topcoder-platform · rootelement · Jan 6, 2021 · Jan 6, 2021
diff --git a/src/common/helper.js b/src/common/helper.js
@@ -639,13 +639,19 @@ function getESClient () {
 /**
  * Ensure project exist
  * @param {String} projectId the project id
- * @param {String} userToken the user token
+ * @param {String} currentUser the user
  */
-async function ensureProjectExist (projectId, userToken) {
+async function ensureProjectExist (projectId, currentUser) {
   let token = await getM2MToken()
   const url = `${config.PROJECTS_API_URL}/${projectId}`
   try {
-    await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (currentUser.isMachine || hasAdminRole(currentUser)) {
+      return
+    }
+    if (!_.find(_.get(res, 'data.members', []), m => _.toString(m.userId) === _.toString(currentUser.userId))) {
+      throw new errors.ForbiddenError(`You don't have access to project with ID: ${projectId}`)
+    }
   } catch (err) {
     if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
       throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)

diff --git a/src/controllers/ChallengeController.js b/src/controllers/ChallengeController.js
@@ -24,7 +24,7 @@ async function searchChallenges (req, res) {
  */
 async function createChallenge (req, res) {
   logger.debug(`createChallenge User: ${JSON.stringify(req.authUser)} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.createChallenge(req.authUser, req.body, req.userToken)
+  const result = await service.createChallenge(req.authUser, req.body)
   res.status(HttpStatus.CREATED).send(result)
 }
 
@@ -45,7 +45,7 @@ async function getChallenge (req, res) {
  */
 async function fullyUpdateChallenge (req, res) {
   logger.debug(`fullyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken)
+  const result = await service.fullyUpdateChallenge(req.authUser, req.params.challengeId, req.body)
   res.send(result)
 }
 
@@ -56,7 +56,7 @@ async function fullyUpdateChallenge (req, res) {
  */
 async function partiallyUpdateChallenge (req, res) {
   logger.debug(`partiallyUpdateChallenge User: ${JSON.stringify(req.authUser)} - ChallengeID: ${req.params.challengeId} - Body: ${JSON.stringify(req.body)}`)
-  const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body, req.userToken)
+  const result = await service.partiallyUpdateChallenge(req.authUser, req.params.challengeId, req.body)
   res.send(result)
 }
 

diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -813,10 +813,9 @@ async function populatePhases (phases, startDate, timelineTemplateId) {
  * Create challenge.
  * @param {Object} currentUser the user who perform operation
  * @param {Object} challenge the challenge to created
- * @param {String} userToken the user token
  * @returns {Object} the created challenge
  */
-async function createChallenge (currentUser, challenge, userToken) {
+async function createChallenge (currentUser, challenge) {
   if (!_.isUndefined(_.get(challenge, 'legacy.reviewType'))) {
     _.set(challenge, 'legacy.reviewType', _.toUpper(_.get(challenge, 'legacy.reviewType')))
   }
@@ -825,7 +824,7 @@ async function createChallenge (currentUser, challenge, userToken) {
   if (challenge.status === constants.challengeStatuses.Active) {
     throw new errors.BadRequestError('You cannot create an Active challenge. Please create a Draft challenge and then change the status to Active.')
   }
-  await helper.ensureProjectExist(challenge.projectId, userToken)
+  await helper.ensureProjectExist(challenge.projectId, currentUser)
   const { track, type } = await validateChallengeData(challenge)
   if (_.get(type, 'isTask')) {
     _.set(challenge, 'task.isTask', true)
@@ -1021,8 +1020,7 @@ createChallenge.schema = {
       id: Joi.id(),
       roleId: Joi.id()
     }))
-  }).required(),
-  userToken: Joi.any()
+  }).required()
 }
 
 /**
@@ -1176,16 +1174,15 @@ async function validateWinners (winners, challengeId) {
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @param {Boolean} isFull the flag indicate it is a fully update operation.
  * @returns {Object} the updated challenge
  */
-async function update (currentUser, challengeId, data, userToken, isFull) {
+async function update (currentUser, challengeId, data, isFull) {
   if (!_.isUndefined(_.get(data, 'legacy.reviewType'))) {
     _.set(data, 'legacy.reviewType', _.toUpper(_.get(data, 'legacy.reviewType')))
   }
   if (data.projectId) {
-    await helper.ensureProjectExist(data.projectId, userToken)
+    await helper.ensureProjectExist(data.projectId, currentUser)
   }
 
   helper.ensureNoDuplicateOrNullElements(data.tags, 'tags')
@@ -1697,11 +1694,10 @@ function sanitizeChallenge (challenge) {
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @returns {Object} the updated challenge
  */
-async function fullyUpdateChallenge (currentUser, challengeId, data, userToken) {
-  return update(currentUser, challengeId, sanitizeChallenge(data), userToken, true)
+async function fullyUpdateChallenge (currentUser, challengeId, data) {
+  return update(currentUser, challengeId, sanitizeChallenge(data), true)
 }
 
 fullyUpdateChallenge.schema = {
@@ -1785,20 +1781,18 @@ fullyUpdateChallenge.schema = {
       roleId: Joi.id()
     }).unknown(true)).optional().allow([]),
     overview: Joi.any().forbidden()
-  }).unknown(true).required(),
-  userToken: Joi.any()
+  }).unknown(true).required()
 }
 
 /**
  * Partially update challenge.
  * @param {Object} currentUser the user who perform operation
  * @param {String} challengeId the challenge id
  * @param {Object} data the challenge data to be updated
- * @param {String} userToken the user token
  * @returns {Object} the updated challenge
  */
-async function partiallyUpdateChallenge (currentUser, challengeId, data, userToken) {
-  return update(currentUser, challengeId, sanitizeChallenge(data), userToken)
+async function partiallyUpdateChallenge (currentUser, challengeId, data) {
+  return update(currentUser, challengeId, sanitizeChallenge(data))
 }
 
 partiallyUpdateChallenge.schema = {
@@ -1879,8 +1873,7 @@ partiallyUpdateChallenge.schema = {
     }).unknown(true)).min(1),
     terms: Joi.array().items(Joi.id().optional()).optional().allow([]),
     overview: Joi.any().forbidden()
-  }).unknown(true).required(),
-  userToken: Joi.any()
+  }).unknown(true).required()
 }
 
 /**