npm - @stamhoofd/backend - Versions diffs - 2.9.0 → 2.14.0 - Mend

@stamhoofd/backend 2.9.0 → 2.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -814,7 +814,7 @@ export class AdminPermissionChecker {
     async hasFinancialMemberAccess(member: MemberWithRegistrations, level: PermissionLevel = PermissionLevel.Read): Promise<boolean> {
         const isUserManager = this.isUserManager(member)
-        if (isUserManager) {
+        if (isUserManager && level === PermissionLevel.Read) {
             return true;
         }
@@ -846,6 +846,15 @@ export class AdminPermissionChecker {
                 continue;
             }
+            if (isUserManager) {
+                // Requirements are higher: you need financial access to write your own financial
+                // data changes
+                if (permissions.hasAccessRight(AccessRight.OrganizationManagePayments)) {
+                    return true;
+                }
+                continue;
+            }
             if (permissions.hasAccessRight(level === PermissionLevel.Read ? AccessRight.MemberReadFinancialData : AccessRight.MemberWriteFinancialData)) {
                 return true;
             }
@@ -854,8 +863,16 @@ export class AdminPermissionChecker {
         // Platform data
         const platformPermissions = this.platformPermissions
         if (platformPermissions) {
-            if (platformPermissions.hasAccessRight(level === PermissionLevel.Read ? AccessRight.MemberReadFinancialData : AccessRight.MemberWriteFinancialData)) {
-                return true;
+            if (isUserManager) {
+                // Requirements are higher: you need financial access to write your own financial
+                // data changes
+                if (platformPermissions.hasAccessRight(AccessRight.OrganizationManagePayments)) {
+                    return true;
+                }
+            } else {
+                if (platformPermissions.hasAccessRight(level === PermissionLevel.Read ? AccessRight.MemberReadFinancialData : AccessRight.MemberWriteFinancialData)) {
+                    return true;
+                }
             }
         }
@@ -950,94 +967,97 @@ export class AdminPermissionChecker {
         const hasRecordAnswers = !!data.details.recordAnswers;
         const hasNotes = data.details.notes !== undefined;
         const isSetFinancialSupportTrue = data.details.requiresFinancialSupport?.value === true;
+        const isUserManager = this.isUserManager(member);
-        if(hasRecordAnswers || hasNotes || isSetFinancialSupportTrue) {
-            const isUserManager = this.isUserManager(member);
+        if (hasRecordAnswers) {
+            if (!(data.details.recordAnswers instanceof PatchMap)) {
+                throw new SimpleError({
+                    code: 'invalid_request',
+                    message: 'Cannot PUT recordAnswers',
+                    statusCode: 400
+                })
+            }
+            const records = isUserManager ? new Set() : await this.getAccessibleRecordSet(member, PermissionLevel.Write)
-            if (hasRecordAnswers) {
-                if (!(data.details.recordAnswers instanceof PatchMap)) {
-                    throw new SimpleError({
-                        code: 'invalid_request',
-                        message: 'Cannot PUT recordAnswers',
-                        statusCode: 400
-                    })
-                }
-                const records = isUserManager ? new Set() : await this.getAccessibleRecordSet(member, PermissionLevel.Write)
-                for (const [key, value] of data.details.recordAnswers.entries()) {
-                    let name: string | undefined = undefined
-                    if (value) {
-                        if (value.isPatch()) {
-                            throw new SimpleError({
-                                code: 'invalid_request',
-                                message: 'Cannot PATCH a record answer object',
-                                statusCode: 400
-                            })
-                        }
-                        const id = value.settings.id
-                        if (id !== key) {
-                            throw new SimpleError({
-                                code: 'invalid_request',
-                                message: 'Record answer key does not match record id',
-                                statusCode: 400
-                            })
-                        }
-                        name = value.settings.name
+            for (const [key, value] of data.details.recordAnswers.entries()) {
+                let name: string | undefined = undefined
+                if (value) {
+                    if (value.isPatch()) {
+                        throw new SimpleError({
+                            code: 'invalid_request',
+                            message: 'Cannot PATCH a record answer object',
+                            statusCode: 400
+                        })
                     }
-                    if (!isUserManager && !records.has(key)) {
+                    const id = value.settings.id
+                    if (id !== key) {
                         throw new SimpleError({
-                            code: 'permission_denied',
-                            message: `Je hebt geen toegangsrechten om het antwoord op ${name ?? 'deze vraag'} aan te passen voor dit lid`,
+                            code: 'invalid_request',
+                            message: 'Record answer key does not match record id',
                             statusCode: 400
                         })
                     }
+                    name = value.settings.name
                 }
-            }
-            if(hasNotes && isUserManager) {
-                throw new SimpleError({
-                    code: 'permission_denied',
-                    message: 'Cannot edit notes',
-                    statusCode: 400
-                })
+                if (!isUserManager && !records.has(key)) {
+                    throw new SimpleError({
+                        code: 'permission_denied',
+                        message: `Je hebt geen toegangsrechten om het antwoord op ${name ?? 'deze vraag'} aan te passen voor dit lid`,
+                        statusCode: 400
+                    })
+                }
             }
+        }
-            if(isSetFinancialSupportTrue) {
-                const financialSupport = this.platform.config.recordsConfiguration.financialSupport;
-                const preventSelfAssignment = financialSupport?.preventSelfAssignment === true;
+        if (hasNotes && isUserManager) {
+            throw new SimpleError({
+                code: 'permission_denied',
+                message: 'Cannot edit notes',
+                statusCode: 400
+            })
+        }
+        // Has financial write access?
+        if (!await this.hasFinancialMemberAccess(member, PermissionLevel.Write)) {
+            if (isUserManager && isSetFinancialSupportTrue) {
+                const financialSupportSettings = this.platform.config.financialSupport;
+                const preventSelfAssignment = financialSupportSettings?.preventSelfAssignment === true;
                 if(preventSelfAssignment) {
                     throw new SimpleError({
                         code: 'permission_denied',
-                        message: 'Je hebt geen toegangsrechten om de financiële status van dit lid aan te passen',
-                        human: financialSupport.preventSelfAssignmentText ?? FinancialSupportSettings.defaultPreventSelfAssignmentText,
+                        message: 'No permissions to enable financial support for your own members',
+                        human: financialSupportSettings.preventSelfAssignmentText ?? FinancialSupportSettings.defaultPreventSelfAssignmentText,
                         statusCode: 400
                     });
                 }
             }
-        }
-        // Has financial write access?
-        if (!await this.hasFinancialMemberAccess(member, PermissionLevel.Write)) {
             if (data.details.requiresFinancialSupport) {
-                throw new SimpleError({
-                    code: 'permission_denied',
-                    message: 'Je hebt geen toegangsrechten om de financiële status van dit lid aan te passen',
-                    statusCode: 400
-                })
+                if (isUserManager) {
+                    // Already handled
+                } else {
+                    throw new SimpleError({
+                        code: 'permission_denied',
+                        message: 'Je hebt geen toegangsrechten om de financiële status van dit lid aan te passen',
+                        statusCode: 400
+                    })
+                }
             }
-            if (data.details.uitpasNumber) {
-                throw new SimpleError({
-                    code: 'permission_denied',
-                    message: 'Je hebt geen toegangsrechten om het UiTPAS-nummer van dit lid aan te passen',
-                    statusCode: 400
-                })
+            if (!isUserManager) {
+                if (data.details.uitpasNumber) {
+                    throw new SimpleError({
+                        code: 'permission_denied',
+                        message: 'Je hebt geen toegangsrechten om het UiTPAS-nummer van dit lid aan te passen',
+                        statusCode: 400
+                    })
+                }
             }
             if (data.outstandingBalance) {

package/src/helpers/MemberUserSyncer.ts CHANGED Viewed

@@ -36,8 +36,14 @@ export class MemberUserSyncerStatic {
         } else {
             // Only auto unlink users that do not have an account
             for (const user of member.users) {
-                if (!user.hasAccount() && !userEmails.includes(user.email) && !parentAndUnverifiedEmails.includes(user.email)) {
-                    await this.unlinkUser(user, member)
+                if (!userEmails.includes(user.email) && !parentAndUnverifiedEmails.includes(user.email)) {
+                    if (!user.hasAccount()) {
+                        await this.unlinkUser(user, member)
+                    } else {
+                        // Make sure only linked as a parent, not as user self
+                        // This makes sure we don't inherit permissions and aren't counted as 'begin' the member
+                        await this.linkUser(user.email, member, true)
+                    }
                 }
             }
         }

package/src/helpers/ViesHelper.ts ADDED Viewed

@@ -0,0 +1,151 @@
+import { AutoEncoderPatchType } from '@simonbackx/simple-encoding';
+import { isSimpleError, isSimpleErrors, SimpleError } from '@simonbackx/simple-errors';
+import { Company, Country } from '@stamhoofd/structures';
+import axios from 'axios';
+import * as jsvat from 'jsvat-next'; // has no default export, so we need the wildcard
+export class ViesHelperStatic {
+    testMode = false;
+    async request(method: "GET" | "POST", url: string, content: any) {
+        const json = content ? JSON.stringify(content) : "";
+        console.log("[VIES REQUEST]", method, url, content ? "\n [VIES REQUEST] " : undefined, json)
+        const response = await axios.request({
+            method,
+            url,
+            headers: {
+                'Content-Type': json.length > 0 ? 'application/json' : "text/plain",
+            },
+            data: json
+        })
+        console.log("[VIES RESPONSE]", method, url, "\n[VIES RESPONSE]", JSON.stringify(response.data))
+        return response.data
+    }
+    async checkCompany(company: Company, patch: AutoEncoderPatchType<Company>|Company) {
+        if (!company.address) {
+            // Not allowed to set
+            patch.companyNumber = null;
+            patch.VATNumber = null;
+            return;
+        }
+        if (company.VATNumber !== null) {
+            // Changed VAT number
+            patch.VATNumber = await ViesHelper.checkVATNumber(company.address.country, company.VATNumber)
+            if (company.address.country === Country.Belgium) {
+                patch.companyNumber = company.VATNumber
+            }
+        }
+        if (company.companyNumber) {
+            if (company.VATNumber !== null && company.address.country === Country.Belgium) {
+                // Already validated
+            } else {
+                // Need to validate
+                const result = await ViesHelper.checkCompanyNumber(company.address.country, company.companyNumber)
+                patch.companyNumber = result.companyNumber
+                if (result.VATNumber !== undefined) {
+                    patch.VATNumber = result.VATNumber
+                }
+            }
+        }
+    }
+    async checkCompanyNumber(country: Country, companyNumber: string): Promise<{companyNumber: string|null, VATNumber?: string|null}> {
+        if (country !== Country.Belgium) {
+            // Not supported
+            return {
+                companyNumber
+            };
+        }
+        // In Belgium, the company number syntax is the same as VAT number
+        const result = jsvat.checkVAT(companyNumber, [jsvat.belgium]);
+        if (!result.isValid) {
+            throw new SimpleError({
+                "code": "invalid_field",
+                "message": "Ongeldig ondernemingsnummer: " + companyNumber,
+                "field": "companyNumber"
+            })
+        }
+        // If this is a valid VAT number, we can assume it's a valid company number
+        try {
+            const corrected = await this.checkVATNumber(Country.Belgium, companyNumber);
+            // this is a VAT number, not a company number
+            return {
+                companyNumber: corrected,
+                VATNumber: corrected
+            }
+        } catch (e) {
+            if (isSimpleError(e) || isSimpleErrors(e)) {
+                // Ignore: normal that it is not a valid VAT number
+            } else {
+                // Other errors should be thrown
+                throw e;
+            }
+        }
+        return {
+            companyNumber: result.value ?? companyNumber,
+            // VATNumber should always be set to null if it is not a valid VAT number
+            VATNumber: null
+        };
+    }
+    async checkVATNumber(country: Country, vatNumber: string): Promise<string> {
+        const result = jsvat.checkVAT(vatNumber, country === Country.Belgium ? [jsvat.belgium] : [jsvat.netherlands]);
+        if (!result.isValid) {
+            throw new SimpleError({
+                "code": "invalid_field",
+                "message": "Ongeldig BTW-nummer: " + vatNumber,
+                "field": "VATNumber"
+            })
+        }
+        const formatted = result.value ?? vatNumber;
+        try {
+            const cleaned = formatted.substring(2).replace(/(\.\-\s)+/g, "")
+            const response = await this.request("POST", "https://ec.europa.eu/taxation_customs/vies/rest-api/check-vat-number", {
+                countryCode: country,
+                vatNumber: cleaned
+            });
+            if (typeof response !== 'object' || response === null || typeof response.valid !== 'boolean') {
+                // APi error
+                throw new Error("Invalid response from VIES")
+            }
+            if (!response.valid) {
+                throw new SimpleError({
+                    "code": "invalid_field",
+                    "message": "Het opgegeven BTW-nummer is ongeldig of niet BTW-plichtig: " + formatted,
+                    "field": "VATNumber"
+                })
+            }
+        } catch (e) {
+            if (isSimpleError(e) || isSimpleErrors(e)) {
+                throw e;
+            }
+            // Unavailable: ignore for now
+            console.error('VIES error', e);
+        }
+        return formatted;
+    }
+}
+export const ViesHelper = new ViesHelperStatic();

package/.env.json DELETED Viewed

@@ -1,65 +0,0 @@
-{
-    "environment": "development",
-    "domains": {
-        "dashboard": "dashboard.stamhoofd",
-        "registration": {
-            "": "be.stamhoofd",
-            "BE": "be.stamhoofd",
-            "NL": "nl.stamhoofd"
-        },
-        "marketing": {
-            "": "www.be.stamhoofd",
-            "BE": "www.be.stamhoofd",
-            "NL": "www.nl.stamhoofd"
-        },
-        "webshop": {
-            "": "shop.be.stamhoofd",
-            "BE": "shop.be.stamhoofd",
-            "NL": "shop.nl.stamhoofd"
-        },
-        "webshopPrefix": "shop",
-        "legacyWebshop": "shop.stamhoofd",
-        "api": "api.stamhoofd",
-        "demoApi": "api.stamhoofd",
-        "rendererApi": "renderer.stamhoofd"
-    },
-        "translationNamespace": "digit",
-    "userMode": "platform",
-    "PORT": 9091,
-    "DB_HOST": "127.0.0.1",
-    "DB_USER": "root",
-    "DB_PASS": "root",
-    "DB_DATABASE": "ksa-stamhoofd",
-    "SMTP_HOST": "0.0.0.0",
-    "SMTP_USERNAME": "username",
-    "SMTP_PASSWORD": "password",
-    "SMTP_PORT": 1025,
-    "TRANSACTIONAL_SMTP_HOST": "0.0.0.0",
-    "TRANSACTIONAL_SMTP_USERNAME": "username",
-    "TRANSACTIONAL_SMTP_PASSWORD": "password",
-    "TRANSACTIONAL_SMTP_PORT": 1025,
-    "AWS_ACCESS_KEY_ID": "",
-    "AWS_SECRET_ACCESS_KEY": "",
-    "AWS_REGION": "",
-    "SPACES_ENDPOINT": "",
-    "SPACES_BUCKET": "",
-    "SPACES_KEY": "",
-    "SPACES_SECRET": "",
-    "MOLLIE_CLIENT_ID": "",
-    "MOLLIE_SECRET": "",
-    "MOLLIE_API_KEY": "",
-    "MOLLIE_ORGANIZATION_TOKEN": "",
-    "LATEST_IOS_VERSION": 0,
-    "LATEST_ANDROID_VERSION": 0,
-    "NOLT_SSO_SECRET_KEY": "",
-    "INTERNAL_SECRET_KEY": "",
-    "CRONS_DISABLED": false
-}