Many levels of nested filters fixed

Entity-Access · Jul 11, 2023 · 6f8ad05 · 6f8ad05
1 parent 1d4cc03
commit 6f8ad05
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/src/tests/security/events/OrderEvents.ts b/src/tests/security/events/OrderEvents.ts
@@ -28,6 +28,12 @@ export class OrderEvents extends EntityEvents<Order> {
         // user can only modify placed orders
         return query.where({ userID }, (p) => (x) => x.customerID === p.userID || x.orderItems.some((item) => item.product.ownerID === p.userID));
     }
+
+    onForeignKeyFilter(filter: ForeignKeyFilter<Order>): IEntityQuery<any> {
+        if (filter.is((x) => x.customer)) {
+            return filter.read();
+        }
+    }
 }
 
 export class OrderItemEvents extends EntityEvents<OrderItem> {
@@ -52,7 +58,7 @@ export class OrderItemEvents extends EntityEvents<OrderItem> {
         }
         const { userID } = this.user;
         // user can only modify placed orders
-        return query.where({ userID }, (p) => (x) => x.order.customerID === p.userID);
+        return query.where({ userID }, (p) => (x) => x.order.customerID === p.userID || x.product.ownerID === p.userID);
     }
 
     onForeignKeyFilter(filter: ForeignKeyFilter<OrderItem>): IEntityQuery<any> {

diff --git a/src/tests/security/events/UserEvents.ts b/src/tests/security/events/UserEvents.ts
@@ -13,6 +13,16 @@ export class UserEvents extends EntityEvents<User> {
             return null;
         }
         const { userID } = this.user;
-        return query.where({ userID }, (p) => (x) => x.userID === p.userID);
+        return query.where({ userID }, (p) => (x) => x.userID === p.userID
+            || x.orders.some(
+                (op) => op.orderItems.some((oi) => oi.product.ownerID === p.userID)));
+    }
+
+    modify(query: IEntityQuery<User>): IEntityQuery<User> {
+        if (this.user.admin) {
+            return null;
+        }
+        const { userID } = this.user;
+        return query.where({ userID}, (p) => (x) => x.userID === p.userID);
     }
 }
diff --git a/src/tests/security/tests/place-order.ts b/src/tests/security/tests/place-order.ts
@@ -30,7 +30,7 @@ async function getNewOrders(this: TestConfig) {
     const scope = ServiceProvider.global.createScope();
     try {
         const user = new UserInfo();
-        user.userID = 1;
+        user.userID = 2;
         scope.add(Logger, Logger.instance);
         scope.add(BaseDriver, this.driver);
         scope.add(UserInfo, user);