Skip to content
This repository has been archived by the owner on Sep 12, 2023. It is now read-only.

Commit

Permalink
intrn(employee schedule): ensure ownership is checked to update
Browse files Browse the repository at this point in the history
  • Loading branch information
@KennethTrecy
KennethTrecy committed Sep 11, 2022
1 parent e0f356b commit 0cbe18b
Showing 1 changed file with 29 additions and 5 deletions.
34 changes: 29 additions & 5 deletions routes/api/employee_schedule/update(id).patch.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,30 @@ import type { EmployeeScheduleDocument } from "$/types/documents/employee_schedu
import { DayValues } from "$/types/database"

import Log from "$!/singletons/log"
import Policy from "!/bases/policy"
import UserManager from "%/managers/user"
import NoContentResponseInfo from "!/response_infos/no_content"
import EmployeeScheduleManager from "%/managers/employee_schedule"
import convertTimeToMinutes from "$/object/convert_time_to_minutes"
import DoubleBoundJSONController from "!/controllers/double_bound_json"

import Policy from "!/bases/policy"
import PermissionBasedPolicy from "!/policies/permission-based"
import CommonMiddlewareList from "!/middlewares/common_middleware_list"
import convertTimeToMinutes from "$/object/convert_time_to_minutes"
import BelongsToCurrentUserPolicy from "!/policies/belongs_to_current_user"
import { user as permissionGroup } from "$/permissions/permission_list"
import {
UPDATE_OWN_DATA,
UPDATE_ANYONE_ON_OWN_DEPARTMENT,
UPDATE_ANYONE_ON_ALL_DEPARTMENTS
} from "$/permissions/user_combinations"

import string from "!/validators/base/string"
import integer from "!/validators/base/integer"
import exists from "!/validators/manager/exists"
import required from "!/validators/base/required"
import range from "!/validators/comparison/range"
import oneOf from "!/validators/comparison/one-of"
import Merger from "!/middlewares/miscellaneous/merger"
import makeRelationshipRules from "!/rule_sets/make_relationships"
import makeResourceDocumentRules from "!/rule_sets/make_resource_document"
import uniqueEmployeeSchedule from "!/validators/date/unique_employee_schedule"
Expand All @@ -28,8 +38,23 @@ export default class extends DoubleBoundJSONController {
get filePath(): string { return __filename }

get policy(): Policy {
// TODO: Combine with permission-based policy
return CommonMiddlewareList.reachableEmployeeOnlyPolicy
return new Merger([
CommonMiddlewareList.reachableEmployeeOnlyPolicy,
new PermissionBasedPolicy(permissionGroup, [
UPDATE_OWN_DATA,
UPDATE_ANYONE_ON_OWN_DEPARTMENT,
UPDATE_ANYONE_ON_ALL_DEPARTMENTS
]),
new BelongsToCurrentUserPolicy(this.manager, {
"bypassNecessarilyWith": {
"combinations": [
UPDATE_ANYONE_ON_OWN_DEPARTMENT,
UPDATE_ANYONE_ON_ALL_DEPARTMENTS
],
"group": permissionGroup
}
})
]) as unknown as Policy
}

makeBodyRuleGenerator(unusedRequest: AuthenticatedIDRequest): FieldRules {
Expand Down Expand Up @@ -91,7 +116,6 @@ export default class extends DoubleBoundJSONController {

get manager(): BaseManagerClass { return UserManager }

// TODO: Limit the updating to current user unless there is enough permission to update user info
async handle(request: AuthenticatedIDRequest, unusedResponse: Response)
: Promise<NoContentResponseInfo> {
const manager = new EmployeeScheduleManager(request.transaction, request.cache)
Expand Down

0 comments on commit 0cbe18b

Please sign in to comment.