@@ -1,11 +1,9 @@
|
||||
/* eslint-disable */
|
||||
import _ from "../libs/lodash.min.js";
|
||||
import store from "../store";
|
||||
import ayt from "./ayatype";
|
||||
import rights from "./bizroles";
|
||||
|
||||
export default {
|
||||
AYATYPE: ayt,
|
||||
export default {
|
||||
ROLE_RIGHTS: rights,
|
||||
AUTHORIZATION_ROLES: {
|
||||
///<summary>No role set</summary>
|
||||
@@ -50,9 +48,7 @@ export default {
|
||||
/////////////////////////////////
|
||||
//
|
||||
//
|
||||
getRights(vm, oType, ownerId) {
|
||||
//NOTE: this is to mirror the functionality of BizRoles.cs where all rights by role are specified in server project
|
||||
//any change there needs to be mirrored here
|
||||
getRights(vm, oType, ownerId) {
|
||||
|
||||
//from bizroles.cs:
|
||||
//HOW THIS WORKS / WHATS EXPECTED
|
||||
@@ -62,7 +58,6 @@ export default {
|
||||
//PICKLIST NOTE: this does not control getting a list of names for selection which is role independent because it's required for so much indirectly
|
||||
//DELETE = SAME AS CHANGE FOR NOW (There is no specific delete right for now though it's checked for by routes in Authorized.cs in case we want to add it in future as a separate right from create.)
|
||||
|
||||
//TODO: get this working, then decompose it into several files to make it cleaner
|
||||
var ret = {
|
||||
change: false,
|
||||
read: false,
|
||||
@@ -78,122 +73,24 @@ export default {
|
||||
var objectRoleRights = this.ROLE_RIGHTS[typeName];
|
||||
//get the logged in user's role
|
||||
var userRole = vm.$store.state.roles;
|
||||
//see if it's self owned
|
||||
var isSelfOwned = ownerId == vm.$store.state.userId;
|
||||
|
||||
//calculate the effective rights taking into consideration self owned etc
|
||||
|
||||
//NOTE: for bitwise comparison we do this:
|
||||
//Desired role to check can be a single role value or the intersection of multiple bits of role values,
|
||||
//for example if it's a single role then just that number is used (i.e. 2)
|
||||
//however if its a bunch of roles that can do that operation they need to be intersected (i.e. 2|32|128) which returns a single value for comparison
|
||||
//and that's how they come from the server so for example a widget change bizrole requires
|
||||
// Change = AuthorizationRoles.BizAdminFull (enum value 2) | AuthorizationRoles.InventoryFull (enum value 32), these are intersected (2|32) to yield 34
|
||||
//now I can compare the user role to 34 to check if either of those two roles are set like this:
|
||||
//All roles except inventoryfull = 32735 so to be clear it has BizAdminFull which is enough to change a widget, so to check:
|
||||
// (32735&34) will be nonzero (true), specifically it will calculate to 2 but we don't care about the exact number, just that it isn't zero which
|
||||
//would indicate that none of the bit fields to check against are set in the user role hence they don't have that right.
|
||||
//if we need to combine rights just do it like in c# by intersection operator | (2|32) = 34
|
||||
//UserCurrentRole & (desiredRole) == 0 or false if no desired role bits set in currentrole or non zero if any of the bits are a match
|
||||
//
|
||||
|
||||
//a non zero result of the bitwise calculation means true and zero means false so using !! to force it into a boolean value (contrary to some style guides that say !! is obscure but I say it saves a lot of typing)
|
||||
var canChange = !!(userRole & objectRoleRights.Change);
|
||||
var canEditOwn = !!(userRole & objectRoleRights.EditOwn);
|
||||
var canEditOwn = isSelfOwned && (!!(userRole & objectRoleRights.EditOwn));
|
||||
var canReadFullRecord = !!(userRole & objectRoleRights.ReadFullRecord);
|
||||
|
||||
//TEST BizAdminLimited, should only be able to read full record, no edit, no change rights
|
||||
var testUserBizAdminLimited = {
|
||||
userId: 2,
|
||||
roles: 1
|
||||
};
|
||||
|
||||
var canChange2 = !!(testUserBizAdminLimited.roles & objectRoleRights.Change);
|
||||
var canEditOwn2 = !!(testUserBizAdminLimited.roles & objectRoleRights.EditOwn);
|
||||
var canReadFullRecord2 = !!(testUserBizAdminLimited.roles & objectRoleRights.ReadFullRecord);
|
||||
|
||||
//widget rights required
|
||||
// Change: 34
|
||||
//
|
||||
// EditOwn: 256
|
||||
//
|
||||
// ReadFullRecord: 17
|
||||
|
||||
/**
|
||||
*
|
||||
|
||||
* NoRole = 0,
|
||||
///<summary>BizAdminLimited</summary>
|
||||
BizAdminLimited = 1,
|
||||
///<summary>BizAdminFull</summary>
|
||||
BizAdminFull = 2,
|
||||
///<summary>DispatchLimited</summary>
|
||||
DispatchLimited = 4,
|
||||
///<summary>DispatchFull</summary>
|
||||
DispatchFull = 8,
|
||||
///<summary>InventoryLimited</summary>
|
||||
InventoryLimited = 16,
|
||||
///<summary>InventoryFull</summary>
|
||||
InventoryFull = 32,
|
||||
///<summary>AccountingFull</summary>
|
||||
AccountingFull = 64,//No limited role, not sure if there is a need
|
||||
///<summary>TechLimited</summary>
|
||||
TechLimited = 128,
|
||||
///<summary>TechFull</summary>
|
||||
TechFull = 256,
|
||||
///<summary>SubContractorLimited</summary>
|
||||
SubContractorLimited = 512,
|
||||
///<summary>SubContractorFull</summary>
|
||||
SubContractorFull = 1024,
|
||||
///<summary>ClientLimited</summary>
|
||||
ClientLimited = 2048,
|
||||
///<summary>ClientFull</summary>
|
||||
ClientFull = 4096,
|
||||
///<summary>OpsAdminLimited</summary>
|
||||
OpsAdminLimited = 8192,
|
||||
///<summary>OpsAdminFull</summary>
|
||||
OpsAdminFull = 16384,
|
||||
|
||||
|
||||
////////////////////////////////////////////////////////////
|
||||
//WIDGET
|
||||
//
|
||||
roles.Add(AyaType.Widget, new BizRoleSet()
|
||||
{
|
||||
Change = AuthorizationRoles.BizAdminFull (2) | AuthorizationRoles.InventoryFull (32), =34
|
||||
EditOwn = AuthorizationRoles.TechFull, = 256
|
||||
ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited = 17
|
||||
});
|
||||
|
||||
|
||||
//One owner who doesn't control anything but views stuff
|
||||
GenSeedUser(log, 1, AuthorizationRoles.DispatchLimited | AuthorizationRoles.InventoryLimited | AuthorizationRoles.OpsAdminLimited, UserType.NonSchedulable, timeZoneOffset);
|
||||
(4|16|8192) = 8212
|
||||
|
||||
|
||||
|
||||
|
||||
So checking role = eg: InventoryFull === (UserRole && InventoryFull)
|
||||
But a test shows a user with role 1 bizadminlimited has no rights to readfull record a widget
|
||||
17&1=1
|
||||
So checking a role should be userRole===(UserRole && InventoryFull), lets try it
|
||||
8212 = user with no rights to Change a widget, what happens if we test it:
|
||||
8212===(8212&34)= false
|
||||
InventoryFull User with rights to change a full record:
|
||||
32===(32&34)=true
|
||||
OpsAdminFull user with no rights to change a full record
|
||||
16384===(16384&34)=false!!
|
||||
User with every single right but the two required for changing a widget: 32733
|
||||
let's test it:
|
||||
32733===(32733&34)=false! Yes.
|
||||
let's try one more with bizadminfull added to the prior all other rights and confirm it works:32735
|
||||
32735===(32735&34)=false NO! This did not work, WTF it returns 2 instead, maybe the number is too large
|
||||
|
||||
No, 2 is ok, it means that's the bit field that matches, if it returned zero that would indicate a non match in any case so...
|
||||
|
||||
3
|
||||
|
||||
Ok, this is not working as expected, need to figure this out, test it in a c# console just to confirm if there is a difference there between the two platforms when not expected.
|
||||
After some research I'm probably doing it wrong:
|
||||
ret.change=canChange || canEditOwn;
|
||||
ret.delete=ret.change;//FOR NOW
|
||||
ret.read=canReadFullRecord;
|
||||
|
||||
return ret;
|
||||
}
|
||||
};
|
||||
/*
|
||||
USING BITWISE OPERATORS CHEAT SHEET
|
||||
//https://codeburst.io/using-javascript-bitwise-operators-in-real-life-f551a731ff5
|
||||
// Test whether your bit number has a single attribute. '&' ensures
|
||||
// an intersection between them.
|
||||
@@ -230,83 +127,4 @@ if (myBitNumber == (myBitNumber | (HAS_FOO2 | HAS_FOO4))) {
|
||||
if (myBitNumber == (myBitNumber | (HAS_FOO2 | HAS_FOO3 | HAS_FOO4))) {
|
||||
// False
|
||||
}
|
||||
|
||||
|
||||
*
|
||||
*/
|
||||
|
||||
/**
|
||||
*
|
||||
* What to do:
|
||||
* Object is to return ret fully set as per rights
|
||||
*
|
||||
* Look up AyaType key name from value (i.e. 2="Widget")
|
||||
* Use the type key name to find the object in AYANOVA_RIGHTS by key name
|
||||
* Error if not found of course
|
||||
* Using the object found check if can do each thing in RET and return RET
|
||||
*
|
||||
* To check need to do just like HasRole, i.e. this: role === (store.state.roles & role);
|
||||
*
|
||||
* AyaNova7Import: Object { Change: 16384, EditOwn: 0, ReadFullRecord: 0 }
|
||||
|
||||
DataFilter: Object { Change: 2, EditOwn: 32767, ReadFullRecord: 32767 }
|
||||
|
||||
FormCustom: Object { Change: 2, EditOwn: 0, ReadFullRecord: 32767 }
|
||||
|
||||
JobOperations: Object { Change: 16384, EditOwn: 0, ReadFullRecord: 8195 }
|
||||
|
||||
License: Object { Change: 16386, EditOwn: 0, ReadFullRecord: 8193 }
|
||||
|
||||
Locale: Object { Change: 16386, EditOwn: 0, ReadFullRecord: 32767 }
|
||||
|
||||
LogFile: Object { Change: 0, EditOwn: 0, ReadFullRecord: 24576 }
|
||||
|
||||
Metrics: Object { Change: 0, EditOwn: 0, ReadFullRecord: 24576 }
|
||||
|
||||
ServerState: Object { Change: 16384, EditOwn: 0, ReadFullRecord: 32767 }
|
||||
|
||||
User: Object { Change: 2, EditOwn: 0, ReadFullRecord: 1 }
|
||||
|
||||
UserOptions: Object { Change: 2, EditOwn: 0, ReadFullRecord: 1 }
|
||||
|
||||
Widget: Object { Change: 34, EditOwn: 256, ReadFullRecord: 17 }
|
||||
|
||||
<prototype>: Object { … }
|
||||
authorizationroles.js:72
|
||||
userRole
|
||||
"32767"
|
||||
objType
|
||||
2
|
||||
*
|
||||
*/
|
||||
|
||||
// switch (objType) {
|
||||
// case ayatype.Widget:
|
||||
// //WIDGET
|
||||
// // Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.InventoryFull,
|
||||
// // EditOwn = AuthorizationRoles.TechFull,
|
||||
// // ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited
|
||||
// ret.change =
|
||||
// this.hasrole(this.AUTHORIZATION_ROLES.BizAdminFull) ||
|
||||
// this.hasrole(this.AUTHORIZATION_ROLES.InventoryFull);
|
||||
// ret.editOwn =
|
||||
// objId == store.state.userId &&
|
||||
// this.hasrole(this.AUTHORIZATION_ROLES.TechFull);
|
||||
// ret.readFull =
|
||||
// this.hasrole(this.AUTHORIZATION_ROLES.BizAdminLimited) ||
|
||||
// this.hasRole(this.AUTHORIZATION_ROLES.InventoryLimited);
|
||||
// ret.delete = ret.change || ret.editOwn;
|
||||
|
||||
// // ////////////////////////////////////////////////////////////
|
||||
|
||||
// break;
|
||||
// default:
|
||||
// throw new "authorizationroles::rights - not coded for object type "() +
|
||||
// objType;
|
||||
// }
|
||||
return ret;
|
||||
}
|
||||
};
|
||||
/*
|
||||
{"User":{"Change":2,"EditOwn":0,"ReadFullRecord":1},"UserOptions":{"Change":2,"EditOwn":0,"ReadFullRecord":1},"Widget":{"Change":34,"EditOwn":256,"ReadFullRecord":17},"ServerState":{"Change":16384,"EditOwn":0,"ReadFullRecord":32767},"License":{"Change":16386,"EditOwn":0,"ReadFullRecord":8193},"LogFile":{"Change":0,"EditOwn":0,"ReadFullRecord":24576},"JobOperations":{"Change":16384,"EditOwn":0,"ReadFullRecord":8195},"AyaNova7Import":{"Change":16384,"EditOwn":0,"ReadFullRecord":0},"Metrics":{"Change":0,"EditOwn":0,"ReadFullRecord":24576},"Locale":{"Change":16386,"EditOwn":0,"ReadFullRecord":32767},"DataFilter":{"Change":2,"EditOwn":32767,"ReadFullRecord":32767},"FormCustom":{"Change":2,"EditOwn":0,"ReadFullRecord":32767}}
|
||||
*/
|
||||
*/
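Review bot: In the `@@ -78,122 +73,24 @@` hunk, `objectRoleRights = this.ROLE_RIGHTS[typeName]` is dereferenced on the next surviving lines (`objectRoleRights.Change`, `.EditOwn`, `.ReadFullRecord`) with no check that the lookup found anything, so an object type missing from ROLE_RIGHTS fails with a TypeError rather than the explicit error the removed draft intended ("Error if not found of course"); add `if (!objectRoleRights) throw new Error(\`authorizationroles::getRights - no ROLE_RIGHTS entry for object type ${typeName}\`);` right after the lookup. The derivation of `typeName` and the `getRights(vm, oType, ownerId)` signature sit outside this hunk (the signature is in the `@@ -50,9` hunk), so whether `typeName` can ever be undefined cannot be confirmed from here. The removed debugging dump shows `userRole` arriving as the string `"32767"`; `&` coerces it to a number so the bit tests still work, but a one-line comment such as `// roles may be a string in store state; & coerces to a number` would save the next reader the same investigation, and the `ownerId == vm.$store.state.userId` loose comparison looks intentional for the same string/number mix and deserves the same note. As the NOTE at the top of the function already says, this is a client-side mirror of BizRoles.cs driven by store state, so its result should only gate UI affordances while the route checks in Authorized.cs remain the enforcement point.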
|
||||