/super-admin/UsersController.ts b/src/app/api/super-admin/UsersController.ts index f6e28794..618c4728 100644 --- a/src/app/api/super-admin/UsersController.ts +++ b/src/app/api/super-admin/UsersController.ts @@ -8,11 +8,13 @@ import User from "le-coffre-resources/dist/SuperAdmin"; import authHandler from "@App/middlewares/AuthHandler"; import ruleHandler from "@App/middlewares/RulesHandler"; import roleHandler from "@App/middlewares/RolesHandler"; +import RolesService from "@Services/super-admin/RolesService/RolesService"; +import OfficeRolesService from "@Services/super-admin/OfficeRolesService/OfficeRolesService"; @Controller() @Service() export default class UsersController extends ApiController { - constructor(private usersService: UsersService) { + constructor(private usersService: UsersService, private roleService: RolesService, private officeRoleService: OfficeRolesService) { super(); } 
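Review bot: `userFound.role.name === "super-admin"` in the new role branch dereferences `role` without a guard, so a target user whose role relation is null (if the schema allows it — `findOneByUidWithRole` is not visible here) turns into an unhandled TypeError and a 500 instead of the intended 400; write it as `userFound.role?.name === "super-admin"`. The `userEntity.role.uid!` and `userEntity.office_role.uid!` assertions also silence the compiler on client-controlled input: a payload of `role: {}` reaches `getByUid(undefined)` and the outcome then depends on the repository rather than on a check you control, so reject a missing uid before querying. `officeRole.office_uid != userFound.office_uid` should be `!==` to match the strict comparisons in the same block. Note that the office check compares against the target's office, not the caller's; that is only safe if the `userHandler` middleware already restricts which `uid` an admin may address, which this hunk does not show. The enclosing handler starts and ends outside the hunk.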
@@ -97,7 +99,7 @@ export default class UsersController extends ApiController { return; } - const userFound = await this.usersService.getByUid(uid, {role: true, votes: true}); + const userFound = await this.usersService.getByUidWithRole(uid); if (!userFound) { this.httpNotFoundRequest(response, "user not found"); @@ -109,6 +111,30 @@ export default class UsersController extends ApiController { //validate user await validateOrReject(userEntity, { groups: ["updateUser"] }); + + if(userEntity.role) { + const role = await this.roleService.getByUid(userEntity.role.uid!); + if(!role) { + this.httpBadRequest(response, "Role not found"); + return; + } + if (role.name === "super-admin" || userFound.role.name === "super-admin" ) { + this.httpBadRequest(response, "Cannot assign or remove super-admin role"); + return; + } + } + + if(userEntity.office_role) { + const officeRole = await this.officeRoleService.getByUid(userEntity.office_role.uid!); + if(!officeRole) { + this.httpBadRequest(response, "Office role not found"); + return; + } + if (officeRole.office_uid != userFound.office_uid) { + this.httpBadRequest(response, "Cannot assign an office role from another office"); + return; + } + } //call service to get prisma entity const userEntityUpdated = await this.usersService.update(uid, userEntity); diff --git a/src/services/admin/UsersService/UsersService.ts b/src/services/admin/UsersService/UsersService.ts index f23c09d7..6167352e 100644 --- a/src/services/admin/UsersService/UsersService.ts +++ b/src/services/admin/UsersService/UsersService.ts @@ -31,7 +31,7 @@ export default class UsersService extends BaseService { * @description : Modify a user * @throws {Error} If user modification failed */ - public update(uid: string, userEntity: User): Promise { + public async update(uid: string, userEntity: User): Promise { return this.userRepository.updateRole(uid, userEntity); } 
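Review bot: The replaced call dropped `votes: true` from the include, so `userFound.votes` is now undefined unless `findOneByUidWithRole` also loads votes, which cannot be seen from this hunk; if anything later in the handler reads `userFound.votes` (the handler continues outside the hunk), that is a silent behaviour change. Either confirm no downstream use or keep the explicit include, e.g. `const userFound = await this.usersService.getByUid(uid, { role: true, votes: true });`.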
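Review bot: The role/office-role guard added in `@@ -109,6 +111,30 @@` is a byte-for-byte copy of the admin controller's, while `UsersService.update` still forwards straight to `updateRole`, so any other caller of the service bypasses the check; enforce the invariant once in the service (or a shared guard called from both controllers) and keep the controllers as thin adapters. Because the same condition is applied to the super-admin route, no API path can grant `super-admin` to anyone any more — if that is the intent, say so in a comment such as `// super-admin is provisioned out-of-band; the API never grants or revokes it`, otherwise this branch should only block demoting an existing super-admin. As in the admin controller, `userFound.role.name` should be `userFound.role?.name`. The enclosing handler starts and ends outside the hunk.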
@@ -51,6 +51,14 @@ export default class UsersService extends BaseService {
 return this.userRepository.findOneByUidWithOffice(uid);
 }
 
+ /**
+ * @description : Get a user by uid with office
+ * @throws {Error} If user cannot be get by uid
+ */
+ public getByUidWithRole(uid: string) {
+ return this.userRepository.findOneByUidWithRole(uid);
+ }
+
 /**
 * @description : Get a user by uid
 * @throws {Error} If user cannot be get by uid
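Review bot: The docstring on the new `getByUidWithRole` was copied from `getByUidWithOffice` and still says "Get a user by uid with office", which is wrong for a method that loads the role; change it to `* @description : Get a user by uid with its role relation loaded`. The method also has no declared return type, unlike a public service method should, so callers (the two controllers that now read `userFound.role.name`) get whatever the repository infers; annotate it explicitly once the repository's return type is known.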