fix(pass): DOMA-11223 get only permitted employees for sending push in pass miniapp

apps/condo/domains/miniapp/utils/b2bAppServiceUserAccess/config.js

@@ -77,6 +77,9 @@ const B2B_APP_SERVICE_USER_ACCESS_AVAILABLE_SCHEMAS = {
         OrganizationEmployee: {
             canBeManaged: false,
         },
+        OrganizationEmployeeRole: {
+            canBeManaged: false,
+        },
 
         // Property domain
         Property: {},

apps/condo/domains/organization/access/OrganizationEmployeeRole.js

@@ -6,18 +6,26 @@ const get = require('lodash/get')
 const { throwAuthenticationError } = require('@open-condo/keystone/apolloErrorFormatter')
 const { getById } = require('@open-condo/keystone/schema')
 
+const { canReadObjectsAsB2BAppServiceUser } = require('@condo/domains/miniapp/utils/b2bAppServiceUserAccess')
 const {
     getEmployedOrRelatedOrganizationsByPermissions,
     checkPermissionsInEmployedOrRelatedOrganizations,
 } = require('@condo/domains/organization/utils/accessSchema')
+const { SERVICE } = require('@condo/domains/user/constants/common')
 
 
-async function canReadOrganizationEmployeeRoles ({ authentication: { item: user }, context }) {
+async function canReadOrganizationEmployeeRoles (args) {
+    const { authentication: { item: user }, context } = args
+
     if (!user) return throwAuthenticationError()
     if (user.deletedAt) return false
 
     if (user.isSupport || user.isAdmin) return {}
 
+    if (user.type === SERVICE) {
+        return await canReadObjectsAsB2BAppServiceUser(args)
+    }
+
     const permittedOrganizations = await getEmployedOrRelatedOrganizationsByPermissions(context, user, [])
 
     return {

apps/condo/migrations/20250311153856-0459_auto_20250311_1039.js

@@ -0,0 +1,52 @@
+// auto generated by kmigrator
+// KMIGRATOR:0459_auto_20250311_1039:IyBHZW5lcmF0ZWQgYnkgRGphbmdvIDMuMi41IG9uIDIwMjUtMDMtMTEgMTA6MzkKCmZyb20gZGphbmdvLmRiIGltcG9ydCBtaWdyYXRpb25zLCBtb2RlbHMKCgpjbGFzcyBNaWdyYXRpb24obWlncmF0aW9ucy5NaWdyYXRpb24pOgoKICAgIGRlcGVuZGVuY2llcyA9IFsKICAgICAgICAoJ19kamFuZ29fc2NoZW1hJywgJzA0NThfYjJiYXBwYWNjZXNzcmlnaHRzZXRfY2FubWFuYWdlaW52b2ljZXNfYW5kX21vcmUnKSwKICAgIF0KCiAgICBvcGVyYXRpb25zID0gWwogICAgICAgIG1pZ3JhdGlvbnMuQWRkRmllbGQoCiAgICAgICAgICAgIG1vZGVsX25hbWU9J2IyYmFwcGFjY2Vzc3JpZ2h0c2V0JywKICAgICAgICAgICAgbmFtZT0nY2FuTWFuYWdlT3JnYW5pemF0aW9uRW1wbG95ZWVSb2xlcycsCiAgICAgICAgICAgIGZpZWxkPW1vZGVscy5Cb29sZWFuRmllbGQoZGVmYXVsdD1GYWxzZSksCiAgICAgICAgKSwKICAgICAgICBtaWdyYXRpb25zLkFkZEZpZWxkKAogICAgICAgICAgICBtb2RlbF9uYW1lPSdiMmJhcHBhY2Nlc3NyaWdodHNldCcsCiAgICAgICAgICAgIG5hbWU9J2NhblJlYWRPcmdhbml6YXRpb25FbXBsb3llZVJvbGVzJywKICAgICAgICAgICAgZmllbGQ9bW9kZWxzLkJvb2xlYW5GaWVsZChkZWZhdWx0PUZhbHNlKSwKICAgICAgICApLAogICAgICAgIG1pZ3JhdGlvbnMuQWRkRmllbGQoCiAgICAgICAgICAgIG1vZGVsX25hbWU9J2IyYmFwcGFjY2Vzc3JpZ2h0c2V0aGlzdG9yeXJlY29yZCcsCiAgICAgICAgICAgIG5hbWU9J2Nhbk1hbmFnZU9yZ2FuaXphdGlvbkVtcGxveWVlUm9sZXMnLAogICAgICAgICAgICBmaWVsZD1tb2RlbHMuQm9vbGVhbkZpZWxkKGJsYW5rPVRydWUsIG51bGw9VHJ1ZSksCiAgICAgICAgKSwKICAgICAgICBtaWdyYXRpb25zLkFkZEZpZWxkKAogICAgICAgICAgICBtb2RlbF9uYW1lPSdiMmJhcHBhY2Nlc3NyaWdodHNldGhpc3RvcnlyZWNvcmQnLAogICAgICAgICAgICBuYW1lPSdjYW5SZWFkT3JnYW5pemF0aW9uRW1wbG95ZWVSb2xlcycsCiAgICAgICAgICAgIGZpZWxkPW1vZGVscy5Cb29sZWFuRmllbGQoYmxhbms9VHJ1ZSwgbnVsbD1UcnVlKSwKICAgICAgICApLAogICAgXQo=
+
+exports.up = async (knex) => {
+    await knex.raw(`
+    BEGIN;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" ADD COLUMN "canManageOrganizationEmployeeRoles" boolean DEFAULT false NOT NULL;
+ALTER TABLE "B2BAppAccessRightSet" ALTER COLUMN "canManageOrganizationEmployeeRoles" DROP DEFAULT;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" ADD COLUMN "canReadOrganizationEmployeeRoles" boolean DEFAULT false NOT NULL;
+ALTER TABLE "B2BAppAccessRightSet" ALTER COLUMN "canReadOrganizationEmployeeRoles" DROP DEFAULT;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" ADD COLUMN "canManageOrganizationEmployeeRoles" boolean NULL;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" ADD COLUMN "canReadOrganizationEmployeeRoles" boolean NULL;
+COMMIT;
+
+    `)
+}
+
+exports.down = async (knex) => {
+    await knex.raw(`
+    BEGIN;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" DROP COLUMN "canReadOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" DROP COLUMN "canManageOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" DROP COLUMN "canReadOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" DROP COLUMN "canManageOrganizationEmployeeRoles" CASCADE;
+COMMIT;
+
+    `)
+}

apps/condo/schema.graphql

@@ -72426,6 +72426,8 @@ type B2BAppAccessRightSetHistoryRecord {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72529,6 +72531,10 @@ input B2BAppAccessRightSetHistoryRecordWhereInput {
   canReadOrganizationEmployees_not: Boolean
   canManageOrganizationEmployees: Boolean
   canManageOrganizationEmployees_not: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canReadOrganizationEmployeeRoles_not: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles_not: Boolean
   canReadProperties: Boolean
   canReadProperties_not: Boolean
   canManageProperties: Boolean
@@ -72674,6 +72680,10 @@ enum SortB2BAppAccessRightSetHistoryRecordsBy {
   canReadOrganizationEmployees_DESC
   canManageOrganizationEmployees_ASC
   canManageOrganizationEmployees_DESC
+  canReadOrganizationEmployeeRoles_ASC
+  canReadOrganizationEmployeeRoles_DESC
+  canManageOrganizationEmployeeRoles_ASC
+  canManageOrganizationEmployeeRoles_DESC
   canReadProperties_ASC
   canReadProperties_DESC
   canManageProperties_ASC
@@ -72738,6 +72748,8 @@ input B2BAppAccessRightSetHistoryRecordUpdateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72790,6 +72802,8 @@ input B2BAppAccessRightSetHistoryRecordCreateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72877,6 +72891,11 @@ type B2BAppAccessRightSet {
   """ Currently, this field is read-only. You cannot get manage access for the specified schema. 
   """
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+
+  """ Currently, this field is read-only. You cannot get manage access for the specified schema. 
+  """
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72972,6 +72991,10 @@ input B2BAppAccessRightSetWhereInput {
   canReadOrganizationEmployees_not: Boolean
   canManageOrganizationEmployees: Boolean
   canManageOrganizationEmployees_not: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canReadOrganizationEmployeeRoles_not: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles_not: Boolean
   canReadProperties: Boolean
   canReadProperties_not: Boolean
   canManageProperties: Boolean
@@ -73099,6 +73122,10 @@ enum SortB2BAppAccessRightSetsBy {
   canReadOrganizationEmployees_DESC
   canManageOrganizationEmployees_ASC
   canManageOrganizationEmployees_DESC
+  canReadOrganizationEmployeeRoles_ASC
+  canReadOrganizationEmployeeRoles_DESC
+  canManageOrganizationEmployeeRoles_ASC
+  canManageOrganizationEmployeeRoles_DESC
   canReadProperties_ASC
   canReadProperties_DESC
   canManageProperties_ASC
@@ -73163,6 +73190,8 @@ input B2BAppAccessRightSetUpdateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -73212,6 +73241,8 @@ input B2BAppAccessRightSetCreateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean