diff --git a/src/server/models/circuit.js b/src/server/models/circuit.js
index 3c60292..894ca18 100755
--- a/src/server/models/circuit.js
+++ b/src/server/models/circuit.js
@@ -250,6 +250,18 @@ CircuitSchema.statics.findAllIdApp = async function (idapp) {
 return await Circuit.find(myfind, whatToShow).sort({ status: -1, numMembers: -1, name: 1 });
 };
 
+CircuitSchema.statics.isCircuitAdmin = async function (idrec, username) {
+ const Circuit = this;
+
+
+ const mycirc = await Circuit.findOne({ _id: idrec }).lean();
+ if (mycirc) {
+ return mycirc.admins.some(admin => admin.username === username);
+ }
+
+ return false;
+};
+
 CircuitSchema.statics.getFieldsForSearch = function () {
 return [
 { field: 'name', type: tools.FieldType.string },
diff --git a/src/server/models/user.js b/src/server/models/user.js
index f4fe753..039eb67 100755
--- a/src/server/models/user.js
+++ b/src/server/models/user.js
@@ -1459,6 +1459,7 @@ UserSchema.statics.createNewReqRegistrationGetLink = async function (idapp, user
 // Se è scaduto, ne crea uno nuovo
 // Creo il tokenforgot
+ /*
 if (!user.date_tokenreg || (!user.tokenreg) || (user.tokenreg && (user.date_tokenreg < new Date().getTime()))) {
 let mycodestr = user._id.toHexString() + new Date().getTime().toString();
@@ -1477,11 +1478,14 @@ UserSchema.statics.createNewReqRegistrationGetLink = async function (idapp, user
 }
 user.date_tokenreg = tools.AddDate(new Date(), 1);
+
 return await user.save().then(() => {
 return user.tokenreg;
 });
+ */
+
 }
 }
diff --git a/src/server/router/index_router.js b/src/server/router/index_router.js
index 6f5e846..dcc767c 100755
--- a/src/server/router/index_router.js
+++ b/src/server/router/index_router.js
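Review bot: `mycirc.admins.some(...)` throws a TypeError whenever the circuit document has no `admins` array (a `.lean()` result carries only what is stored), and because `isCircuitAdmin` is used as an authorization check that exception surfaces as a server error instead of a refusal. Failing closed is one line: `return Array.isArray(mycirc?.admins) && mycirc.admins.some((admin) => admin.username === username);`. With mongoose's default casting, an `idrec` that is not a valid ObjectId makes `findOne` reject rather than resolve to null, so callers have to be ready for a rejected promise as well as `false`. Projecting only the compared field, `Circuit.findOne({ _id: idrec }, { admins: 1 }).lean()`, keeps the membership test from loading the whole document.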
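Review bot: With `/*` opened before `if (!user.date_tokenreg ...)` in the first user.js hunk and `*/` placed after the `user.save()` call in the second, the only `return` of `createNewReqRegistrationGetLink` visible here is inside the comment, so on this path the function now resolves to `undefined`; callers that expect a token string need checking. The `if (...) {` opener sits inside the commented span while `}` lines remain after `*/`, so those must close blocks opened outside the span for the file to parse — the enclosing function starts before the first hunk, so the brace balance cannot be confirmed from the diff. If the registration-token flow is being retired, deleting the block is cleaner than keeping it commented out; the history stays in git.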
@@ -339,9 +339,12 @@ router.post('/settable', authenticate, async (req, res) => {
 consentito = true;
 }
- if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm) &&
- !User.isEditor(req.user.perm) && !User.isFacilitatore(req.user.perm)) &&
- !tools.ModificheConsentite(req, params.table, fieldsvalue)) {
+ if ((!User.isAdmin(req.user.perm)
+ && !User.isManager(req.user.perm)
+ && !User.isEditor(req.user.perm)
+ && !User.isFacilitatore(req.user.perm))
+ &&
+ await !tools.ModificheConsentite(req, params.table, fieldsvalue, mydata ? mydata._id: '')) {
 // If without permissions, exit
 return res.status(404).
 send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });
@@ -857,7 +860,7 @@ router.patch('/chval', authenticate, async (req, res) => {
 && !User.isManager(req.user.perm)
 && !User.isEditor(req.user.perm)
 && !User.isFacilitatore(req.user.perm))
- && (!tools.ModificheConsentite(req, mydata.table, fieldsvalue, id)))
+ && (await !tools.ModificheConsentite(req, mydata.table, fieldsvalue, id)))
 && !((mydata.table === 'accounts') && await Account.canEditAccountAdmins(req.user.username, mydata.id))
 ) {
@@ -1041,7 +1044,7 @@ router.patch('/chval', authenticate, async (req, res) => {
 }
 }
- if (tools.ModificheConsentite(req, mydata.table, fieldsvalue)) {
+ if (await tools.ModificheConsentite(req, mydata.table, fieldsvalue)) {
 let msg = '';
 if (mydata.table === 'users') {
 if ('aportador_solidario' in fieldsvalue) {
@@ -1240,7 +1243,7 @@ router.delete('/delrec/:table/:id', authenticate, async (req, res) => {
 if ((!User.isAdmin(req.user.perm) && !User.isManager(req.user.perm)) && (tablename !== 'extralist') &&
- !tools.ModificheConsentite(req, tablename, fields, id, req.user)) {
+ await !tools.ModificheConsentite(req, tablename, fields, id, req.user)) {
 // If without permissions, exit
 return res.status(404).
 send({ code: server_constants.RIS_CODE_ERR_UNAUTHORIZED, msg: '' });
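Review bot: `await !tools.ModificheConsentite(...)` applies `!` to the Promise returned by the now-async `ModificheConsentite` before awaiting it; a Promise object is truthy, so the operand is always `false`, `await false` is `false`, and this condition can never be true — the unauthorized response below it is unreachable and users without any of the four roles are no longer stopped by this check. The same inversion is in the `/chval` hunk at `@@ -857` and the `/delrec` hunk at `@@ -1240`; only the `@@ -1041` hunk awaits the call correctly. Each of the three should read `!(await tools.ModificheConsentite(req, params.table, fieldsvalue, mydata ? mydata._id : ''))`, with that hunk's own arguments. `mydata` is used here without being visible in the hunk; the `/settable` handler starts before it, so its definition at this point should be confirmed.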
diff --git a/src/server/tools/general.js b/src/server/tools/general.js
index 8121309..06a2ff3 100755
--- a/src/server/tools/general.js
+++ b/src/server/tools/general.js
@@ -3032,7 +3032,7 @@ module.exports = {
 );
 if (this.testing()) {
- console.log('query', query);
+ // console.log('query', query);
 }
 // console.log('query', query);
@@ -3815,7 +3815,9 @@ module.exports = {
 return mystr.replace(/\s+/g, '');
 },
- ModificheConsentite(req, table, fieldsvalue, idrec, user) {
+ async ModificheConsentite(req, table, fieldsvalue, idrec, user) {
+ const { Circuit } = require('../models/circuit');
+
 if (table === 'sharewithus') {
 return true;
 }
@@ -3839,6 +3841,18 @@ module.exports = {
 //++Todo: Cancellalo solo se sono io il creatore dell'utente ... o se posso!
 return true;
 }
+ } else if (table === 'circuits') {
+ if (idrec) {
+ // Permetti di fare modifiche se è un admin del circuito
+ return await Circuit.isCircuitAdmin(idrec, req.user ? req.user.username : '');
+ }
+ } else if (table === 'accounts') {
+ if (idrec) {
+ if ('fidoConcesso' in fieldsvalue) {
+ // Permetti di fare modifiche se è un admin del circuito
+ return await Circuit.isCircuitAdmin(idrec, req.user ? req.user.username : '');
+ }
+ }
 }
 if (shared_consts.TABLES_PERM_CHANGE_FOR_USERS.includes(table)) {
@@ -4171,7 +4185,7 @@ module.exports = {
 if (msg.includes('{appname}')) msg = msg.replace('{appname}', this.getNomeAppByIdApp(user.idapp));
 msg = msg.replace('{username}', user.username);
- msg = await this.checkStr(msg, '{time_exp_reg}', user, 1);
+ // msg = await this.checkStr(msg, '{time_exp_reg}', user, 1);
 msg = msg.replace('{name}', user.name ? user.name : user.username);
 msg = msg.replace('{surname}', user.surname ? user.surname : '');
@@ -4421,7 +4435,7 @@ module.exports = {
 /*if (params.openUrl) content = content + '\n' + '' + i18n.__('OPEN PAGE') + '';
-
+ */
 }
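Review bot: Making `ModificheConsentite` `async` changes its result from a boolean to a Promise, and a Promise is truthy, so any call site that still uses the result synchronously will from now on treat every request as permitted; the diff updates four callers in index_router.js, and any others are not visible here, so a search for `ModificheConsentite(` across the server is worth doing before merging. The in-function `require('../models/circuit')` looks like a way around a circular dependency (circuit.js itself references `tools`); a one-line comment such as `// loaded here rather than at module top: circuit.js depends on this module` would keep a later reader from hoisting it. The method body continues past the end of the hunk.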
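Review bot: In the new `accounts` branch `idrec` is passed straight to `Circuit.isCircuitAdmin`, which looks it up as a circuit `_id`, yet for this table the id the callers pass appears to be the account's own record id (`id` in `/chval`, the `:id` route parameter in `/delrec`); unless an account shares its id with a circuit the lookup finds nothing and `fidoConcesso` edits are always refused for non-privileged users — fail-closed, but probably not what was intended. If the account document names the circuit it belongs to, that circuit id should be resolved first and passed instead. When `idrec` is empty both new branches fall through to the generic `TABLES_PERM_CHANGE_FOR_USERS` check below rather than returning; if that is deliberate, a short comment saying so would help.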