@stamhoofd/backend 2.65.2 → 2.66.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.65.2",
+    "version": "2.66.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.19.0",
         "@simonbackx/simple-endpoints": "1.15.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.65.2",
-        "@stamhoofd/backend-middleware": "2.65.2",
-        "@stamhoofd/email": "2.65.2",
-        "@stamhoofd/models": "2.65.2",
-        "@stamhoofd/queues": "2.65.2",
-        "@stamhoofd/sql": "2.65.2",
-        "@stamhoofd/structures": "2.65.2",
-        "@stamhoofd/utility": "2.65.2",
+        "@stamhoofd/backend-i18n": "2.66.0",
+        "@stamhoofd/backend-middleware": "2.66.0",
+        "@stamhoofd/email": "2.66.0",
+        "@stamhoofd/models": "2.66.0",
+        "@stamhoofd/queues": "2.66.0",
+        "@stamhoofd/sql": "2.66.0",
+        "@stamhoofd/structures": "2.66.0",
+        "@stamhoofd/utility": "2.66.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "2db24a133a1f990d69cafc26f0425f473bc42ae2"
+    "gitHead": "e4c406ad52c3f2018f5fbff17869a2003ec773c2"
 }

package/src/helpers/AdminPermissionChecker.ts

@@ -820,21 +820,26 @@ export class AdminPermissionChecker {
         const recordCategories: RecordCategory[] = [];
         for (const organization of organizations) {
             if (isUserManager) {
-                // If the user is a manager, we can always access all records
-                // if we ever add private records, we can exclude them here
                 for (const category of organization.meta.recordsConfiguration.recordCategories) {
-                    recordCategories.push(category);
+                    if (category.checkPermissionForUserManager(level)) {
+                        recordCategories.push(category);
+                    }
                 }
-                continue;
             }
 
             const permissions = await this.getOrganizationPermissions(organization);
+
             if (!permissions) {
                 continue;
             }
 
             // Now add all records of this organization
             for (const category of organization.meta.recordsConfiguration.recordCategories) {
+                if (isUserManager && recordCategories.find(c => c.id === category.id)) {
+                    // Already added
+                    continue;
+                }
+
                 if (permissions.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
                     recordCategories.push(category);
                 }
@@ -862,9 +867,14 @@ export class AdminPermissionChecker {
                     continue;
                 }
 
-                if (isUserManager || platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
+                if (platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
                     recordCategories.push(category);
                 }
+                else if (isUserManager) {
+                    if (category.checkPermissionForUserManager(level)) {
+                        recordCategories.push(category);
+                    }
+                }
             }
         }
 
@@ -1003,10 +1013,22 @@ export class AdminPermissionChecker {
     async getAccessibleRecordSet(member: MemberWithRegistrations, level: PermissionLevel = PermissionLevel.Read): Promise<Set<string>> {
         const categories = await this.getAccessibleRecordCategories(member, level);
         const set = new Set<string>();
+        const isUserManager = this.isUserManager(member);
 
-        for (const category of categories) {
-            for (const record of category.getAllRecords()) {
-                set.add(record.id);
+        if (isUserManager) {
+            for (const category of categories) {
+                for (const record of category.getAllRecords()) {
+                    if (record.checkPermissionForUserManager(level)) {
+                        set.add(record.id);
+                    }
+                }
+            }
+        }
+        else {
+            for (const category of categories) {
+                for (const record of category.getAllRecords()) {
+                    set.add(record.id);
+                }
             }
         }
 
@@ -1033,17 +1055,6 @@ export class AdminPermissionChecker {
      * Changes data inline
      */
     async filterMemberData(member: MemberWithRegistrations, data: MemberWithRegistrationsBlob): Promise<MemberWithRegistrationsBlob> {
-        const isUserManager = this.isUserManager(member);
-        if (isUserManager) {
-            // For the user manager, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
-            if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
-                data.details.securityCode = null;
-                data.details.notes = null;
-            }
-
-            return data;
-        }
-
         const records = await this.getAccessibleRecordSet(member, PermissionLevel.Read);
 
         const cloned = data.clone();
@@ -1054,6 +1065,17 @@ export class AdminPermissionChecker {
             }
         }
 
+        const isUserManager = this.isUserManager(member);
+        if (isUserManager) {
+            // For a user manager without an organization, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
+            if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
+                cloned.details.securityCode = null;
+                cloned.details.notes = null;
+            }
+
+            return cloned;
+        }
+
         // Has financial read access?
         if (!await this.hasFinancialMemberAccess(member, PermissionLevel.Read)) {
             cloned.details.requiresFinancialSupport = null;
@@ -1106,7 +1128,6 @@ export class AdminPermissionChecker {
         const hasRecordAnswers = !!data.details.recordAnswers;
         const hasNotes = data.details.notes !== undefined;
         const isSetFinancialSupportTrue = data.details.shouldApplyReducedPrice;
-        const isUserManager = this.isUserManager(member);
 
         if (data.details.securityCode !== undefined || data.details.trackingYear !== undefined) {
             const hasFullAccess = await this.canAccessMember(member, PermissionLevel.Full);
@@ -1136,7 +1157,7 @@ export class AdminPermissionChecker {
                 });
             }
 
-            const records = isUserManager ? new Set() : await this.getAccessibleRecordSet(member, PermissionLevel.Write);
+            const records = await this.getAccessibleRecordSet(member, PermissionLevel.Write);
 
             for (const [key, value] of data.details.recordAnswers.entries()) {
                 let name: string | undefined = undefined;
@@ -1162,7 +1183,7 @@ export class AdminPermissionChecker {
                     name = value.settings.name;
                 }
 
-                if (!isUserManager && !records.has(key)) {
+                if (!records.has(key)) {
                     throw new SimpleError({
                         code: 'permission_denied',
                         message: `Je hebt geen toegangsrechten om het antwoord op ${name ?? 'deze vraag'} aan te passen voor dit lid`,
@@ -1172,6 +1193,8 @@ export class AdminPermissionChecker {
             }
         }
 
+        const isUserManager = this.isUserManager(member);
+
         if (hasNotes && isUserManager && !(await this.canAccessMember(member, PermissionLevel.Full))) {
             throw new SimpleError({
                 code: 'permission_denied',