fix(pass): DOMA-11223 get only permitted employees for sending push in pass miniapp (#5903)

* fix(pass): DOMA-11223 get only permitted employees for sending push in pass miniapp

* chore(condo): DOMA-11223 recreate migration after rebase

* fix(condo): DOMA-11223 query B2BAppRole without employee role in test

* chore(pass): DOMA-11223 update submodule to main

Author: nomerdvadcatpyat

apps/condo/domains/miniapp/gql.js

@@ -70,6 +70,9 @@ const B2BAppPromoBlock = generateGqlQueries('B2BAppPromoBlock', B2B_APP_PROMO_BL
 const B2B_APP_ROLE_FIELDS = `{ app { id } role { id } permissions ${COMMON_FIELDS} }`
 const B2BAppRole = generateGqlQueries('B2BAppRole', B2B_APP_ROLE_FIELDS)
 
+const B2B_APP_ROLE_WITHOUT_EMPLOYEE_ROLE_FIELDS = `{ app { id } permissions ${COMMON_FIELDS} }`
+const B2BAppRoleWithoutEmployeeRole = generateGqlQueries('B2BAppRole', B2B_APP_ROLE_WITHOUT_EMPLOYEE_ROLE_FIELDS)
+
 const MESSAGE_APP_BLACK_LIST_FIELDS = `{ app { id } description ${COMMON_FIELDS} }`
 const MessageAppBlackList = generateGqlQueries('MessageAppBlackList', MESSAGE_APP_BLACK_LIST_FIELDS)
 
@@ -115,5 +118,6 @@ module.exports = {
     B2BAccessTokenReadonlyAdmin,
     AppMessageSetting,
     SEND_B2B_APP_PUSH_MESSAGE_MUTATION,
+    B2BAppRoleWithoutEmployeeRole,
 /* AUTOGENERATE MARKER <EXPORTS> */
 }

apps/condo/domains/miniapp/schema/B2BAppAccessRightSet.test.js

@@ -542,6 +542,8 @@ describe('B2BApp permissions for service user', () => {
         expect(foundRight).toHaveProperty('accessRightSet.canReadTicketCommentFiles', false)
         expect(foundRight).toHaveProperty('accessRightSet.canReadTicketCommentFiles', false)
         expect(foundRight).toHaveProperty('accessRightSet.canExecuteSendB2BAppPushMessage', false)
+        expect(foundRight).toHaveProperty('accessRightSet.canReadOrganizationEmployeeRoles', false)
+        expect(foundRight).toHaveProperty('accessRightSet.canManageOrganizationEmployeeRoles', false)
     })
 
     describe('Bulk-operations', () => {

apps/condo/domains/miniapp/schema/B2BAppRole.test.js

@@ -16,9 +16,9 @@ const {
     waitFor,
 } = require('@open-condo/keystone/test.utils')
 
-const { NOT_FOUND } = require('@condo/domains/common/constants/errors')
 const {
     B2BAppRole,
+    B2BAppRoleWithoutEmployeeRole,
     createTestB2BAppRole,
     updateTestB2BAppRole,
     createTestB2BApp,
@@ -252,7 +252,7 @@ describe('B2BAppRole', () => {
                 await createTestB2BAppContext(manager, anotherApp, manager.organization)
                 const [anotherAppRole] = await createTestB2BAppRole(manager, anotherApp, employee.role)
 
-                const roles = await B2BAppRole.getAll(serviceUser, { id_in: [role.id, anotherRole.id, anotherAppRole.id] })
+                const roles = await B2BAppRoleWithoutEmployeeRole.getAll(serviceUser, { id_in: [role.id, anotherRole.id, anotherAppRole.id] })
                 expect(roles).toHaveLength(2)
                 expect(roles).toEqual(expect.arrayContaining([
                     expect.objectContaining({ id: role.id }),

apps/condo/domains/miniapp/utils/b2bAppServiceUserAccess/config.js

@@ -77,6 +77,9 @@ const B2B_APP_SERVICE_USER_ACCESS_AVAILABLE_SCHEMAS = {
         OrganizationEmployee: {
             canBeManaged: false,
         },
+        OrganizationEmployeeRole: {
+            canBeManaged: false,
+        },
 
         // Property domain
         Property: {},

apps/condo/domains/miniapp/utils/testSchema/index.js

@@ -29,7 +29,7 @@ const {
 } = require('@condo/domains/miniapp/gql')
 const { MessageAppBlackList: MessageAppBlackListGQL } = require('@condo/domains/miniapp/gql')
 const { B2BAppPermission: B2BAppPermissionGQL } = require('@condo/domains/miniapp/gql')
-const { B2BAppRole: B2BAppRoleGQL } = require('@condo/domains/miniapp/gql')
+const { B2BAppRole: B2BAppRoleGQL, B2BAppRoleWithoutEmployeeRole: B2BAppRoleWithoutEmployeeRoleGQL } = require('@condo/domains/miniapp/gql')
 const { B2BAppAccessRightSet: B2BAppAccessRightSetGQL } = require('@condo/domains/miniapp/gql')
 const { B2BAppNewsSharingConfig: B2BAppNewsSharingConfigGQL } = require('@condo/domains/miniapp/gql')
 const { B2BAccessToken: B2BAccessTokenGQL } = require('@condo/domains/miniapp/gql')
@@ -67,6 +67,7 @@ const B2BAppPromoBlock = generateGQLTestUtils(B2BAppPromoBlockGQL)
 const MessageAppBlackList = generateGQLTestUtils(MessageAppBlackListGQL)
 const B2BAppPermission = generateGQLTestUtils(B2BAppPermissionGQL)
 const B2BAppRole = generateGQLTestUtils(B2BAppRoleGQL)
+const B2BAppRoleWithoutEmployeeRole = generateGQLTestUtils(B2BAppRoleWithoutEmployeeRoleGQL)
 const B2BAppAccessRightSet = generateGQLTestUtils(B2BAppAccessRightSetGQL)
 const B2BAppNewsSharingConfig = generateGQLTestUtils(B2BAppNewsSharingConfigGQL)
 const AppMessageSetting = generateGQLTestUtils(AppMessageSettingGQL)
@@ -692,7 +693,7 @@ module.exports = {
     B2CAppProperty, createTestB2CAppProperty, updateTestB2CAppProperty,
     sendB2CAppPushMessageByTestClient,
     MessageAppBlackList, createTestMessageAppBlackList, updateTestMessageAppBlackList,
-    B2BAppRole, createTestB2BAppRole, updateTestB2BAppRole,
+    B2BAppRole, B2BAppRoleWithoutEmployeeRole, createTestB2BAppRole, updateTestB2BAppRole,
     B2BAppAccessRightSet, createTestB2BAppAccessRightSet, updateTestB2BAppAccessRightSet,
     B2BAppNewsSharingConfig, createTestB2BAppNewsSharingConfig, updateTestB2BAppNewsSharingConfig,
     sendB2BAppPushMessageByTestClient,

apps/condo/domains/organization/access/OrganizationEmployeeRole.js

@@ -6,18 +6,26 @@ const get = require('lodash/get')
 const { throwAuthenticationError } = require('@open-condo/keystone/apolloErrorFormatter')
 const { getById } = require('@open-condo/keystone/schema')
 
+const { canReadObjectsAsB2BAppServiceUser } = require('@condo/domains/miniapp/utils/b2bAppServiceUserAccess')
 const {
     getEmployedOrRelatedOrganizationsByPermissions,
     checkPermissionsInEmployedOrRelatedOrganizations,
 } = require('@condo/domains/organization/utils/accessSchema')
+const { SERVICE } = require('@condo/domains/user/constants/common')
 
 
-async function canReadOrganizationEmployeeRoles ({ authentication: { item: user }, context }) {
+async function canReadOrganizationEmployeeRoles (args) {
+    const { authentication: { item: user }, context } = args
+
     if (!user) return throwAuthenticationError()
     if (user.deletedAt) return false
 
     if (user.isSupport || user.isAdmin) return {}
 
+    if (user.type === SERVICE) {
+        return await canReadObjectsAsB2BAppServiceUser(args)
+    }
+
     const permittedOrganizations = await getEmployedOrRelatedOrganizationsByPermissions(context, user, [])
 
     return {

apps/condo/migrations/20250313095904-0460_auto_20250313_0459.js

@@ -0,0 +1,52 @@
+// auto generated by kmigrator
+// KMIGRATOR:0460_auto_20250313_0459:IyBHZW5lcmF0ZWQgYnkgRGphbmdvIDMuMi41IG9uIDIwMjUtMDMtMTMgMDQ6NTkKCmZyb20gZGphbmdvLmRiIGltcG9ydCBtaWdyYXRpb25zLCBtb2RlbHMKCgpjbGFzcyBNaWdyYXRpb24obWlncmF0aW9ucy5NaWdyYXRpb24pOgoKICAgIGRlcGVuZGVuY2llcyA9IFsKICAgICAgICAoJ19kamFuZ29fc2NoZW1hJywgJzA0NTlfYXV0b18yMDI1MDMxMF8xNDQ4JyksCiAgICBdCgogICAgb3BlcmF0aW9ucyA9IFsKICAgICAgICBtaWdyYXRpb25zLkFkZEZpZWxkKAogICAgICAgICAgICBtb2RlbF9uYW1lPSdiMmJhcHBhY2Nlc3NyaWdodHNldCcsCiAgICAgICAgICAgIG5hbWU9J2Nhbk1hbmFnZU9yZ2FuaXphdGlvbkVtcGxveWVlUm9sZXMnLAogICAgICAgICAgICBmaWVsZD1tb2RlbHMuQm9vbGVhbkZpZWxkKGRlZmF1bHQ9RmFsc2UpLAogICAgICAgICksCiAgICAgICAgbWlncmF0aW9ucy5BZGRGaWVsZCgKICAgICAgICAgICAgbW9kZWxfbmFtZT0nYjJiYXBwYWNjZXNzcmlnaHRzZXQnLAogICAgICAgICAgICBuYW1lPSdjYW5SZWFkT3JnYW5pemF0aW9uRW1wbG95ZWVSb2xlcycsCiAgICAgICAgICAgIGZpZWxkPW1vZGVscy5Cb29sZWFuRmllbGQoZGVmYXVsdD1GYWxzZSksCiAgICAgICAgKSwKICAgICAgICBtaWdyYXRpb25zLkFkZEZpZWxkKAogICAgICAgICAgICBtb2RlbF9uYW1lPSdiMmJhcHBhY2Nlc3NyaWdodHNldGhpc3RvcnlyZWNvcmQnLAogICAgICAgICAgICBuYW1lPSdjYW5NYW5hZ2VPcmdhbml6YXRpb25FbXBsb3llZVJvbGVzJywKICAgICAgICAgICAgZmllbGQ9bW9kZWxzLkJvb2xlYW5GaWVsZChibGFuaz1UcnVlLCBudWxsPVRydWUpLAogICAgICAgICksCiAgICAgICAgbWlncmF0aW9ucy5BZGRGaWVsZCgKICAgICAgICAgICAgbW9kZWxfbmFtZT0nYjJiYXBwYWNjZXNzcmlnaHRzZXRoaXN0b3J5cmVjb3JkJywKICAgICAgICAgICAgbmFtZT0nY2FuUmVhZE9yZ2FuaXphdGlvbkVtcGxveWVlUm9sZXMnLAogICAgICAgICAgICBmaWVsZD1tb2RlbHMuQm9vbGVhbkZpZWxkKGJsYW5rPVRydWUsIG51bGw9VHJ1ZSksCiAgICAgICAgKSwKICAgIF0K
+
+exports.up = async (knex) => {
+    await knex.raw(`
+    BEGIN;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" ADD COLUMN "canManageOrganizationEmployeeRoles" boolean DEFAULT false NOT NULL;
+ALTER TABLE "B2BAppAccessRightSet" ALTER COLUMN "canManageOrganizationEmployeeRoles" DROP DEFAULT;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" ADD COLUMN "canReadOrganizationEmployeeRoles" boolean DEFAULT false NOT NULL;
+ALTER TABLE "B2BAppAccessRightSet" ALTER COLUMN "canReadOrganizationEmployeeRoles" DROP DEFAULT;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" ADD COLUMN "canManageOrganizationEmployeeRoles" boolean NULL;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" ADD COLUMN "canReadOrganizationEmployeeRoles" boolean NULL;
+COMMIT;
+
+    `)
+}
+
+exports.down = async (knex) => {
+    await knex.raw(`
+    BEGIN;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" DROP COLUMN "canReadOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightsethistoryrecord
+--
+ALTER TABLE "B2BAppAccessRightSetHistoryRecord" DROP COLUMN "canManageOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canReadOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" DROP COLUMN "canReadOrganizationEmployeeRoles" CASCADE;
+--
+-- Add field canManageOrganizationEmployeeRoles to b2bappaccessrightset
+--
+ALTER TABLE "B2BAppAccessRightSet" DROP COLUMN "canManageOrganizationEmployeeRoles" CASCADE;
+COMMIT;
+
+    `)
+}

apps/condo/schema.graphql

@@ -72429,6 +72429,8 @@ type B2BAppAccessRightSetHistoryRecord {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72532,6 +72534,10 @@ input B2BAppAccessRightSetHistoryRecordWhereInput {
   canReadOrganizationEmployees_not: Boolean
   canManageOrganizationEmployees: Boolean
   canManageOrganizationEmployees_not: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canReadOrganizationEmployeeRoles_not: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles_not: Boolean
   canReadProperties: Boolean
   canReadProperties_not: Boolean
   canManageProperties: Boolean
@@ -72677,6 +72683,10 @@ enum SortB2BAppAccessRightSetHistoryRecordsBy {
   canReadOrganizationEmployees_DESC
   canManageOrganizationEmployees_ASC
   canManageOrganizationEmployees_DESC
+  canReadOrganizationEmployeeRoles_ASC
+  canReadOrganizationEmployeeRoles_DESC
+  canManageOrganizationEmployeeRoles_ASC
+  canManageOrganizationEmployeeRoles_DESC
   canReadProperties_ASC
   canReadProperties_DESC
   canManageProperties_ASC
@@ -72741,6 +72751,8 @@ input B2BAppAccessRightSetHistoryRecordUpdateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72793,6 +72805,8 @@ input B2BAppAccessRightSetHistoryRecordCreateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72880,6 +72894,11 @@ type B2BAppAccessRightSet {
   """ Currently, this field is read-only. You cannot get manage access for the specified schema. 
   """
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+
+  """ Currently, this field is read-only. You cannot get manage access for the specified schema. 
+  """
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -72975,6 +72994,10 @@ input B2BAppAccessRightSetWhereInput {
   canReadOrganizationEmployees_not: Boolean
   canManageOrganizationEmployees: Boolean
   canManageOrganizationEmployees_not: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canReadOrganizationEmployeeRoles_not: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles_not: Boolean
   canReadProperties: Boolean
   canReadProperties_not: Boolean
   canManageProperties: Boolean
@@ -73102,6 +73125,10 @@ enum SortB2BAppAccessRightSetsBy {
   canReadOrganizationEmployees_DESC
   canManageOrganizationEmployees_ASC
   canManageOrganizationEmployees_DESC
+  canReadOrganizationEmployeeRoles_ASC
+  canReadOrganizationEmployeeRoles_DESC
+  canManageOrganizationEmployeeRoles_ASC
+  canManageOrganizationEmployeeRoles_DESC
   canReadProperties_ASC
   canReadProperties_DESC
   canManageProperties_ASC
@@ -73166,6 +73193,8 @@ input B2BAppAccessRightSetUpdateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean
@@ -73215,6 +73244,8 @@ input B2BAppAccessRightSetCreateInput {
   canManageOrganizations: Boolean
   canReadOrganizationEmployees: Boolean
   canManageOrganizationEmployees: Boolean
+  canReadOrganizationEmployeeRoles: Boolean
+  canManageOrganizationEmployeeRoles: Boolean
   canReadProperties: Boolean
   canManageProperties: Boolean
   canReadTickets: Boolean