Merge remote-tracking branch 'origin/develop' into develop

Author: James Cori

docs/swagger.yaml

@@ -2095,7 +2095,7 @@ paths:
       tags:
         - Attachments
       description: >
-        Create a new attachment in the system.
+        Create a new attachment in the system. If you want to create multiple attachment, you can pass an array of objects instead of a single object.
       security:
         - bearer: []
       produces:

src/common/helper.js

@@ -639,13 +639,19 @@ function getESClient () {
 /**
  * Ensure project exist
  * @param {String} projectId the project id
- * @param {String} userToken the user token
+ * @param {String} currentUser the user
  */
-async function ensureProjectExist (projectId, userToken) {
+async function ensureProjectExist (projectId, currentUser) {
   let token = await getM2MToken()
   const url = `${config.PROJECTS_API_URL}/${projectId}`
   try {
-    await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (currentUser.isMachine || hasAdminRole(currentUser)) {
+      return
+    }
+    if (!_.find(_.get(res, 'data.members', []), m => _.toString(m.userId) === _.toString(currentUser.userId))) {
+      throw new errors.ForbiddenError(`You don't have access to project with ID: ${projectId}`)
+    }
   } catch (err) {
     if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
       throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)

src/controllers/AttachmentController.js

@@ -2,6 +2,7 @@
  * Controller for attachment endpoints
  */
 const HttpStatus = require('http-status-codes')
+const _ = require('lodash')
 const service = require('../services/AttachmentService')
 
 /**
@@ -10,7 +11,8 @@ const service = require('../services/AttachmentService')
  * @param {Object} res the response
  */
 async function createAttachment (req, res) {
-  const result = await service.createAttachment(req.authUser, req.params.challengeId, req.body)
+  const body = _.isArray(req.body) ? req.body : [req.body]
+  const result = await service.createAttachment(req.authUser, req.params.challengeId, body)
   res.status(HttpStatus.CREATED).send(result)
 }
 

src/controllers/ChallengeController.js

@@ -24,7 +24,7 @@ async function searchChallenges (req, res) {
  */
 async function createChallenge (req, res) {
   logger.debug(`createChallenge User: ${JSON.stringify(req.authUser)} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.createChallenge(req.authUser, req.body, req.userToken)
+  const result = await service.createChallenge(req.authUser, req.body)
   res.status(HttpStatus.CREATED).send(result)
 }
 
@@ -45,7 +45,7 @@ async function getChallenge (req, res) {
  */
 async function fullyUpdateChallenge (req, res) {
   logger.debug(`fullyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken)
+  const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body)
   res.send(result)
 }
 
@@ -56,7 +56,7 @@ async function fullyUpdateChallenge (req, res) {
  */
 async function partiallyUpdateChallenge (req, res) {
   logger.debug(`partiallyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken)
+  const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body)
   res.send(result)
 }
 

src/services/AttachmentService.js

@@ -52,36 +52,40 @@ async function _getChallengeAttachment (challengeId, attachmentId) {
 /**
  * Create attachment.
  * @param {String} challengeId the challenge id
- * @param {Object} attachment the attachment to created
+ * @param {Array} attachments the attachments to be created
  * @returns {Object} the created attachment
  */
-async function createAttachment (currentUser, challengeId, attachment) {
+async function createAttachment (currentUser, challengeId, attachments) {
   const challenge = await helper.getById('Challenge', challengeId)
   await helper.ensureUserCanModifyChallenge(currentUser, challenge)
-  validateUrl(attachment.url)
-  const attachmentObject = { id: uuid(), challengeId, ...attachment }
-  const ret = await helper.create('Attachment', attachmentObject)
+  const newAttachments = []
+  for (const attachment of attachments) {
+    validateUrl(attachment.url)
+    const attachmentObject = { id: uuid(), challengeId, ...attachment }
+    const newAttachment = await helper.create('Attachment', attachmentObject)
+    await helper.postBusEvent(constants.Topics.ChallengeAttachmentCreated, newAttachment)
+    newAttachments.push(newAttachment)
+  }
   // update challenge object
   await challengeService.partiallyUpdateChallenge(currentUser, challengeId, {
     attachments: [
       ..._.get(challenge, 'attachments', []),
-      ret
+      ...newAttachments
     ]
   })
   // post bus event
-  await helper.postBusEvent(constants.Topics.ChallengeAttachmentCreated, ret)
-  return ret
+  return newAttachments
 }
 
 createAttachment.schema = {
   currentUser: Joi.any(),
   challengeId: Joi.id(),
-  attachment: Joi.object().keys({
+  attachments: Joi.array().items(Joi.object().keys({
     name: Joi.string().required(),
     url: Joi.string().uri().required(),
     fileSize: Joi.fileSize(),
     description: Joi.string()
-  }).required()
+  })).required().min(1)
 }
 
 /**

src/services/ChallengeService.js

@@ -813,10 +813,9 @@ async function populatePhases (phases, startDate, timelineTemplateId) {
  * Create challenge.
  * @param {Object} currentUser the user who perform operation
  * @param {Object} challenge the challenge to created
- * @param {String} userToken the user token
  * @returns {Object} the created challenge
  */
-async function createChallenge (currentUser, challenge, userToken) {
+async function createChallenge (currentUser, challenge) {
   if (!_.isUndefined(_.get(challenge, 'legacy.reviewType'))) {
     _.set(challenge, 'legacy.reviewType', _.toUpper(_.get(challenge, 'legacy.reviewType')))
   }
@@ -825,7 +824,7 @@ async function createChallenge (currentUser, challenge, userToken) {
   if (challenge.status === constants.challengeStatuses.Active) {
     throw new errors.BadRequestError('You cannot create an Active challenge. Please create a Draft challenge and then change the status to Active.')
   }
-  await helper.ensureProjectExist(challenge.projectId, userToken)
+  await helper.ensureProjectExist(challenge.projectId, currentUser)
   const { track, type } = await validateChallengeData(challenge)
   if (_.get(type, 'isTask')) {
     _.set(challenge, 'task.isTask', true)
@@ -1021,8 +1020,7 @@ createChallenge.schema = {
       id: Joi.id(),
       roleId: Joi.id()
     }))
-  }).required(),
-  userToken: Joi.any()
+  }).required()
 }
 
 /**
@@ -1176,16 +1174,15 @@ async function validateWinners (winners, challengeId) {
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @param {Boolean} isFull the flag indicate it is a fully update operation.
  * @returns {Object} the updated challenge
  */
-async function update (currentUser, challengeId, data, userToken, isFull) {
+async function update (currentUser, challengeId, data, isFull) {
   if (!_.isUndefined(_.get(data, 'legacy.reviewType'))) {
     _.set(data, 'legacy.reviewType', _.toUpper(_.get(data, 'legacy.reviewType')))
   }
   if (data.projectId) {
-    await helper.ensureProjectExist(data.projectId, userToken)
+    await helper.ensureProjectExist(data.projectId, currentUser)
   }
 
   helper.ensureNoDuplicateOrNullElements(data.tags, 'tags')
@@ -1697,11 +1694,10 @@ function sanitizeChallenge (challenge) {
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @returns {Object} the updated challenge
  */
-async function fullyUpdateChallenge (currentUser, challengeId, data, userToken) {
-  return update(currentUser, challengeId, sanitizeChallenge(data), userToken, true)
+async function fullyUpdateChallenge (currentUser, challengeId, data) {
+  return update(currentUser, challengeId, sanitizeChallenge(data), true)
 }
 
 fullyUpdateChallenge.schema = {
@@ -1785,20 +1781,18 @@ fullyUpdateChallenge.schema = {
       roleId: Joi.id()
     }).unknown(true)).optional().allow([]),
     overview: Joi.any().forbidden()
-  }).unknown(true).required(),
-  userToken: Joi.any()
+  }).unknown(true).required()
 }
 
 /**
  * Partially update challenge.
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @returns {Object} the updated challenge
  */
-async function partiallyUpdateChallenge (currentUser, challengeId, data, userToken) {
-  return update(currentUser, challengeId, sanitizeChallenge(data), userToken)
+async function partiallyUpdateChallenge (currentUser, challengeId, data) {
+  return update(currentUser, challengeId, sanitizeChallenge(data))
 }
 
 partiallyUpdateChallenge.schema = {
@@ -1879,8 +1873,7 @@ partiallyUpdateChallenge.schema = {
     }).unknown(true)).min(1),
     terms: Joi.array().items(Joi.id().optional()).optional().allow([]),
     overview: Joi.any().forbidden()
-  }).unknown(true).required(),
-  userToken: Joi.any()
+  }).unknown(true).required()
 }
 
 /**