npm - @stamhoofd/backend - Versions diffs - 2.83.0 → 2.83.2 - Mend

@stamhoofd/backend 2.83.0 → 2.83.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/src/endpoints/organization/dashboard/organization/PatchOrganizationEndpoint.ts CHANGED Viewed

@@ -1,17 +1,17 @@
-import { AutoEncoderPatchType, cloneObject, Decoder, isPatchableArray, ObjectData, PatchableArrayAutoEncoder, patchObject } from '@simonbackx/simple-encoding';
+import { AutoEncoderPatchType, cloneObject, Decoder, isPatchableArray, isPatchMap, ObjectData, PatchableArray, PatchableArrayAutoEncoder, PatchMap, patchObject } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError, SimpleErrors } from '@simonbackx/simple-errors';
 import { Organization, OrganizationRegistrationPeriod, PayconiqPayment, Platform, RegistrationPeriod, StripeAccount, Webshop } from '@stamhoofd/models';
-import { BuckarooSettings, Company, OrganizationMetaData, OrganizationPatch, Organization as OrganizationStruct, PayconiqAccount, PaymentMethod, PaymentMethodHelper, PermissionLevel, PlatformConfig } from '@stamhoofd/structures';
+import { BuckarooSettings, Company, MemberResponsibility, OrganizationMetaData, OrganizationPatch, Organization as OrganizationStruct, PayconiqAccount, PaymentMethod, PaymentMethodHelper, PermissionLevel, PermissionRoleDetailed, PermissionRoleForResponsibility, PermissionsResourceType, ResourcePermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { AuthenticatedStructures } from '../../../../helpers/AuthenticatedStructures';
 import { BuckarooHelper } from '../../../../helpers/BuckarooHelper';
 import { Context } from '../../../../helpers/Context';
+import { MemberUserSyncer } from '../../../../helpers/MemberUserSyncer';
 import { SetupStepUpdater } from '../../../../helpers/SetupStepUpdater';
 import { TagHelper } from '../../../../helpers/TagHelper';
 import { ViesHelper } from '../../../../helpers/ViesHelper';
-import { MemberUserSyncer } from '../../../../helpers/MemberUserSyncer';
 type Params = Record<string, never>;
 type Query = undefined;
@@ -376,6 +376,130 @@ export class PatchOrganizationEndpoint extends Endpoint<Params, Query, Body, Res
                     statusCode: 403,
                 });
             }
+            // Give users without full access permission to alter responsibilities in order to give other users permissions to resources they also have full permissions to
+            if (request.body.privateMeta && request.body.privateMeta.isPatch()) {
+                if (request.body.privateMeta.inheritedResponsibilityRoles) {
+                    const patchableArray: PatchableArrayAutoEncoder<PermissionRoleForResponsibility> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.inheritedResponsibilityRoles.getPatches()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = patch.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>());
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit inherited responsibility roles',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(PermissionRoleForResponsibility.patch({
+                            id: patch.id,
+                            resources: patch.resources,
+                        }));
+                    }
+                    for (const { put, afterId } of request.body.privateMeta.inheritedResponsibilityRoles.getPuts()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = put.resources;
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to add inherited responsibility roles',
+                                statusCode: 403,
+                            });
+                        }
+                        const limitedPut = PermissionRoleForResponsibility.create({
+                            id: put.id,
+                            name: put.name,
+                            responsibilityId: put.responsibilityId,
+                            responsibilityGroupId: put.responsibilityGroupId,
+                            resources: put.resources,
+                        });
+                        patchableArray.addPut(limitedPut, afterId);
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        inheritedResponsibilityRoles: patchableArray,
+                    });
+                }
+                if (request.body.privateMeta.responsibilities) {
+                    const patchableArray: PatchableArrayAutoEncoder<MemberResponsibility> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.responsibilities.getPatches()) {
+                        if (!patch.permissions) {
+                            continue;
+                        };
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = isPatchMap(patch.permissions.resources) ? patch.permissions.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>()) : patch.permissions.resources;
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit responsibilities',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(MemberResponsibility.patch({
+                            id: patch.id,
+                            permissions: PermissionRoleForResponsibility.patch({
+                                resources: isPatchMap(patch.permissions.resources) ? patch.permissions.resources : new PatchMap(patch.permissions.resources),
+                            }),
+                        }));
+                    }
+                    if (request.body.privateMeta.responsibilities.getPuts().length > 0) {
+                        throw new SimpleError({
+                            code: 'permission_denied',
+                            message: 'You do not have permissions to add responsibilities',
+                            statusCode: 403,
+                        });
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        responsibilities: patchableArray,
+                    });
+                }
+                if (request.body.privateMeta.roles) {
+                    const patchableArray: PatchableArrayAutoEncoder<PermissionRoleDetailed> = new PatchableArray();
+                    for (const patch of request.body.privateMeta.roles.getPatches()) {
+                        const resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>> = patch.resources.applyTo(new Map<PermissionsResourceType, Map<string, ResourcePermissions>>());
+                        if (!await Context.auth.hasFullAccessForOrganizationResources(request.body.id, resources)) {
+                            throw new SimpleError({
+                                code: 'permission_denied',
+                                message: 'You do not have permissions to edit roles',
+                                statusCode: 403,
+                            });
+                        }
+                        patchableArray.addPatch(PermissionRoleDetailed.patch({
+                            id: patch.id,
+                            resources: patch.resources,
+                        }));
+                    }
+                    if (request.body.privateMeta.roles.getPuts().length > 0) {
+                        throw new SimpleError({
+                            code: 'permission_denied',
+                            message: 'You do not have permissions to add roles',
+                            statusCode: 403,
+                        });
+                    }
+                    organization.privateMeta = organization.privateMeta.patch({
+                        roles: patchableArray,
+                    });
+                }
+                await organization.save();
+            }
         }
         // Only needed for permissions atm, so no put or delete here

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { AutoEncoderPatchType, PatchMap } from '@simonbackx/simple-encoding';
 import { isSimpleError, isSimpleErrors, SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, CachedBalance, Document, EmailTemplate, Event, EventNotification, Group, Member, MemberPlatformMembership, MemberWithRegistrations, Order, Organization, OrganizationRegistrationPeriod, Payment, Registration, User, Webshop } from '@stamhoofd/models';
-import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordSettings } from '@stamhoofd/structures';
+import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordSettings, ResourcePermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { MemberRecordStore } from '../services/MemberRecordStore';
 import { addTemporaryMemberAccess, hasTemporaryMemberAccess } from './TemporaryMemberAccess';
@@ -373,6 +373,27 @@ export class AdminPermissionChecker {
         return false;
     }
+    /**
+        Returns true if the user has full access to all resource ids in the provided resources map. The resource permissions in the map are ignored for now.
+    */
+    async hasFullAccessForOrganizationResources(organizationId: string, resources: Map<PermissionsResourceType, Map<string, ResourcePermissions>>): Promise<boolean> {
+        const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+        if (!organizationPermissions) {
+            return false;
+        }
+        for (const [resourceType, mapForType] of resources.entries()) {
+            for (const resourceId of mapForType.keys()) {
+                if (!organizationPermissions.hasResourceAccess(resourceType, resourceId, PermissionLevel.Full)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
     async canAccessWebshop(webshop: { id: string; organizationId: string }, permissionLevel: PermissionLevel = PermissionLevel.Read) {
         const organizationPermissions = await this.getOrganizationPermissions(webshop.organizationId);

package/src/services/PlatformMembershipService.ts CHANGED Viewed

@@ -214,7 +214,6 @@ export class PlatformMembershipService {
                         membershipTypeId: { sign: 'IN', value: types },
                         deletedAt: null,
                     });
-                    const activeMembershipsUndeletable = activeMemberships.filter(m => !m.canDelete() || !m.generated);
                     if (defaultMemberships.length === 0) {
                         // Stop all active memberships that were added automatically
@@ -233,23 +232,6 @@ export class PlatformMembershipService {
                         continue;
                     }
-                    if (activeMembershipsUndeletable.length) {
-                        // Skip automatic additions
-                        for (const m of activeMembershipsUndeletable) {
-                            try {
-                                await m.calculatePrice(me);
-                            }
-                            catch (e) {
-                                // Ignore error: membership might not be available anymore
-                                if (!silent) {
-                                    console.error('Failed to calculate price for undeletable membership', m.id, e);
-                                }
-                            }
-                            await m.save();
-                        }
-                        continue;
-                    }
                     // Add the cheapest available membership
                     const organizations = await Organization.getByIDs(...Formatter.uniqueArray(defaultMemberships.map(m => m.registration.organizationId)));
@@ -286,28 +268,58 @@ export class PlatformMembershipService {
                     })[0];
                     if (!cheapestMembership) {
+                        // Technically not possible, but for type checking
                         console.error('No membership found');
                         continue;
                     }
                     // Check if already have the same membership
                     // if that is the case, we'll keep that one and update the price + dates if the organization matches the cheapest/earliest membership
-                    let didFind = false;
+                    let didFind: MemberPlatformMembership | null = null;
                     for (const m of activeMemberships) {
                         if (m.membershipTypeId === cheapestMembership.membership.id && m.organizationId === cheapestMembership.registration.organizationId) {
-                            // Update the price of this active membership (could have changed)
-                            try {
-                                await m.calculatePrice(me, cheapestMembership.registration);
+                            if (!m.locked) {
+                                // Update the price and dates of this active membership (could have changed)
+                                try {
+                                    await m.calculatePrice(me, cheapestMembership.registration);
+                                }
+                                catch (e) {
+                                    // Ignore error: membership might not be available anymore
+                                    if (!silent) {
+                                        console.error('Failed to calculate price for active membership', m.id, e);
+                                    }
+                                }
+                                await m.save();
                             }
-                            catch (e) {
-                                // Ignore error: membership might not be available anymore
+                            didFind = m;
+                            break;
+                        }
+                    }
+                    // Delete all other generated memberships that are not the cheapest one
+                    for (const m of activeMemberships) {
+                        if (m.id !== didFind?.id) {
+                            if (!m.locked && (m.generated || m.membershipTypeId === cheapestMembership.membership.id)) {
                                 if (!silent) {
-                                    console.error('Failed to calculate price for active membership', m.id, e);
+                                    console.log('Removing membership because cheaper membership found or duplicate, for: ' + me.id + ' - membership ' + m.id);
+                                }
+                                await m.doDelete();
+                            }
+                            else {
+                                // Update price
+                                if (!m.locked) {
+                                    try {
+                                        await m.calculatePrice(me);
+                                    }
+                                    catch (e) {
+                                    // Ignore error: membership might not be available anymore
+                                        if (!silent) {
+                                            console.error('Failed to calculate price for undeletable membership', m.id, e);
+                                        }
+                                    }
+                                    await m.save();
                                 }
                             }
-                            await m.save();
-                            didFind = true;
-                            break;
                         }
                     }
@@ -315,6 +327,8 @@ export class PlatformMembershipService {
                         continue;
                     }
+                    // Otherwise make sure we create a new membership
                     const periodConfig = cheapestMembership.membership.periods.get(period.id);
                     if (!periodConfig) {
                         console.error('Missing membership prices for membership type ' + cheapestMembership.membership.id + ' and period ' + period.id);
@@ -351,16 +365,6 @@ export class PlatformMembershipService {
                     await membership.calculatePrice(me, cheapestMembership.registration);
                     await membership.save();
-                    // This reasoning allows us to replace an existing membership with a cheaper one (not date based ones, but type based ones)
-                    for (const toDelete of activeMemberships) {
-                        if (toDelete.canDelete() && toDelete.generated) {
-                            if (!silent) {
-                                console.log('Removing membership because cheaper membership found for: ' + me.id + ' - membership ' + toDelete.id);
-                            }
-                            await toDelete.doDelete();
-                        }
-                    }
                 }
             });
         });