Fix: don't allow to update usage status or work status if not masterEditor #311
Conversation
…ditor on current or future workgroup of the edited asset, even for admins
| const checkStatusChange = ( | ||
| hasChanged: boolean, | ||
| newStatus: string, | ||
| allowedStatus: string, | ||
| errorMessage: string, | ||
| record: AssetEditDetail | undefined, | ||
| policy: AssetEditPolicy, | ||
| patchWorkgroupId: number | ||
| ) => { | ||
| if ( | ||
| hasChanged && | ||
| newStatus !== allowedStatus && | ||
| ((record != null && !policy.hasRole(Role.MasterEditor, record.workgroupId)) || | ||
| !policy.hasRole(Role.MasterEditor, patchWorkgroupId)) | ||
| ) { | ||
| throw new HttpException(errorMessage, HttpStatus.FORBIDDEN); | ||
| } | ||
| }; |
There was a problem hiding this comment.
I have some issues with this function. Note that these are just general observations - if and how you apply them is up to you. Solving some of these issues even makes others obsolete.
-
There is currently no reason for this to be a nested function (a function within another function). I like nested functions, as long as they reuse their outer scope, making their parameter list more readable. Here, the last three parameters are unnecessary - they can be replaced by accessing the outer function's scope.
-
As a general rule, I like to keep a function's parameter count at a maximum of 3 or 4. Any more than that and it becomes unclear what each argument passed to the function does. If there is no way to reduce the parameter count, use an options object, e.g:
const checkStatusChange = (hasChanged: boolean, options: { newStatus: string; allowedStatus: string; errorMessage: string; }) => { ... }
This makes function calls much more readable:
checkStatusChange(hasInternalUseChanged, { newStatus: patch.internalUse.statusAssetUseItemCode, allowedStatus: 'tobechecked', errorMessage: 'Changing the asset's status is not allowed', })
-
There is no reason for
allowedStatusanderrorMessageto be parameters, as they are the same for all function calls. -
Instead of passing
hasChangedandnewStatus, you could just pass the key'internalUse' | 'publicUse'. This would also enable you to computehasChangedwithin the function instead of duplicating it outside of it. -
Reading a function starting with
check, I would expect it to return a value (aboolean, most likely). Here, I would prefervalidateStatusto keep with the outer function's name, or evenvalidateStatusOrThrowif you want to be explicit about what it does.
If you want to keep it as acheck*, I personally would prefer to make the function return abooleanand then make the function caller throw the exception themself. This would also enable you to remove theerrorMessageparameter from the function, while keeping the function pure.
|
TIL-EBP
deleted the
bug/assets-309-restrict-editing-permissions-for-admins
branch
resolves #309