From 049982d427a4bc9cfebcf18b896b5a5205eae460 Mon Sep 17 00:00:00 2001 From: Thomas Kranitsas Date: Wed, 6 Jan 2021 19:58:07 +0200 Subject: [PATCH] user access updates --- src/common/helper.js | 12 ++++++++--- src/controllers/ChallengeController.js | 6 +++--- src/services/ChallengeService.js | 29 ++++++++++---------------- 3 files changed, 23 insertions(+), 24 deletions(-) diff --git a/src/common/helper.js b/src/common/helper.js index e30e67cf..7c7b9ab1 100644 --- a/src/common/helper.js +++ b/src/common/helper.js @@ -639,13 +639,19 @@ function getESClient () { /** * Ensure project exist * @param {String} projectId the project id - * @param {String} userToken the user token + * @param {String} currentUser the user */ -async function ensureProjectExist (projectId, userToken) { +async function ensureProjectExist (projectId, currentUser) { let token = await getM2MToken() const url = `${config.PROJECTS_API_URL}/${projectId}` try { - await axios.get(url, { headers: { Authorization: `Bearer ${token}` } }) + const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } }) + if (currentUser.isMachine || hasAdminRole(currentUser)) { + return + } + if (!_.find(_.get(res, 'data.members', []), m => _.toString(m.userId) === _.toString(currentUser.userId))) { + throw new errors.ForbiddenError(`You don't have access to project with ID: ${projectId}`) + } } catch (err) { if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) { throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`) diff --git a/src/controllers/ChallengeController.js b/src/controllers/ChallengeController.js index 61586671..1e4cfbb5 100644 --- a/src/controllers/ChallengeController.js +++ b/src/controllers/ChallengeController.js 
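Review bot: The new ForbiddenError on the membership check is thrown inside the `try`, so it lands in the `catch (err)` block rather than reaching the caller directly; the visible branch of that catch only handles a 404, and the rest of it is outside the hunk, so whether the ForbiddenError is rethrown unchanged or masked by a generic error cannot be confirmed here. Moving the admin/machine short-circuit and the membership test after the try/catch keeps the access-denied path out of the HTTP error handling, and `token` can be `const token = await getM2MToken()` since it is never reassigned. The JSDoc for the new parameter says `@param {String} currentUser` although the code reads `currentUser.isMachine` and `currentUser.userId`; `* @param {Object} currentUser the user performing the operation` matches the usage. The membership test accepts any entry in `data.members` irrespective of member role or status, which is presumably intended — confirm against the Projects API's member representation. The function's closing lines are outside the hunk.
```javascript
async function ensureProjectExist (projectId, currentUser) {
  const token = await getM2MToken()
  const url = `${config.PROJECTS_API_URL}/${projectId}`
  let res
  try {
    res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
  } catch (err) {
    // … unchanged: 404 → BadRequestError and the remaining error handling …
  }
  // Access check kept outside the try so a ForbiddenError is not routed through the HTTP error handling
  if (currentUser.isMachine || hasAdminRole(currentUser)) {
    return
  }
  const members = _.get(res, 'data.members', [])
  if (!_.find(members, m => _.toString(m.userId) === _.toString(currentUser.userId))) {
    throw new errors.ForbiddenError(`You don't have access to project with ID: ${projectId}`)
  }
```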
@@ -24,7 +24,7 @@ async function searchChallenges (req, res) { */ async function createChallenge (req, res) { logger.debug(`createChallenge User: ${JSON.stringify(req.authUser)} - Body: ${JSON.stringify(req.body)}`) - const result = await service.createChallenge(req.authUser, req.body, req.userToken) + const result = await service.createChallenge(req.authUser, req.body) res.status(HttpStatus.CREATED).send(result) } @@ -45,7 +45,7 @@ async function getChallenge (req, res) { */ async function fullyUpdateChallenge (req, res) { logger.debug(`fullyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`) - const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken) + const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body) res.send(result) } @@ -56,7 +56,7 @@ async function fullyUpdateChallenge (req, res) { */ async function partiallyUpdateChallenge (req, res) { logger.debug(`partiallyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`) - const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken) + const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body) res.send(result) } diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js index af0f96db..ddecb9e7 100644 --- a/src/services/ChallengeService.js +++ b/src/services/ChallengeService.js 
@@ -813,10 +813,9 @@ async function populatePhases (phases, startDate, timelineTemplateId) { * Create challenge. * @param {Object} currentUser the user who perform operation * @param {Object} challenge the challenge to created - * @param {String} userToken the user token * @returns {Object} the created challenge */ -async function createChallenge (currentUser, challenge, userToken) { +async function createChallenge (currentUser, challenge) { if (!_.isUndefined(_.get(challenge, 'legacy.reviewType'))) { _.set(challenge, 'legacy.reviewType', _.toUpper(_.get(challenge, 'legacy.reviewType'))) } @@ -825,7 +824,7 @@ async function createChallenge (currentUser, challenge, userToken) { if (challenge.status === constants.challengeStatuses.Active) { throw new errors.BadRequestError('You cannot create an Active challenge. Please create a Draft challenge and then change the status to Active.') } - await helper.ensureProjectExist(challenge.projectId, userToken) + await helper.ensureProjectExist(challenge.projectId, currentUser) const { track, type } = await validateChallengeData(challenge) if (_.get(type, 'isTask')) { _.set(challenge, 'task.isTask', true) @@ -1021,8 +1020,7 @@ createChallenge.schema = { id: Joi.id(), roleId: Joi.id() })) - }).required(), - userToken: Joi.any() + }).required() } /** 
@@ -1176,16 +1174,15 @@ async function validateWinners (winners, challengeId) { * @param {Object} currentUser the user who perform operation * @param {String} challengeId the challenge id * @param {Object} data the challenge data to be updated - * @param {String} userToken the user token * @param {Boolean} isFull the flag indicate it is a fully update operation. * @returns {Object} the updated challenge */ -async function update (currentUser, challengeId, data, userToken, isFull) { +async function update (currentUser, challengeId, data, isFull) { if (!_.isUndefined(_.get(data, 'legacy.reviewType'))) { _.set(data, 'legacy.reviewType', _.toUpper(_.get(data, 'legacy.reviewType'))) } if (data.projectId) { - await helper.ensureProjectExist(data.projectId, userToken) + await helper.ensureProjectExist(data.projectId, currentUser) } helper.ensureNoDuplicateOrNullElements(data.tags, 'tags') @@ -1697,11 +1694,10 @@ function sanitizeChallenge (challenge) { * @param {Object} currentUser the user who perform operation * @param {String} challengeId the challenge id * @param {Object} data the challenge data to be updated - * @param {String} userToken the user token * @returns {Object} the updated challenge */ -async function fullyUpdateChallenge (currentUser, challengeId, data, userToken) { - return update(currentUser, challengeId, sanitizeChallenge(data), userToken, true) +async function fullyUpdateChallenge (currentUser, challengeId, data) { + return update(currentUser, challengeId, sanitizeChallenge(data), true) } fullyUpdateChallenge.schema = { @@ -1785,8 +1781,7 @@ fullyUpdateChallenge.schema = { roleId: Joi.id() }).unknown(true)).optional().allow([]), overview: Joi.any().forbidden() - }).unknown(true).required(), - userToken: Joi.any() + }).unknown(true).required() } /** 
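Review bot: The project-access check in `update` runs only when the payload carries a `projectId`, so a non-admin user who is not a member of the challenge's project can still modify the challenge as long as the request leaves `projectId` untouched; unless the remainder of `update` (outside this hunk) verifies membership in the challenge's current project, this is a gap the create path does not have. Once the existing challenge record is loaded, a second call of the form `await helper.ensureProjectExist(<existing challenge projectId>, currentUser)` would close it, and when `projectId` is being changed it would also confirm access to the project the challenge is moved away from, not only the destination. `update`'s body continues past the end of the hunk.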
@@ -1794,11 +1789,10 @@ fullyUpdateChallenge.schema = { * @param {Object} currentUser the user who perform operation * @param {String} challengeId the challenge id * @param {Object} data the challenge data to be updated - * @param {String} userToken the user token * @returns {Object} the updated challenge */ -async function partiallyUpdateChallenge (currentUser, challengeId, data, userToken) { - return update(currentUser, challengeId, sanitizeChallenge(data), userToken) +async function partiallyUpdateChallenge (currentUser, challengeId, data) { + return update(currentUser, challengeId, sanitizeChallenge(data)) } partiallyUpdateChallenge.schema = { @@ -1879,8 +1873,7 @@ partiallyUpdateChallenge.schema = { }).unknown(true)).min(1), terms: Joi.array().items(Joi.id().optional()).optional().allow([]), overview: Joi.any().forbidden() - }).unknown(true).required(), - userToken: Joi.any() + }).unknown(true).required() } /**
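Review bot: `partiallyUpdateChallenge` now calls `update` with four positional arguments and leaves `isFull` implicitly `undefined`, while `fullyUpdateChallenge` passes `true` explicitly; with `userToken` removed from that position, passing the flag explicitly, `return update(currentUser, challengeId, sanitizeChallenge(data), false)`, makes the intent readable and prevents the trailing parameter from being mistaken for one that was accidentally dropped. The JSDoc above the function still describes `update`'s contract accurately after the parameter removal, so no further change is needed there.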