@opengis/admin 0.3.20 → 0.3.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/server/routes/widget/controllers/widget.del.js +20 -4
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@opengis/admin",
3
- "version": "0.3.20",
3
+ "version": "0.3.21",
4
4
  "description": "This project Softpro Admin",
5
5
  "main": "dist/admin.js",
6
6
  "type": "module",
package/server/routes/widget/controllers/widget.del.js CHANGED
@@ -1,3 +1,11 @@
1
+ import { isFileExists } from "@opengis/fastify-file/utils.js";
2
+
3
+ async function checkAccess(pg, objectid, id) {
4
+ const { uid, filepath } = await pg.query(`select uid, file_path as filepath from crm.files where entity_id=$1 and file_id=$2`, [objectid, id])
5
+ .then(el => el.rows?.[0] || {});
6
+ return { uid, exists: filepath ? await isFileExists(filepath) : null };
7
+ }
8
+
1
9
  /**
2
10
  * Дістає CRM дані для vue хешує ідентифікатори, підтягує селекти
3
11
  *
@@ -21,21 +29,29 @@ import { pgClients, logChanges } from "@opengis/fastify-table/utils.js";
21
29
 
22
30
  export default async function widgetDel({
23
31
  pg = pgClients.client, params = {}, session = {},
24
- }) {
32
+ }, reply) {
25
33
  const { user = {} } = session.passport || {};
26
34
  if (!user.uid) return { error: 'access restricted', status: 403 };
27
35
  const { type, objectid, id } = params;
28
36
 
29
37
  if (!objectid) return { error: 'id required', status: 400 };
30
38
 
39
+ // force delete db entry if file not exists
40
+ const { exists, uid } = ['file', 'gallery'].includes(type) ? await checkAccess(pg, objectid, id) : null;
41
+
42
+ if (exists && !user?.user_type?.includes?.('admin') && uid && user?.uid !== uid) {
43
+ return reply.status(403).send('access restricted: file exists, not an author');
44
+ }
45
+
31
46
  const sqls = {
32
47
  comment: 'delete from crm.communications where entity_id=$1 and uid=$2 and communication_id=$3',
33
48
  checklist: 'delete from crm.checklists where entity_id=$1 and uid=$2 and checklist_id=$3',
34
- file: 'update crm.files set file_status=3 where entity_id=$1 and uid=$2 and file_id=$3 returning uploaded_name',
35
- gallery: 'update crm.files set file_status=3 where entity_id=$1 and uid=$2 and file_id=$3 returning uploaded_name',
49
+ file: `update crm.files set file_status=3 where entity_id=$1 and ${!exists || user?.user_type?.includes?.('admin') ? '$2=$2' : 'uid=$2'} and file_id=$3 returning uploaded_name`,
50
+ gallery: `update crm.files set file_status=3 where entity_id=$1 and ${!exists || user?.user_type?.includes?.('admin') ? '$2=$2' : 'uid=$2'} and file_id=$3 returning uploaded_name`,
36
51
  };
37
52
  const sql = sqls[type];
38
- if (!sql) return { error: 'type not valid', status: 401 };
53
+ // console.log(sql);
54
+ if (!sql) return reply.status(400).send('type not valid');
39
55
 
40
56
  const { rows = [] } = await pg.query(sql, [objectid, user.uid, id]);
41
57
  const table = { comment: 'crm.communications', checklist: 'crm.checklists', file: 'crm.files', gallery: 'crm.files' }[type];