npm - @stamhoofd/backend - Versions diffs - 2.65.1 → 2.66.0 - Mend

@stamhoofd/backend 2.65.1 → 2.66.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +10 -10
package/src/crons/balance-emails.ts +0 -1
package/src/helpers/AdminPermissionChecker.ts +45 -22

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.65.1",
+    "version": "2.66.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.19.0",
         "@simonbackx/simple-endpoints": "1.15.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.65.1",
-        "@stamhoofd/backend-middleware": "2.65.1",
-        "@stamhoofd/email": "2.65.1",
-        "@stamhoofd/models": "2.65.1",
-        "@stamhoofd/queues": "2.65.1",
-        "@stamhoofd/sql": "2.65.1",
-        "@stamhoofd/structures": "2.65.1",
-        "@stamhoofd/utility": "2.65.1",
+        "@stamhoofd/backend-i18n": "2.66.0",
+        "@stamhoofd/backend-middleware": "2.66.0",
+        "@stamhoofd/email": "2.66.0",
+        "@stamhoofd/models": "2.66.0",
+        "@stamhoofd/queues": "2.66.0",
+        "@stamhoofd/sql": "2.66.0",
+        "@stamhoofd/structures": "2.66.0",
+        "@stamhoofd/utility": "2.66.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "7817159827eba1f565f35785d1700333ab613aef"
+    "gitHead": "e4c406ad52c3f2018f5fbff17869a2003ec773c2"
 }

package/src/crons/balance-emails.ts CHANGED Viewed

@@ -37,7 +37,6 @@ async function balanceEmails() {
     const platform = await Platform.getSharedPrivateStruct();
     if (!platform.config.featureFlags.includes('balance-emails')) {
-        console.log('Feature flag not enabled, skipping.');
         return;
     }
     const systemUser = await User.getSystem();

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -820,21 +820,26 @@ export class AdminPermissionChecker {
         const recordCategories: RecordCategory[] = [];
         for (const organization of organizations) {
             if (isUserManager) {
-                // If the user is a manager, we can always access all records
-                // if we ever add private records, we can exclude them here
                 for (const category of organization.meta.recordsConfiguration.recordCategories) {
-                    recordCategories.push(category);
+                    if (category.checkPermissionForUserManager(level)) {
+                        recordCategories.push(category);
+                    }
                 }
-                continue;
             }
             const permissions = await this.getOrganizationPermissions(organization);
             if (!permissions) {
                 continue;
             }
             // Now add all records of this organization
             for (const category of organization.meta.recordsConfiguration.recordCategories) {
+                if (isUserManager && recordCategories.find(c => c.id === category.id)) {
+                    // Already added
+                    continue;
+                }
                 if (permissions.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
                     recordCategories.push(category);
                 }
@@ -862,9 +867,14 @@ export class AdminPermissionChecker {
                     continue;
                 }
-                if (isUserManager || platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
+                if (platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
                     recordCategories.push(category);
                 }
+                else if (isUserManager) {
+                    if (category.checkPermissionForUserManager(level)) {
+                        recordCategories.push(category);
+                    }
+                }
             }
         }
@@ -1003,10 +1013,22 @@ export class AdminPermissionChecker {
     async getAccessibleRecordSet(member: MemberWithRegistrations, level: PermissionLevel = PermissionLevel.Read): Promise<Set<string>> {
         const categories = await this.getAccessibleRecordCategories(member, level);
         const set = new Set<string>();
+        const isUserManager = this.isUserManager(member);
-        for (const category of categories) {
-            for (const record of category.getAllRecords()) {
-                set.add(record.id);
+        if (isUserManager) {
+            for (const category of categories) {
+                for (const record of category.getAllRecords()) {
+                    if (record.checkPermissionForUserManager(level)) {
+                        set.add(record.id);
+                    }
+                }
+            }
+        }
+        else {
+            for (const category of categories) {
+                for (const record of category.getAllRecords()) {
+                    set.add(record.id);
+                }
             }
         }
@@ -1033,17 +1055,6 @@ export class AdminPermissionChecker {
      * Changes data inline
      */
     async filterMemberData(member: MemberWithRegistrations, data: MemberWithRegistrationsBlob): Promise<MemberWithRegistrationsBlob> {
-        const isUserManager = this.isUserManager(member);
-        if (isUserManager) {
-            // For the user manager, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
-            if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
-                data.details.securityCode = null;
-                data.details.notes = null;
-            }
-            return data;
-        }
         const records = await this.getAccessibleRecordSet(member, PermissionLevel.Read);
         const cloned = data.clone();
@@ -1054,6 +1065,17 @@ export class AdminPermissionChecker {
             }
         }
+        const isUserManager = this.isUserManager(member);
+        if (isUserManager) {
+            // For a user manager without an organization, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
+            if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
+                cloned.details.securityCode = null;
+                cloned.details.notes = null;
+            }
+            return cloned;
+        }
         // Has financial read access?
         if (!await this.hasFinancialMemberAccess(member, PermissionLevel.Read)) {
             cloned.details.requiresFinancialSupport = null;
@@ -1106,7 +1128,6 @@ export class AdminPermissionChecker {
         const hasRecordAnswers = !!data.details.recordAnswers;
         const hasNotes = data.details.notes !== undefined;
         const isSetFinancialSupportTrue = data.details.shouldApplyReducedPrice;
-        const isUserManager = this.isUserManager(member);
         if (data.details.securityCode !== undefined || data.details.trackingYear !== undefined) {
             const hasFullAccess = await this.canAccessMember(member, PermissionLevel.Full);
@@ -1136,7 +1157,7 @@ export class AdminPermissionChecker {
                 });
             }
-            const records = isUserManager ? new Set() : await this.getAccessibleRecordSet(member, PermissionLevel.Write);
+            const records = await this.getAccessibleRecordSet(member, PermissionLevel.Write);
             for (const [key, value] of data.details.recordAnswers.entries()) {
                 let name: string | undefined = undefined;
@@ -1162,7 +1183,7 @@ export class AdminPermissionChecker {
                     name = value.settings.name;
                 }
-                if (!isUserManager && !records.has(key)) {
+                if (!records.has(key)) {
                     throw new SimpleError({
                         code: 'permission_denied',
                         message: `Je hebt geen toegangsrechten om het antwoord op ${name ?? 'deze vraag'} aan te passen voor dit lid`,
@@ -1172,6 +1193,8 @@ export class AdminPermissionChecker {
             }
         }
+        const isUserManager = this.isUserManager(member);
         if (hasNotes && isUserManager && !(await this.canAccessMember(member, PermissionLevel.Full))) {
             throw new SimpleError({
                 code: 'permission_denied',