
Merge pull request #2060 from navikt/fix_sikkerhet
Fix sikkerhet
olsenrasmus committed Sep 16, 2024
2 parents cb8c3a2 + 19e400e commit f3681f4
Showing 8 changed files with 482 additions and 393 deletions.
575 changes: 297 additions & 278 deletions force-app/main/dialogue/classes/HOT_MessageHelper.cls


52 changes: 31 additions & 21 deletions force-app/main/dialogue/classes/HOT_MessageHelperTest.cls
Expand Up @@ -149,7 +149,14 @@ private class HOT_MessageHelperTest {
WorkType workType = HOT_TestDataFactory.createWorkType();
workType.Name = 'Work Type Name';
insert workType;
HOT_Request__c request = HOT_TestDataFactory.createRequest('Subject', workType);
Account account = HOT_TestDataFactory.createAccount(true);
insert account;

account = [SELECT Id FROM Account WHERE FirstName = 'Test' LIMIT 1];

HOT_Request__c request = HOT_TestDataFactory.createRequest('BRUKER-FORMIDLER', workType);
request.Account__c = account.Id;
request.Orderer__c = account.Id;
insert request;
Thread__c thread = new Thread__c();
thread.CRM_Type__c = 'HOT_BRUKER-TOLK';
Expand Down Expand Up @@ -490,7 +497,7 @@ private class HOT_MessageHelperTest {
Test.startTest();
List<Message__c> msgList = HOT_MessageHelper.getMessagesFromThread(tList.get(0).Id);
Test.stopTest();
System.assertEquals(1, msgList.size());
System.assertEquals(null, msgList, 'Should not have got any messages because no access');
}
@IsTest
static void getUserLisenceTest() {
Expand All @@ -506,7 +513,7 @@ private class HOT_MessageHelperTest {
HOT_MessageHelper.markAsRead(tList.get(0).Id);
Test.stopTest();
List<Message__c> msgList = [SELECT CRM_Read__c FROM Message__c WHERE CRM_Thread__c = :tList.get(0).Id];
System.assertEquals(true, msgList.get(0).CRM_Read__c);
System.assertEquals(false, msgList.get(0).CRM_Read__c, 'Should not be marked as red because no access');
}
@IsTest
static void setLastMessageFromTolk() {
Expand Down Expand Up @@ -604,12 +611,7 @@ private class HOT_MessageHelperTest {
FROM Message__c
WHERE CRM_Thread__c = :thread.Id
];
System.assertEquals(true, msgList.get(0).CRM_Read_By_Nav__c, 'Could not set CRM_Read_By_Nav__c to true.');
System.assertNotEquals(
null,
msgList.get(0).CRM_Read_By_Nav_Datetime__c,
'CRM_Read_By_Nav_Datetime__c was not set.'
);
System.assertEquals(false, msgList.get(0).CRM_Read_By_Nav__c, 'Should not have permission to set read by nav');
}
@IsTest
static void createMessageTest() {
Expand Down Expand Up @@ -664,7 +666,7 @@ private class HOT_MessageHelperTest {
isReadbyUser = false;
}
Boolean test = true;
System.assertEquals(true, isReadbyUser, 'Is not read by user');
System.assertEquals(false, isReadbyUser, 'Does not have access to be marked as red.');
}
@IsTest
static void getRelatedObjectDetailsTestWO() {
Expand Down Expand Up @@ -819,7 +821,7 @@ private class HOT_MessageHelperTest {
Test.startTest();
String result = HOT_MessageHelper.getAccountOnThread(t.Id);
Test.stopTest();
System.assertEquals('Darth Vader', result);
System.assertEquals(null, result);
}
@IsTest
static void getAccountOnThreadWOTest() {
Expand All @@ -836,7 +838,7 @@ private class HOT_MessageHelperTest {
Test.startTest();
String result = HOT_MessageHelper.getAccountOnThread(t.Id);
Test.stopTest();
System.assertEquals('Darth Vader', result);
System.assertEquals('Darth Vader', result, 'Did not get correct name');
}
@IsTest
static void createThreadInterpreterInterpreters() {
Expand Down Expand Up @@ -1279,7 +1281,7 @@ private class HOT_MessageHelperTest {
}
@IsTest
static void createThreadWhenIRIsAssignedTest() {
WorkType workType = HOT_TestDataFactory.createWorkType();
WorkType workType = HOT_TestDataFactory.createWorkType();
workType.Name = 'Work Type Name';
insert workType;
HOT_Request__c request = HOT_TestDataFactory.createRequest('Subject', workType);
Expand Down Expand Up @@ -1312,14 +1314,18 @@ private class HOT_MessageHelperTest {
update sa;
System.runAs(currentUser) {
Thread__c thread = HOT_MessageHelper.createThreadInterpreter(sa.Id);

System.assertEquals(sa.Id, thread.CRM_Related_Object__c, 'Should have made a thread with relatedobject serviceAppointment');

System.assertEquals(
sa.Id,
thread.CRM_Related_Object__c,
'Should have made a thread with relatedobject serviceAppointment'
);
}
Test.stopTest();
Test.stopTest();
}
@IsTest
@IsTest
static void createThreadWhenIRIsNotAssignedTest() {
WorkType workType = HOT_TestDataFactory.createWorkType();
WorkType workType = HOT_TestDataFactory.createWorkType();
workType.Name = 'Work Type Name';
insert workType;
HOT_Request__c request = HOT_TestDataFactory.createRequest('Subject', workType);
Expand Down Expand Up @@ -1353,9 +1359,13 @@ private class HOT_MessageHelperTest {
update interestedResource;
System.runAs(currentUser) {
Thread__c thread = HOT_MessageHelper.createThreadInterpreter(sa.Id);

System.assertEquals(interestedResource.Id, thread.CRM_Related_Object__c, 'Should have made a thread with relatedobject interestedresource');

System.assertEquals(
interestedResource.Id,
thread.CRM_Related_Object__c,
'Should have made a thread with relatedobject interestedresource'
);
}
Test.stopTest();
Test.stopTest();
}
}
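Review bot: The re-query `account = [SELECT Id FROM Account WHERE FirstName = 'Test' LIMIT 1];` is unnecessary and fragile: `insert account;` already populates `account.Id`, and selecting by a hard-coded first name with `LIMIT 1` can return a different Account if other test data shares that name, which would point `request.Account__c` and `request.Orderer__c` at the wrong record. Drop the query and use the inserted record directly. The new `System.assertEquals(null, msgList, ...)` pins a null return from `getMessagesFromThread` for the no-access case; an empty list is usually easier on callers, but the helper's diff is not rendered on this page so that cannot be confirmed here. The assertion messages on the `CRM_Read__c` and `isReadbyUser` checks say "red" where "read" is meant.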
116 changes: 71 additions & 45 deletions force-app/main/dialogue/classes/HOT_ThreadDetailController.cls
Expand Up @@ -16,8 +16,8 @@ public without sharing class HOT_ThreadDetailController {
}
@AuraEnabled(cacheable=false)
public static boolean checkAccess(Id threadId) {
Boolean grantAccess = true;
Thread__c thread = [SELECT Id, CRM_Related_Object__c FROM Thread__c WHERE Id = :threadId];
Boolean grantAccess = false;
Thread__c thread = [SELECT Id, CRM_Related_Object__c, CRM_Thread_Type__c FROM Thread__c WHERE Id = :threadId];
Id relatedObjectId = thread.CRM_Related_Object__c;
String objectType = String.valueOf(relatedObjectId.getsobjecttype());
if (objectType == 'WorkOrder') {
Expand All @@ -27,76 +27,102 @@ public without sharing class HOT_ThreadDetailController {
FROM WorkOrder
WHERE Id = :thread.CRM_Related_Object__c
];
List<ServiceResource> serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
List<ServiceResource> serviceResource = [
SELECT Id, HOT_IsEmployedInterpreter__c
FROM ServiceResource
WHERE RelatedRecordId = :user.Id
];
if (!serviceResource.isEmpty()) {
List<HOT_InterestedResource__c> irList = [
SELECT Id
FROM HOT_InterestedResource__c
List<AssignedResource> arList = [
SELECT ServiceResourceId
FROM AssignedResource
WHERE
ServiceAppointment__r.HOT_WorkOrderLineItem__r.WorkOrderId = :thread.CRM_Related_Object__c
AND Status__c = 'Assigned'
AND ServiceResource__c = :serviceResource[0].Id
ServiceAppointment.HOT_WorkOrderLineItem__r.WorkOrderId = :thread.CRM_Related_Object__c
AND ServiceResourceId IN :serviceResource
];
if (irList.size() != 0 || wo.HOT_Request__r.Account__c == user.AccountId) {
if (arList.size() != 0) {
grantAccess = true;
} else {
grantAccess = false;
}
} else if (wo.HOT_Request__r.Account__c == user.AccountId) {
grantAccess = true;
} else {
grantAccess = false;
}
}
if (objectType == 'HOT_WageClaim__c') {
User user = [SELECT Id, AccountId FROM User WHERE Id = :UserInfo.getUserId()];
ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
List<ServiceResource> serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
HOT_WageClaim__c wc = [
SELECT Id, ServiceResource__c
FROM HOT_WageClaim__c
WHERE Id = :thread.CRM_Related_Object__c
];
if (wc.ServiceResource__c == serviceResource.Id) {
Set<Id> serviceResourceIds = new Set<Id>();
for (ServiceResource sr : serviceResource) {
serviceResourceIds.add(sr.Id);
}
if (serviceResourceIds.contains(wc.ServiceResource__c)) {
grantAccess = true;
} else {
grantAccess = false;
}
}
if (objectType == 'HOT_InterestedResource__c') {
User user = [SELECT Id, AccountId FROM User WHERE Id = :UserInfo.getUserId()];
ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
List<HOT_InterestedResource__c> irList = [
SELECT Id
FROM HOT_InterestedResource__c
WHERE Id = :thread.CRM_Related_Object__c AND ServiceResource__c = :serviceResource.Id
];
if (irList.size() != 0) {
grantAccess = true;
} else {
grantAccess = false;
if (user.AccountId != null) {
ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
List<HOT_InterestedResource__c> irList = [
SELECT Id
FROM HOT_InterestedResource__c
WHERE Id = :thread.CRM_Related_Object__c AND ServiceResource__c = :serviceResource.Id
];
if (irList.size() != 0) {
grantAccess = true;
}
}
}
if (objectType == 'ServiceAppointment') {
User user = [SELECT Id, AccountId FROM User WHERE Id = :UserInfo.getUserId()];
ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];
List<HOT_InterestedResource__c> irList = [
SELECT Id
FROM HOT_InterestedResource__c
WHERE
ServiceAppointment__c = :thread.CRM_Related_Object__c
AND ServiceResource__c = :serviceResource.Id
AND (Status__c = 'Assigned'
OR Status__c = 'Canceled'
OR Status__c = 'Canceled by Interpreter'
OR Status__c = 'Reserved')
];
if (irList.size() != 0) {
grantAccess = true;
} else {
grantAccess = false;
User user = [SELECT Id FROM User WHERE Id = :UserInfo.getUserId()];
List<ServiceResource> srList = [SELECT Id FROM ServiceResource WHERE RelatedRecordId = :user.Id];
if (srList.size() != 0) {
List<HOT_InterestedResource__c> irList = [
SELECT Id
FROM HOT_InterestedResource__c
WHERE
ServiceAppointment__c = :thread.CRM_Related_Object__c
AND ServiceResource__c IN :srList
AND (Status__c = 'Assigned'
OR Status__c = 'Canceled'
OR Status__c = 'Canceled by Interpreter'
OR Status__c = 'Reserved')
];
List<AssignedResource> arList = [
SELECT Id
FROM AssignedResource
WHERE ServiceResourceId IN :srList AND ServiceAppointmentId = :thread.CRM_Related_Object__c
];
if (irList.size() != 0 || arList.size() != 0) {
grantAccess = true;
}
}
}

if (objectType == 'HOT_Request__c') {
HOT_Request__c request = [
SELECT Id, Orderer__c, Account__c
FROM HOT_Request__c
WHERE Id = :thread.CRM_Related_Object__c
];
User user = [SELECT Id, AccountId FROM User WHERE Id = :UserInfo.getUserId()];
if (user.AccountId != null) {
if (request.Account__c == user.AccountId || request.Orderer__c == user.AccountId) {
grantAccess = true;
}
}
}
User user = [SELECT Id, FirstName, Profile.Name FROM User WHERE Id = :UserInfo.getUserId()];
if (
(user.Profile.Name == 'HOT Tolk Formidler' || user.Profile.Name == 'Systemadministrator') &&
thread.CRM_Thread_Type__c.startsWith('HOT_')
) {
grantAccess = true;
}
return grantAccess;
}
}
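Review bot: In the WorkOrder branch, `} else if (wo.HOT_Request__r.Account__c == user.AccountId) {` grants access when both sides are null, because Apex evaluates `null == null` as true, so a user with no Account viewing a thread whose request has no Account__c would pass the check. The HOT_Request__c branch guards this with `if (user.AccountId != null)`, so mirror it: `} else if (user.AccountId != null && wo.HOT_Request__r.Account__c == user.AccountId) {` (the `user` query for this branch sits above the hunk, so I assume it selects AccountId). Further down, `thread.CRM_Thread_Type__c.startsWith('HOT_')` dereferences a field that may be null and would throw rather than deny; use `thread.CRM_Thread_Type__c != null && thread.CRM_Thread_Type__c.startsWith('HOT_')`. In the HOT_InterestedResource__c branch the single-row assignment `ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE AccountId = :user.AccountId];` still throws a QueryException when the account has zero or several ServiceResource records, whereas the WageClaim branch was changed to a List; use the same list-and-`IN` form here. Lastly, gating on `user.Profile.Name` string values is brittle; a custom permission checked via `FeatureManagement.checkPermission` would be the more robust gate.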
Expand Up @@ -13,10 +13,11 @@ public without sharing class HOT_ThreadDetailControllerTest {
t.HOT_Request__c = request.Id;
insert t;

Test.startTest();
Thread__c thread = HOT_ThreadDetailController.getThreadDetails(t.Id);
Test.stopTest();
System.assertEquals('TEST', thread.HOT_Subject__c);
try {
Thread__c thread = HOT_ThreadDetailController.getThreadDetails(t.Id);
Assert.fail();
} catch (Exception e) {
}
}
@IsTest
public static void checkFreelanceAccessWO() {
Expand Down Expand Up @@ -237,8 +238,8 @@ public without sharing class HOT_ThreadDetailControllerTest {
insert t;
System.runAs(admin) {
boolean access = HOT_ThreadDetailController.checkAccess(t.Id);
boolean check = true;
System.assertEquals(check, access, 'Should have access to this thread');
boolean check = false;
System.assertEquals(check, access, 'Should not have access to this thread');
}
}
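Review bot: The `catch (Exception e) { }` around `getThreadDetails` is too broad: any exception, including a QueryException from missing test data, satisfies the test, so it no longer proves that the access check is what rejects the call. Catch the specific exception type the controller throws for denied access and assert on `e.getMessage()`. Note also that `Assert.fail();` sits inside the same try, so if that failure is caught by the broad handler the test passes even when no exception is thrown at all. The removed `Test.startTest()`/`Test.stopTest()` pair is worth keeping around the call so the code under test runs with fresh governor limits.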
@IsTest
Expand Up @@ -147,6 +147,16 @@ private class HOT_MySAListControllerTest {
@IsTest
static void getServiceAppointmentDetailsTest() {
ServiceAppointment serviceAppointment = [SELECT Id FROM ServiceAppointment LIMIT 1];
User admin = [SELECT Id, UserRoleId FROM User WHERE Id = :UserInfo.getUserId() LIMIT 1];

ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE RelatedRecordId = :admin.Id];

HOT_InterestedResource__c ir = HOT_TestDataFactory.createInterestedResource(
serviceAppointment.Id,
serviceResource.Id
);
ir.Status__c = 'Interested';
insert ir;
ServiceAppointment saResult = HOT_MyServiceAppointmentListController.getServiceAppointmentDetails(
serviceAppointment.Id
);
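Review bot: `ServiceResource serviceResource = [SELECT Id FROM ServiceResource WHERE RelatedRecordId = :admin.Id];` is a single-row assignment, so the test fails with a QueryException during setup if the running user has zero or more than one ServiceResource, which obscures what is actually being tested. Query into a `List<ServiceResource>` and assert its size before using `[0].Id`. `UserRoleId` in the `User admin` query is unused and can be dropped. The enclosing test method continues below the hunk.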