npm - @stamhoofd/backend - Versions diffs - 2.83.0 → 2.83.1 - Mend

@stamhoofd/backend 2.83.0 → 2.83.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/src/endpoints/organization/dashboard/organization/PatchOrganizationEndpoint.ts CHANGED Viewed

@@ -1,17 +1,17 @@
-import { AutoEncoderPatchType, cloneObject, Decoder, isPatchableArray, ObjectData, PatchableArrayAutoEncoder, patchObject } from '@simonbackx/simple-encoding';
+import { AutoEncoderPatchType, cloneObject, Decoder, isPatchableArray, isPatchMap, ObjectData, PatchableArray, PatchableArrayAutoEncoder, PatchMap, patchObject } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError, SimpleErrors } from '@simonbackx/simple-errors';
 import { Organization, OrganizationRegistrationPeriod, PayconiqPayment, Platform, RegistrationPeriod, StripeAccount, Webshop } from '@stamhoofd/models';
-import { BuckarooSettings, Company, OrganizationMetaData, OrganizationPatch, Organization as OrganizationStruct, PayconiqAccount, PaymentMethod, PaymentMethodHelper, PermissionLevel, PlatformConfig } from '@stamhoofd/structures';
+import { BuckarooSettings, Company, MemberResponsibility, OrganizationMetaData, OrganizationPatch, Organization as OrganizationStruct, PayconiqAccount, PaymentMethod, PaymentMethodHelper, PermissionLevel, PermissionRoleDetailed, PermissionRoleForResponsibility, PermissionsResourceType, ResourcePermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { AuthenticatedStructures } from '../../../../helpers/AuthenticatedStructures';
 import { BuckarooHelper } from '../../../../helpers/BuckarooHelper';
 import { Context } from '../../../../helpers/Context';
+import { MemberUserSyncer } from '../../../../helpers/MemberUserSyncer';
 import { SetupStepUpdater } from '../../../../helpers/SetupStepUpdater';
 import { TagHelper } from '../../../../helpers/TagHelper';
 import { ViesHelper } from '../../../../helpers/ViesHelper';
-import { MemberUserSyncer } from '../../../../helpers/MemberUserSyncer';
 type Params = Record<string, never>;
 type Query = undefined;
@@ -376,6 +376,130 @@ export class PatchOrganizationEndpoint extends Endpoint<Params, Query, Body, Res
                     statusCode: 403,
                 });
             }
+            // Give users without full access permission to alter responsibilities in order to give other users permissions to resources they also have full permissions to
+            if (request.body.privateMeta && request.body.privateMeta.isPatch()) {
+                if (request.body.privateMeta.inheritedResponsibilityRoles) {
+                    const patchableArray: PatchableArrayAutoEncoder<PermissionRoleForResponsibility> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.inheritedResponsibilityRoles.getPatches()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = patch.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>());
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit inherited responsibility roles',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(PermissionRoleForResponsibility.patch({
+                            id: patch.id,
+                            resources: patch.resources,
+                        }));
+                    }
+                    for (const { put, afterId } of request.body.privateMeta.inheritedResponsibilityRoles.getPuts()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = put.resources;
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to add inherited responsibility roles',
+                                statusCode: 403,
+                            });
+                        }
+                        const limitedPut = PermissionRoleForResponsibility.create({
+                            id: put.id,
+                            name: put.name,
+                            responsibilityId: put.responsibilityId,
+                            responsibilityGroupId: put.responsibilityGroupId,
+                            resources: put.resources,
+                        });
+                        patchableArray.addPut(limitedPut, afterId);
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        inheritedResponsibilityRoles: patchableArray,
+                    });
+                }
+                if (request.body.privateMeta.responsibilities) {
+                    const patchableArray: PatchableArrayAutoEncoder<MemberResponsibility> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.responsibilities.getPatches()) {
+                        if (!patch.permissions) {
+                            continue;
+                        };
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = isPatchMap(patch.permissions.resources) ? patch.permissions.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>()) : patch.permissions.resources;
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit responsibilities',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(MemberResponsibility.patch({
+                            id: patch.id,
+                            permissions: PermissionRoleForResponsibility.patch({
+                                resources: isPatchMap(patch.permissions.resources) ? patch.permissions.resources : new PatchMap(patch.permissions.resources),
+                            }),
+                        }));
+                    }
+                    if (request.body.privateMeta.responsibilities.getPuts().length > 0) {
+                        throw new SimpleError({
+                            code: 'permission_denied',
+                            message: 'You do not have permissions to add responsibilities',
+                            statusCode: 403,
+                        });
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        responsibilities: patchableArray,
+                    });
+                }
+                if (request.body.privateMeta.roles) {
+                    const patchableArray: PatchableArrayAutoEncoder<PermissionRoleDetailed> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.roles.getPatches()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = patch.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>());
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit roles',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(PermissionRoleDetailed.patch({
+                            id: patch.id,
+                            resources: patch.resources,
+                        }));
+                    }
+                    if (request.body.privateMeta.roles.getPuts().length > 0) {
+                        throw new SimpleError({
+                            code: 'permission_denied',
+                            message: 'You do not have permissions to add roles',
+                            statusCode: 403,
+                        });
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        roles: patchableArray,
+                    });
+                }
+                await organization.save();
+            }
         }
         // Only needed for permissions atm, so no put or delete here

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { AutoEncoderPatchType, PatchMap } from '@simonbackx/simple-encoding';
 import { isSimpleError, isSimpleErrors, SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, CachedBalance, Document, EmailTemplate, Event, EventNotification, Group, Member, MemberPlatformMembership, MemberWithRegistrations, Order, Organization, OrganizationRegistrationPeriod, Payment, Registration, User, Webshop } from '@stamhoofd/models';
-import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordSettings } from '@stamhoofd/structures';
+import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordSettings, ResourcePermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { MemberRecordStore } from '../services/MemberRecordStore';
 import { addTemporaryMemberAccess, hasTemporaryMemberAccess } from './TemporaryMemberAccess';
@@ -373,6 +373,27 @@ export class AdminPermissionChecker {
         return false;
     }
+    /**
+        Returns true if the user has full access to all resource ids in the provided resources map. The resource permissions in the map are ignored for now.
+    */
+    async hasFullAccessForOrganizationResources(organizationId: string, resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>>): Promise<boolean> {
+        const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+        if (!organizationPermissions) {
+            return false;
+        }
+        for (const [resourceType, mapForType] of resources.entries()) {
+            for (const resourceId of mapForType.keys()) {
+                if (!organizationPermissions.hasResourceAccess(resourceType, resourceId, PermissionLevel.Full)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
     async canAccessWebshop(webshop: { id: string; organizationId: string }, permissionLevel: PermissionLevel = PermissionLevel.Read) {
         const organizationPermissions = await this.getOrganizationPermissions(webshop.organizationId);