fix: permission rule for billingAccountId

Author: Maksym Mykhailenko

docs/permissions.html

@@ -294,6 +294,29 @@ <h2 class="anchor-container">
               </div>
             </div>
           </div>
+          <div class="row border-top">
+            <div class="col py-2">
+              <div class="permission-title anchor-container">
+                <a href="#MANAGE_PROJECT_BILLING_ACCOUNT_ID" name="MANAGE_PROJECT_BILLING_ACCOUNT_ID" class="anchor"></a>Manage Project property &quot;billingAccountId&quot;
+              </div>
+              <div class="permission-variable"><small><code>MANAGE_PROJECT_BILLING_ACCOUNT_ID</code></small></div>
+              <div class="text-black-50 small-text">Who can set or update the &quot;billingAccountId&quot; property.</div>
+            </div>
+            <div class="col-9 py-2">
+              <div>
+              </div>
+
+              <div>
+                    <span class="badge badge-success" title="Allowed Topcoder Role">Connect Manager</span>
+                    <span class="badge badge-success" title="Allowed Topcoder Role">administrator</span>
+              </div>
+
+              <div>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:projects-billing-accounts</span>
+              </div>
+            </div>
+          </div>
           <div class="row border-top">
             <div class="col py-2">
               <div class="permission-title anchor-container">
@@ -332,30 +355,6 @@ <h2 class="anchor-container">
               </div>
             </div>
           </div>
-          <div class="row border-top">
-            <div class="col py-2">
-              <div class="permission-title anchor-container">
-                <a href="#MANAGE_PROJECT_BILLING_ACCOUNT_ID" name="MANAGE_PROJECT_BILLING_ACCOUNT_ID" class="anchor"></a>Manage Project property &quot;billingAccountId&quot;
-              </div>
-              <div class="permission-variable"><small><code>MANAGE_PROJECT_BILLING_ACCOUNT_ID</code></small></div>
-              <div class="text-black-50 small-text">Who can set or update the &quot;billingAccountId&quot; property.</div>
-            </div>
-            <div class="col-9 py-2">
-              <div>
-              </div>
-
-              <div>
-                    <span class="badge badge-success" title="Allowed Topcoder Role">Connect Manager</span>
-                    <span class="badge badge-success" title="Allowed Topcoder Role">administrator</span>
-              </div>
-
-              <div>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:projects</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:projects-billing-accounts</span>
-              </div>
-            </div>
-          </div>
         <div class="row">
           <div class="col pt-5 pb-2">
             <h2 class="anchor-container">

src/constants.js

@@ -268,6 +268,7 @@ export const REGEX = {
 };
 
 export const M2M_SCOPES = {
+  // for backward compatibility we should allow ALL M2M operations with `CONNECT_PROJECT_ADMIN`
   CONNECT_PROJECT_ADMIN: 'all:connect_project',
   PROJECTS: {
     ALL: 'all:projects',

src/permissions/constants.js

@@ -76,7 +76,6 @@ const SCOPES_PROJECTS_WRITE = [
 
 const SCOPES_PROJECTS_WRITE_BILLING_ACCOUNTS = [
   M2M_SCOPES.CONNECT_PROJECT_ADMIN,
-  M2M_SCOPES.PROJECTS.ALL,
   M2M_SCOPES.PROJECTS.WRITE_BILLING_ACCOUNTS,
 ];
 
@@ -161,6 +160,19 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     scopes: SCOPES_PROJECTS_WRITE,
   },
 
+  MANAGE_PROJECT_BILLING_ACCOUNT_ID: {
+    meta: {
+      title: 'Manage Project property "billingAccountId"',
+      group: 'Project',
+      description: 'Who can set or update the "billingAccountId" property.',
+    },
+    topcoderRoles: [
+      USER_ROLE.MANAGER,
+      USER_ROLE.TOPCODER_ADMIN,
+    ],
+    scopes: SCOPES_PROJECTS_WRITE_BILLING_ACCOUNTS,
+  },
+
   DELETE_PROJECT: {
     meta: {
       title: 'Delete Project',
@@ -179,19 +191,6 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     scopes: SCOPES_PROJECTS_WRITE,
   },
 
-  MANAGE_PROJECT_BILLING_ACCOUNT_ID: {
-    meta: {
-      title: 'Manage Project property "billingAccountId"',
-      group: 'Project',
-      description: 'Who can set or update the "billingAccountId" property.',
-    },
-    topcoderRoles: [
-      USER_ROLE.MANAGER,
-      USER_ROLE.TOPCODER_ADMIN,
-    ],
-    scopes: SCOPES_PROJECTS_WRITE_BILLING_ACCOUNTS,
-  },
-
   /*
    * Project Member
    */

src/routes/projects/update.spec.js

@@ -14,7 +14,6 @@ import {
   PROJECT_STATUS,
   BUS_API_EVENT,
   CONNECT_NOTIFICATION_EVENT,
-  M2M_SCOPES,
 } from '../../constants';
 
 const should = chai.should();
@@ -192,11 +191,11 @@ describe('Project', () => {
         });
     });
 
-    it(`should return the project using M2M token with "${M2M_SCOPES.PROJECTS.WRITE}" scope`, (done) => {
+    it('should return the project using M2M token with "write:projects" scope', (done) => {
       request(server)
         .patch(`/v5/projects/${project1.id}`)
         .set({
-          Authorization: `Bearer ${testUtil.m2m[M2M_SCOPES.PROJECTS.WRITE]}`,
+          Authorization: `Bearer ${testUtil.m2m['write:projects']}`,
         })
         .send({
           name: 'updateProject name by M2M',
@@ -664,7 +663,7 @@ describe('Project', () => {
       request(server)
         .patch(`/v5/projects/${project1.id}`)
         .set({
-          Authorization: `Bearer ${testUtil.m2m[M2M_SCOPES.PROJECTS.WRITE]}`,
+          Authorization: `Bearer ${testUtil.m2m['write:projects-billing-accounts']}`,
         })
         .send({
           billingAccountId: 123,