@stamhoofd/backend 2.89.1 → 2.90.0

package/src/helpers/AdminPermissionChecker.ts

@@ -152,10 +152,7 @@ export class AdminPermissionChecker {
         if (organizationId) {
             // If request is scoped to a different organization
             if (this.organization && organizationId !== this.organization.id) {
-                if (STAMHOOFD.userMode === 'organization') {
-                    return false;
-                }
-                // Otherwise allow for convenience
+                return false;
             }
 
             // If user is limited to scope
@@ -320,6 +317,10 @@ export class AdminPermissionChecker {
             return true;
         }
 
+        if (!this.checkScope(member.organizationId)) {
+            return false;
+        }
+
         if (member.organizationId && await this.hasFullAccess(member.organizationId, permissionLevel)) {
             return true;
         }
@@ -353,14 +354,12 @@ export class AdminPermissionChecker {
      */
     async canDeleteMember(member: MemberWithRegistrations) {
         if (member.registrations.length === 0 && this.isUserManager(member)) {
-            const platformMemberships = await MemberPlatformMembership.where({ memberId: member.id });
-            if (platformMemberships.length === 0) {
-                return true;
-            }
-
             const cachedBalance = await CachedBalance.getForObjects([member.id]);
             if (cachedBalance.length === 0 || (cachedBalance[0].amountOpen === 0 && cachedBalance[0].amountPending === 0)) {
-                return true;
+                const platformMemberships = await MemberPlatformMembership.where({ memberId: member.id });
+                if (platformMemberships.length === 0) {
+                    return true;
+                }
             }
         }
 
@@ -380,6 +379,11 @@ export class AdminPermissionChecker {
             return false;
         }
 
+        // Check permissions aren't scoped to a specific organization, and they mismatch
+        if (!this.checkScope(registration.organizationId)) {
+            return false;
+        }
+
         const organizationPermissions = await this.getOrganizationPermissions(registration.organizationId);
 
         if (!organizationPermissions) {
@@ -390,6 +394,15 @@ export class AdminPermissionChecker {
             // Only full permissions; because non-full doesn't have access to other periods
             return true;
         }
+        const organization = await this.getOrganization(registration.organizationId);
+
+        if (registration.periodId !== organization.periodId) {
+            if (STAMHOOFD.userMode === 'organization' || registration.periodId !== this.platform.period.id) {
+                // We already checked for full permissions - and we don't have full permissions
+                // so that also means no permissions for registrations in other periods
+                return false;
+            }
+        }
 
         const group = await this.getGroup(registration.groupId);
         if (!group || group.deletedAt) {
@@ -953,6 +966,11 @@ export class AdminPermissionChecker {
             return false;
         }
 
+        // Temporary access
+        if (hasTemporaryMemberAccess(this.user.id, member.id, level)) {
+            return true;
+        }
+
         // First list all organizations this member is part of
         const organizations: Organization[] = [];
 
@@ -1033,6 +1051,10 @@ export class AdminPermissionChecker {
             return false;
         }
 
+        if (hasTemporaryMemberAccess(this.user.id, member.id, PermissionLevel.Full)) {
+            return true;
+        }
+
         // First list all organizations this member is part of
         const organizations: Organization[] = [];
 
@@ -1073,6 +1095,65 @@ export class AdminPermissionChecker {
         return false;
     }
 
+    async canFilterMembersOnRecordId(recordId: string): Promise<{ canAccess: false; record: RecordSettings | null } | { canAccess: true; record: RecordSettings }> {
+        const record = await MemberRecordStore.getRecord(recordId);
+        if (!record) {
+            return {
+                canAccess: false,
+                record: null,
+            };
+        }
+
+        if (!this.checkScope(record.organizationId)) {
+            return {
+                canAccess: false,
+                record: record.record,
+            };
+        }
+
+        if (!this.user.permissions) {
+            return {
+                canAccess: false,
+                record: record.record,
+            };
+        }
+
+        if (record.organizationId) {
+            const organizationPermissions = await this.getOrganizationPermissions(record.organizationId);
+            if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, PermissionLevel.Read)) {
+                return {
+                    canAccess: true,
+                    record: record.record,
+                };
+            }
+        }
+        else {
+            // ONLY check current scoped organization
+            if (this.organization) {
+                const organizationPermissions = await this.getOrganizationPermissions(this.organization.id);
+                if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, PermissionLevel.Read)) {
+                    return {
+                        canAccess: true,
+                        record: record.record,
+                    };
+                }
+            }
+        }
+
+        // 2. Check platform permissions
+        if (this.platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, PermissionLevel.Read)) {
+            return {
+                canAccess: true,
+                record: record.record,
+            };
+        }
+
+        return {
+            canAccess: false,
+            record: record.record,
+        };
+    }
+
     async checkRecordAccess(member: MemberWithRegistrations, recordId: string, level: PermissionLevel = PermissionLevel.Read): Promise<{ canAccess: false; record: RecordSettings | null } | { canAccess: true; record: RecordSettings }> {
         const record = await MemberRecordStore.getRecord(recordId);
         if (!record) {
@@ -1116,9 +1197,9 @@ export class AdminPermissionChecker {
             }
         }
         else {
-            // 1. Check all organizations (they can give permissions)
-            for (const organizationId of this.user.permissions.organizationPermissions.keys()) {
-                const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+            // Also check current scoped organization
+            if (this.organization) {
+                const organizationPermissions = await this.getOrganizationPermissions(this.organization.id);
                 if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
                     return {
                         canAccess: true,
@@ -1136,16 +1217,42 @@ export class AdminPermissionChecker {
             };
         }
 
-        // It is possible that this is a platform admin, and inherits automatic permissions for tags. So'll need to loop all the organizations where this member has an active registration for
-        if (!record.organizationId && this.platformPermissions) {
-            const organizations = Formatter.uniqueArray(member.registrations.map(r => r.organizationId));
-            for (const organizationId of organizations) {
-                const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+        if (hasTemporaryMemberAccess(this.user.id, member.id, PermissionLevel.Full)) {
+            return {
+                canAccess: true,
+                record: record.record,
+            };
+        }
+
+        // It is possible that this is a platform admin (or an admin that has access to multiple organizations), and inherits automatic permissions for tags. So'll need to loop all the organizations where this member has an active registration for
+        if (!record.organizationId && !this.organization && this.hasSomePlatformAccess()) {
+            const checkedOrganizations = new Map<string, boolean>();
+            for (const registration of member.registrations) {
+                const permissions = checkedOrganizations.get(registration.organizationId);
+
+                // Checking the organization permissions is faster (and less data lookups required), so we do that first before doing the more expensive registration access check
+                if (permissions !== null) {
+                    if (permissions === true && await this.canAccessRegistration(registration, level)) {
+                        return {
+                            canAccess: true,
+                            record: record.record,
+                        };
+                    }
+                    continue;
+                }
+
+                const organizationPermissions = await this.getOrganizationPermissions(registration.organizationId);
                 if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
-                    return {
-                        canAccess: true,
-                        record: record.record,
-                    };
+                    checkedOrganizations.set(registration.organizationId, true);
+                    if (await this.canAccessRegistration(registration, level)) {
+                        return {
+                            canAccess: true,
+                            record: record.record,
+                        };
+                    }
+                }
+                else {
+                    checkedOrganizations.set(registration.organizationId, false);
                 }
             }
         }

package/src/helpers/AuthenticatedStructures.ts

@@ -482,17 +482,20 @@ export class AuthenticatedStructures {
             const blob = MemberWithRegistrationsBlob.create({
                 ...member,
                 balances: memberBalances,
-                registrations: member.registrations.map((r) => {
-                    const base = r.getStructure();
-
-                    base.balances = balancesPermission
-                        ? (balances.filter(b => r.id === b.objectId && b.objectType === ReceivableBalanceType.registration).map((b) => {
-                                return GenericBalance.create(b);
-                            }))
-                        : [];
+                registrations: await Promise.all(
+                    member.registrations.map(async (r) => {
+                        const base = r.getStructure();
+
+                        base.balances = balancesPermission
+                            ? (balances.filter(b => r.id === b.objectId && b.objectType === ReceivableBalanceType.registration).map((b) => {
+                                    return GenericBalance.create(b);
+                                }))
+                            : [];
+                        base.group = await this.group(r.group);
 
-                    return base;
-                }),
+                        return base;
+                    }),
+                ),
                 details: member.details,
                 users: member.users.map(u => u.getStructure()),
             });

package/src/helpers/Context.ts

@@ -313,7 +313,7 @@ export class ContextInstance {
                 throw new SimpleError({
                     code: 'archived',
                     message: 'Full access is required to view inactive organizations',
-                    human: $t('Je moet een hoofdbeheerder zijn om inactieve verenigingen te bekijken'),
+                    human: $t('31bc55e4-1cf3-495a-8b35-686a4cc25f69'),
                     statusCode: 401,
                 });
             }

package/src/helpers/UitpasTokenRepository.ts

@@ -21,7 +21,7 @@ function assertIsUitpasTokenResponse(json: unknown): asserts json is UitpasToken
         throw new SimpleError({
             code: 'invalid_response_fetching_uitpas_token',
             message: `Invalid response when fetching UiTPAS token`,
-            human: $t(`Er is een fout opgetreden bij het communiceren met UiTPAS. Probeer het later opnieuw.`),
+            human: $t(`8f217db0-c672-46f0-a8f7-6eba6f080947`),
         });
     }
 }
@@ -35,43 +35,67 @@ export class UitpasTokenRepository {
         this.uitpasClientCredential = uitpasClientCredential;
     }
 
+    static async handleInQueue<T>(organizationId: string | null, handler: () => Promise<T>): Promise<T> {
+        return await QueueHandler.schedule('uitpas/token-' + (organizationId ?? 'platform'), handler);
+    }
+
+    static async storeIfValid(organizationId: string | null, clientId: string, clientSecret: string): Promise<boolean> {
+        if (!clientId || !clientSecret) { // empty strings
+            return false; // not valid
+        }
+        let model = new UitpasClientCredential();
+        model.organizationId = organizationId;
+        model.clientId = clientId;
+        model.clientSecret = clientSecret;
+        return await UitpasTokenRepository.handleInQueue(organizationId, async () => {
+            let repo = new UitpasTokenRepository(model);
+            try {
+                await repo.getNewAccessToken();
+            }
+            catch (e) {
+                return false; // not valid
+            }
+            // valid -> store
+            model = await UitpasTokenRepository.setModelInDb(organizationId, model);
+            repo.uitpasClientCredential = model; // update the uitpasClientCredential in the repo
+            repo = UitpasTokenRepository.setRepoInMemory(organizationId, repo);
+            return true;
+        });
+    }
+
     /**
      * organizationId (null means platform) -> UitpasTokenRepository
      */
     static knownTokens: Map<string | null, UitpasTokenRepository> = new Map();
 
-    private static async createRepoFromDb(organizationId: string | null): Promise<UitpasTokenRepository> {
-        // query db
-        let uitpasClientCredential = await UitpasClientCredential.select().where('organizationId', organizationId).first(false);
-        if (!uitpasClientCredential) {
-            // temporary solution, because platform client id and secret are not yet in the database
-            if (organizationId === null) {
-                if (!STAMHOOFD.UITPAS_API_CLIENT_ID || !STAMHOOFD.UITPAS_API_CLIENT_SECRET) {
-                    throw new SimpleError({
-                        code: 'uitpas_api_not_configured_for_platform',
-                        message: 'UiTPAS api is not configured for the platform',
-                        human: $t('UiTPAS is niet volledig geconfigureerd, contacteer de platformbeheerder.'),
-                    });
-                }
-                uitpasClientCredential = new UitpasClientCredential();
-                uitpasClientCredential.clientId = STAMHOOFD.UITPAS_API_CLIENT_ID;
-                uitpasClientCredential.clientSecret = STAMHOOFD.UITPAS_API_CLIENT_SECRET;
-                uitpasClientCredential.organizationId = null; // null means platform
-            }
-            else {
+    private static getRepoFromMemory(organizationId: string | null): UitpasTokenRepository | null {
+        return UitpasTokenRepository.knownTokens.get(organizationId) ?? null;
+    }
+
+    private static async getModelFromDb(organizationId: string | null) {
+        let model = await UitpasClientCredential.select().where('organizationId', organizationId).first(false);
+        if (model) {
+            return model; // found in database
+        }
+        if (organizationId === null) {
+            // platform client id and secret are not yet in the database, but should be configured in the environment variables
+            if (!STAMHOOFD.UITPAS_API_CLIENT_ID || !STAMHOOFD.UITPAS_API_CLIENT_SECRET) {
                 throw new SimpleError({
-                    code: 'uitpas_api_not_configured_for_this_organization',
-                    message: `UiTPAS api not configured for organization with id ${organizationId}`,
-                    human: $t(`De UiTPAS integratie is niet compleet, contacteer de beheerder.`),
+                    code: 'uitpas_api_not_configured_for_platform',
+                    message: 'UiTPAS api is not configured for the platform',
+                    human: $t('UiTPAS is niet volledig geconfigureerd, contacteer de platformbeheerder.'),
                 });
             }
+            model = new UitpasClientCredential();
+            model.clientId = STAMHOOFD.UITPAS_API_CLIENT_ID;
+            model.clientSecret = STAMHOOFD.UITPAS_API_CLIENT_SECRET;
+            model.organizationId = null; // null means platform
+            return model;
         }
-        const newRepo = new UitpasTokenRepository(uitpasClientCredential);
-        this.knownTokens.set(organizationId, newRepo);
-        return newRepo;
+        return null; // not found in database
     }
 
-    private async getNewAccessToken(): Promise<string> {
+    private async getNewAccessToken() {
         const url = 'https://account-test.uitid.be/realms/uitid/protocol/openid-connect/token';
         const myHeaders = new Headers();
         myHeaders.append('Content-Type', 'application/x-www-form-urlencoded');
@@ -90,15 +114,23 @@ export class UitpasTokenRepository {
             throw new SimpleError({
                 code: 'uitpas_unreachable_fetching_uitpas_token',
                 message: `Network issue when fetching UiTPAS  token`,
-                human: $t(`We konden UiTPAS niet bereiken. Probeer het later opnieuw.`),
+                human: $t(`6483c4c6-2fe8-456d-9110-f565952b6822`),
             });
         });
         if (!response.ok) {
+            if (response.status === 401) {
+                // Unauthorized, credentials are invalid
+                throw new SimpleError({
+                    code: 'invalid_uitpas_client_credentials',
+                    message: `Invalid UiTPAS client credentials`,
+                    human: $t(`De opgegeven UiTPAS client credentials zijn ongeldig. Controleer ze en probeer opnieuw.`),
+                });
+            }
             console.error(`Unsuccessful response when fetching UiTPAS token for organization with id ${this.uitpasClientCredential.organizationId}:`, response.statusText);
             throw new SimpleError({
                 code: 'unsuccessful_response_fetching_uitpas_token',
                 message: `Unsuccesful response when fetching UiTPAS token`,
-                human: $t(`Er is een fout opgetreden bij het verbinden met UiTPAS. Probeer het later opnieuw.`),
+                human: $t(`dd9b30ca-860f-47aa-8cb1-527fd156d9ca`),
             });
         }
         const json: unknown = await response.json().catch(() => {
@@ -106,7 +138,7 @@ export class UitpasTokenRepository {
             throw new SimpleError({
                 code: 'invalid_json_fetching_uitpas_token',
                 message: `Invalid json when fetching UiTPAS token`,
-                human: $t(`Er is een fout opgetreden bij het communiceren met UiTPAS. Probeer het later opnieuw.`),
+                human: $t(`8f217db0-c672-46f0-a8f7-6eba6f080947`),
             });
         });
         assertIsUitpasTokenResponse(json);
@@ -115,6 +147,25 @@ export class UitpasTokenRepository {
         return this.accessToken;
     }
 
+    private static setRepoInMemory(organizationId: string | null, repo: UitpasTokenRepository) {
+        UitpasTokenRepository.knownTokens.set(organizationId, repo);
+        return repo;
+    }
+
+    private static async setModelInDb(organizationId: string | null, model: UitpasClientCredential) {
+        const oldModel = await UitpasTokenRepository.getModelFromDb(organizationId);
+        if (oldModel) {
+            // update
+            oldModel.clientId = model.clientId;
+            oldModel.clientSecret = model.clientSecret;
+            await oldModel.save();
+            return oldModel; // return updated model
+        }
+        // create
+        await model.save();
+        return model; // return new model
+    }
+
     /**
      * Get the access token for the organization or platform.
      * @param organizationId the organization ID for which to get the access token. If null, it means the platform.
@@ -123,24 +174,63 @@ export class UitpasTokenRepository {
      * @throws SimpleError if the token cannot be obtained or the API is not configured
      */
     static async getAccessTokenFor(organizationId: string | null = null, forceRefresh: boolean = false): Promise<string> {
-        let repo = UitpasTokenRepository.knownTokens.get(organizationId);
+        let repo = UitpasTokenRepository.getRepoFromMemory(organizationId);
         if (repo && repo.accessToken && !forceRefresh && repo.expiresOn > new Date()) {
             return repo.accessToken;
         }
 
         // Prevent multiple concurrent requests for the same organization, asking for an access token to the UiTPAS API.
         // The queue can only run one at a time for the same organizationId
-        return await QueueHandler.schedule('uitpas/token-' + (organizationId ?? 'platform'), async () => {
+        return await UitpasTokenRepository.handleInQueue(organizationId, async () => {
             // we re-search for the repo, as another call to this funcion might have added while we we're waiting in the queue
-            repo = UitpasTokenRepository.knownTokens.get(organizationId);
+            repo = UitpasTokenRepository.getRepoFromMemory(organizationId);
             if (repo && repo.accessToken && !forceRefresh && repo.expiresOn > new Date()) {
                 return repo.accessToken;
             }
             if (!repo) {
-                repo = await UitpasTokenRepository.createRepoFromDb(organizationId);
+                const model = await UitpasTokenRepository.getModelFromDb(organizationId);
+                if (!model) {
+                    throw new SimpleError({
+                        code: 'uitpas_api_not_configured_for_this_organization',
+                        message: `UiTPAS api not configured for organization with id ${organizationId}`,
+                        human: $t('UiTPAS is nog niet volledig geconfigureerd voor deze organisatie.'),
+                    });
+                }
+                repo = UitpasTokenRepository.setRepoInMemory(organizationId, new UitpasTokenRepository(model)); // store in memory
             }
             // ask for a new access token
-            return repo.getNewAccessToken(); ;
+            return repo.getNewAccessToken();
+        });
+    }
+
+    static async getClientIdFor(organisationId: string | null): Promise<string> {
+        const repo = UitpasTokenRepository.getRepoFromMemory(organisationId);
+        if (!repo) {
+            const model = await UitpasClientCredential.select().where('organizationId', organisationId).first(false);
+            if (!model) {
+                return ''; // no client ID and secret configured
+            }
+            return model.clientId; // client ID configured, but not in memory
+        }
+        return repo.uitpasClientCredential.clientId; // client ID configured and in memory
+    }
+
+    static async clearClientCredentialsFor(organizationId: string | null): Promise<boolean> {
+        return await UitpasTokenRepository.handleInQueue(organizationId, async () => {
+            const repo = UitpasTokenRepository.getRepoFromMemory(organizationId);
+            if (repo) {
+                // in memory, thus also in db
+                await repo.uitpasClientCredential.delete(); // remove from db
+                UitpasTokenRepository.knownTokens.delete(organizationId); // remove from memory
+                return true;
+            }
+            // not in memory, maybe in db
+            const model = await UitpasTokenRepository.getModelFromDb(organizationId);
+            if (model) {
+                await model.delete(); // remove from database
+                return true;
+            }
+            return false; // nothing to clear
         });
     }
 }

package/src/helpers/ViesHelper.ts

@@ -68,7 +68,8 @@ export class ViesHelperStatic {
         // In Belgium, the company number syntax is the same as VAT number
         let correctedVATNumber = companyNumber;
 
-        if (companyNumber.length > 2 && companyNumber.substr(0, 2) !== country) {
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-enum-comparison
+        if (companyNumber.length > 2 && companyNumber.substr(0, 2).toUpperCase() !== country) {
             // Add required country in VAT number
             correctedVATNumber = country + companyNumber;
         }

package/src/seeds/0000000002-clear-stamhoofd-email-templates.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@simonbackx/simple-database';
+import { EmailTemplate } from '@stamhoofd/models';
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment !== 'development' && STAMHOOFD.platformName.toLowerCase() !== 'stamhoofd') {
+        console.log('Skipped');
+        return;
+    }
+
+    console.log('Deleting all default email templates');
+    await EmailTemplate.delete()
+        .where('organizationId', null);
+});

package/src/seeds/0000000003-default-email-templates.ts

@@ -0,0 +1,20 @@
+import { Database, Migration } from '@simonbackx/simple-database';
+import { EmailTemplate } from '@stamhoofd/models';
+import { promises as fs } from 'fs';
+
+export default new Migration(async () => {
+    // Check if total email templates is 0
+    const firstEmailTemplate = await EmailTemplate.select().where('organizationId', null).first(false);
+    if (firstEmailTemplate) {
+        console.log('Skipped, email templates already exist');
+        return;
+    }
+
+    // Insert defaults
+    console.log('Inserting default email templates');
+    const sqlStatement = await fs.readFile(__dirname + '/data/default-email-templates.sql', { encoding: 'utf-8' });
+    await Database.statement(sqlStatement);
+
+    // Do something here
+    return Promise.resolve();
+});