feat: allow non-admin set dates

allow non-admin users to set "completionDate" and "actualStartDate" during milestone updating if they are not yet set

Author: maxceem

src/routes/milestones/bulkUpdate.spec.js

@@ -165,6 +165,8 @@ describe('BULK UPDATE Milestones', () => {
                     name: 'Milestone 2',
                     duration: 3,
                     startDate: '2018-05-14T00:00:00.000Z',
+                    actualStartDate: '2018-05-14T00:00:00.000Z',
+                    completionDate: '2018-05-15T00:00:00.000Z',
                     status: 'reviewed',
                     type: 'type2',
                     order: 2,
@@ -302,7 +304,7 @@ describe('BULK UPDATE Milestones', () => {
 
     it('should return 403 for non-admin member updating the completionDate', (done) => {
       const newBody = _.cloneDeep(body);
-      newBody.id = 1;
+      newBody.id = 2;
       newBody.completionDate = '2019-01-16T00:00:00.000Z';
       request(server)
         .patch('/v5/timelines/1/milestones')
@@ -316,7 +318,7 @@ describe('BULK UPDATE Milestones', () => {
     it('should return 403 for non-admin member updating the actualStartDate', (done) => {
       const newBody = _.cloneDeep(body);
       newBody.actualStartDate = '2018-05-15T00:00:00.000Z';
-      newBody.id = 1;
+      newBody.id = 2;
       request(server)
         .patch('/v5/timelines/1/milestones')
         .set({

src/routes/milestones/commonHelper.js

@@ -113,9 +113,17 @@ async function updateMilestone(authUser, timelineId, data, transaction, item) {
     }
     entityToUpdate.status = statusHistory[1].status;
   }
-  if ((entityToUpdate.completionDate || entityToUpdate.actualStartDate) &&
-      !util.hasPermission({ topcoderRoles: ADMIN_ROLES }, authUser)) {
-    const apiErr = new Error('You are not authorised to perform this action');
+
+  // only admins can update values of 'completionDate' and 'actualStartDate' if they are already set
+  const isUpdatedCompletionDate = milestone.completionDate && entityToUpdate.completionDate
+    && milestone.completionDate !== entityToUpdate.completionDate;
+  const isUpdatedActualStartDate = milestone.actualStartDate && entityToUpdate.actualStartDate
+    && milestone.actualStartDate !== entityToUpdate.actualStartDate;
+  if (
+    (isUpdatedCompletionDate || isUpdatedActualStartDate)
+    && !util.hasPermission({ topcoderRoles: ADMIN_ROLES }, authUser)
+  ) {
+    const apiErr = new Error('You are not allowed to perform this action.');
     apiErr.status = 403;
     throw apiErr;
   }

src/routes/milestones/update.spec.js

@@ -166,6 +166,7 @@ describe('UPDATE Milestone', () => {
                     name: 'Milestone 2',
                     duration: 3,
                     startDate: '2018-05-14T00:00:00.000Z',
+                    actualStartDate: '2018-05-14T00:00:00.000Z',
                     status: 'reviewed',
                     type: 'type2',
                     order: 2,
@@ -317,14 +318,38 @@ describe('UPDATE Milestone', () => {
       const newBody = _.cloneDeep(body);
       newBody.actualStartDate = '2018-05-15T00:00:00.000Z';
       request(server)
-        .patch('/v5/timelines/1/milestones/1')
+        .patch('/v5/timelines/1/milestones/2')
         .set({
           Authorization: `Bearer ${testUtil.jwts.manager}`,
         })
         .send(newBody)
         .expect(403, done);
     });
 
+    it('should return 200 for non-admin member setting the completionDate', (done) => {
+      const newBody = _.cloneDeep(body);
+      newBody.completionDate = '2019-01-16T00:00:00.000Z';
+      request(server)
+        .patch('/v5/timelines/1/milestones/2')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send(newBody)
+        .expect(200, done);
+    });
+
+    it('should return 200 for non-admin member setting the actualStartDate', (done) => {
+      const newBody = _.cloneDeep(body);
+      newBody.actualStartDate = '2018-05-15T00:00:00.000Z';
+      request(server)
+        .patch('/v5/timelines/1/milestones/1')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send(newBody)
+        .expect(200, done);
+    });
+
     it('should return 404 for non-existed timeline', (done) => {
       request(server)
         .patch('/v5/timelines/1234/milestones/1')