From f976de1e9cb8078ad3119ec525ecfc78af598817 Mon Sep 17 00:00:00 2001 From: sarojbehera1 Date: Thu, 5 Oct 2023 03:01:36 +0530 Subject: [PATCH 1/3] Validate Group Ids are valid or not --- src/common/helper.js | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/common/helper.js b/src/common/helper.js index f39800f0..33085b1d 100644 --- a/src/common/helper.js +++ b/src/common/helper.js @@ -898,7 +898,27 @@ async function _filterChallengesByGroupsAccess(currentUser, challenges) { const needToCheckForGroupAccess = !currentUser ? true : !currentUser.isMachine && !hasAdminRole(currentUser); - if (!needToCheckForGroupAccess) return challenges; + if(!needToCheckForGroupAccess) + { + for (const challenge of challenges) { + if(challenge && challenge.groups && challenge.groups.length>0) { + const promises = []; + _.each(challenge.groups, (g) => { + promises.push( + (async () => { + const group = await getGroupById(g); + if ( !group || !group.status==='active') { + throw new errors.BadRequestError("The groups provided are invalid "+g); + } + })() + ); + }); + await Promise.all(promises); + res.push(challenge); + } + } + return res; + } let userGroups; From 3357c683b9f5b4d1429c5339cfaabae693cf49c9 Mon Sep 17 00:00:00 2001 From: sarojbehera1 Date: Fri, 6 Oct 2023 03:40:01 +0530 Subject: [PATCH 2/3] Creating function for validate groups by getGroupById --- src/common/helper.js | 22 +------------------ src/services/ChallengeService.js | 36 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 21 deletions(-) diff --git a/src/common/helper.js b/src/common/helper.js index 33085b1d..f39800f0 100644 --- a/src/common/helper.js +++ b/src/common/helper.js 
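Review bot: In the block added to `_filterChallengesByGroupsAccess`, `!group.status==='active'` negates `group.status` before the comparison, so a boolean is compared with a string and the result is always false; an inactive group is never rejected and only a missing group throws. The condition should read `if (!group || group.status !== 'active')`. The same block pushes a challenge to `res` only when it has groups, so admin and machine callers would lose every ungrouped challenge from the result. `res` is not declared anywhere in the hunk; the function body continues outside it, so confirm it is in scope before this point. PATCH 2/3 reverts this hunk, so this matters only if 1/3 is applied or bisected on its own.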
@@ -898,27 +898,7 @@ async function _filterChallengesByGroupsAccess(currentUser, challenges) { const needToCheckForGroupAccess = !currentUser ? true : !currentUser.isMachine && !hasAdminRole(currentUser); - if(!needToCheckForGroupAccess) - { - for (const challenge of challenges) { - if(challenge && challenge.groups && challenge.groups.length>0) { - const promises = []; - _.each(challenge.groups, (g) => { - promises.push( - (async () => { - const group = await getGroupById(g); - if ( !group || !group.status==='active') { - throw new errors.BadRequestError("The groups provided are invalid "+g); - } - })() - ); - }); - await Promise.all(promises); - res.push(challenge); - } - } - return res; - } + if (!needToCheckForGroupAccess) return challenges; let userGroups; diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js index 9b0fd8da..eed62efb 100644 --- a/src/services/ChallengeService.js +++ b/src/services/ChallengeService.js @@ -910,6 +910,24 @@ searchChallenges.schema = { }) .unknown(true), }; +/** + * Validate Challenge groups. + * @param {Object} groups the group of a challenge + */ +async function validateGroups(groups) { + const promises = []; + _.each(groups, (g) => { + promises.push( + (async () => { + const group = await helper.getGroupById(g); + if (!group || group.status !== "active") { + throw new errors.BadRequestError("The groups provided are invalid " + g); + } + })() + ); + }); + await Promise.all(promises); +} /** * Create challenge. 
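Review bot: `validateGroups` (added to `ChallengeService.js`) starts one `helper.getGroupById` lookup per element of a request-supplied list, all at once through `Promise.all`, with no de-duplication and no cap on the list length. Iterating `_.uniq(groups)` would avoid repeated lookups of the same id, and a length limit belongs in the request schema if one is not already enforced there. The JSDoc declares `@param {Object} groups`, but the value is iterated as a list of ids; `@param {Array<string>} groups the group ids to validate` plus a `@throws` line for `BadRequestError` would describe it, assuming the ids are strings. Confirm what `getGroupById` does for an unknown id: if it rejects instead of returning a falsy value, the `!group` branch never runs and the caller sees that error rather than the 400. The same body is re-added as a `ChallengeHelper` method in PATCH 3/3, so these points apply there as well.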
@@ -921,6 +939,15 @@ searchChallenges.schema = { async function createChallenge(currentUser, challenge, userToken) { await challengeHelper.validateCreateChallengeRequest(currentUser, challenge); + //Validate the groups if Valid or Not + if ( + challenge.groups && + challenge.groups.length > 0 && + (currentUser.isMachine || hasAdminRole(currentUser)) + ) { + await validateGroups(challenge.groups); + } + if (challenge.legacy.selfService) { // if self-service, create a new project (what about if projectId is provided in the payload? confirm with business!) if (!challenge.projectId) { @@ -1443,6 +1470,15 @@ async function updateChallenge(currentUser, challengeId, data) { await validateChallengeUpdateRequest(currentUser, challenge, data); + //Validate the groups if Valid or Not + if ( + data.groups && + data.groups.length > 0 && + (currentUser.isMachine || hasAdminRole(currentUser)) + ) { + await validateGroups(data.groups); + } + let sendActivationEmail = false; let sendSubmittedEmail = false; let sendCompletedEmail = false; From 2cf3744507d9872ed1c084d0da4f7eca9af2f43f Mon Sep 17 00:00:00 2001 From: sarojbehera1 Date: Wed, 11 Oct 2023 13:59:01 +0530 Subject: [PATCH 3/3] Moving code to challenge-helper --- src/common/challenge-helper.js | 35 ++++++++++++++++++++++++++++--- src/services/ChallengeService.js | 36 -------------------------------- 2 files changed, 32 insertions(+), 39 deletions(-) diff --git a/src/common/challenge-helper.js b/src/common/challenge-helper.js index aef2bd1a..485bc179 100644 --- a/src/common/challenge-helper.js +++ b/src/common/challenge-helper.js 
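Review bot: `hasAdminRole(currentUser)` is called unqualified in both the `createChallenge` and `updateChallenge` hunks, and no hunk in this patch adds an import for it to `ChallengeService.js`. If the file does not already bring it into scope, a non-machine request that carries groups fails with a `ReferenceError` instead of being validated. PATCH 3/3 uses the same bare call in `src/common/challenge-helper.js`, again without an import hunk, so check both files. Separately, the update path validates every id in `data.groups`, not only the ids being added, so a group attached earlier that has since become inactive would block any update that resends the list; if that is intended, a comment such as `// all submitted groups must be active, including ones already on the challenge` would record it. Both function bodies continue outside the hunks.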
@@ -80,6 +80,25 @@ class ChallengeHelper { } } + /** + * Validate Challenge groups. + * @param {Object} groups the group of a challenge + */ + async validateGroups(groups) { + const promises = []; + _.each(groups, (g) => { + promises.push( + (async () => { + const group = await helper.getGroupById(g); + if (!group || group.status !== "active") { + throw new errors.BadRequestError("The groups provided are invalid " + g); + } + })() + ); + }); + await Promise.all(promises); + } + async validateCreateChallengeRequest(currentUser, challenge) { // projectId is required for non self-service challenges if (challenge.legacy.selfService == null && challenge.projectId == null) { @@ -98,7 +117,13 @@ class ChallengeHelper { // helper.ensureNoDuplicateOrNullElements(challenge.events, 'events') // check groups authorization - await helper.ensureAccessibleByGroupsAccess(currentUser, challenge); + if (challenge.groups && challenge.groups.length > 0) { + if (currentUser.isMachine || hasAdminRole(currentUser)) { + await this.validateGroups(challenge.groups); + } else { + await helper.ensureAccessibleByGroupsAccess(currentUser, challenge); + } + } if (challenge.constraints) { await ChallengeHelper.validateChallengeConstraints(challenge.constraints); @@ -118,8 +143,12 @@ class ChallengeHelper { } // check groups access to be updated group values - if (data.groups) { - await ensureAcessibilityToModifiedGroups(currentUser, data, challenge); + if (data.groups && data.groups.length > 0) { + if (currentUser.isMachine || hasAdminRole(currentUser)) { + await this.validateGroups(data.groups); + } else { + await ensureAcessibilityToModifiedGroups(currentUser, data, challenge); + } } // Ensure descriptionFormat is either 'markdown' or 'html' diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js index eed62efb..9b0fd8da 100644 --- a/src/services/ChallengeService.js +++ b/src/services/ChallengeService.js 
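Review bot: The new `data.groups.length > 0` guard in the third hunk (under `// check groups access to be updated group values`) lets a non-admin update with `groups: []` skip `ensureAcessibilityToModifiedGroups`, which the old `if (data.groups)` still reached because an empty array is truthy. If that helper is what stops a user from removing groups they cannot access (its body is not shown), clearing a challenge's group restriction is no longer checked. Keeping the outer test as `if (data.groups) {` preserves the old path, and `validateGroups` on an empty list already does nothing, so the admin branch needs no extra guard. The create check in the second hunk has the same shape: `helper.ensureAccessibleByGroupsAccess` used to run unconditionally and is now skipped when `challenge.groups` is empty or absent, so confirm it has no effect in that case. The enclosing methods start and end outside these hunks.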
@@ -910,24 +910,6 @@ searchChallenges.schema = { }) .unknown(true), }; -/** - * Validate Challenge groups. - * @param {Object} groups the group of a challenge - */ -async function validateGroups(groups) { - const promises = []; - _.each(groups, (g) => { - promises.push( - (async () => { - const group = await helper.getGroupById(g); - if (!group || group.status !== "active") { - throw new errors.BadRequestError("The groups provided are invalid " + g); - } - })() - ); - }); - await Promise.all(promises); -} /** * Create challenge. @@ -939,15 +921,6 @@ async function validateGroups(groups) { async function createChallenge(currentUser, challenge, userToken) { await challengeHelper.validateCreateChallengeRequest(currentUser, challenge); - //Validate the groups if Valid or Not - if ( - challenge.groups && - challenge.groups.length > 0 && - (currentUser.isMachine || hasAdminRole(currentUser)) - ) { - await validateGroups(challenge.groups); - } - if (challenge.legacy.selfService) { // if self-service, create a new project (what about if projectId is provided in the payload? confirm with business!) if (!challenge.projectId) { @@ -1470,15 +1443,6 @@ async function updateChallenge(currentUser, challengeId, data) { await validateChallengeUpdateRequest(currentUser, challenge, data); - //Validate the groups if Valid or Not - if ( - data.groups && - data.groups.length > 0 && - (currentUser.isMachine || hasAdminRole(currentUser)) - ) { - await validateGroups(data.groups); - } - let sendActivationEmail = false; let sendSubmittedEmail = false; let sendCompletedEmail = false;