refactor: allow "email" field instead of disallow

we had the logic which removed "email" field from the allowed fields for non-admins
this logic has been rewritten to add "email" field to the allowed fields for admins to avoid accidental "email" leaking

Author: maxceem

src/routes/projects/get.js

@@ -22,8 +22,12 @@ const ES_PROJECT_TYPE = config.get('elasticsearchConfig.docType');
 // var permissions = require('tc-core-library-js').middleware.permissions
 const permissions = tcMiddleware.permissions;
 const PROJECT_ATTRIBUTES = _.without(_.keys(models.Project.rawAttributes), 'utm', 'deletedAt');
-const PROJECT_MEMBER_ATTRIBUTES = _.concat(_.without(_.keys(models.ProjectMember.rawAttributes), 'deletedAt'),
-  ['firstName', 'lastName', 'handle', 'email']);
+const PROJECT_MEMBER_ATTRIBUTES = _.concat(_.without(_.keys(models.ProjectMember.rawAttributes), 'deletedAt'));
+// project members has some additional fields stored in ES index, which we don't have in DB
+const PROJECT_MEMBER_ATTRIBUTES_ES = _.concat(
+  PROJECT_MEMBER_ATTRIBUTES,
+  ['firstName', 'lastName', 'handle'], // 'email' can be added when allowed by `addEmailFieldIfAllowed`
+);
 const PROJECT_MEMBER_INVITE_ATTRIBUTES = _.without(_.keys(models.ProjectMemberInvite.rawAttributes), 'deletedAt');
 const PROJECT_ATTACHMENT_ATTRIBUTES = _.without(_.keys(models.ProjectAttachment.rawAttributes), 'deletedAt');
 const PROJECT_PHASE_ATTRIBUTES = _.without(
@@ -102,16 +106,13 @@ const retrieveProjectFromES = (projectId, req) => {
   fields = fields ? fields.split(',') : [];
   fields = util.parseFields(fields, {
     projects: PROJECT_ATTRIBUTES,
-    project_members: PROJECT_MEMBER_ATTRIBUTES,
+    project_members: util.addEmailFieldIfAllowed(PROJECT_MEMBER_ATTRIBUTES_ES, req),
     project_member_invites: PROJECT_MEMBER_INVITE_ATTRIBUTES,
     project_phases: PROJECT_PHASE_ATTRIBUTES,
     project_phases_products: PROJECT_PHASE_PRODUCTS_ATTRIBUTES,
     attachments: PROJECT_ATTACHMENT_ATTRIBUTES,
   });
 
-  // if user is not admin, ignore email field for project_members
-  fields = util.ignoreEmailField(req, fields);
-
   const searchCriteria = parseElasticSearchCriteria(projectId, fields) || {};
   return new Promise((accept, reject) => {
     const es = util.getElasticSearchClient();

src/routes/projects/list.js

@@ -26,10 +26,12 @@ const PROJECT_ATTRIBUTES = _.without(_.keys(models.Project.rawAttributes),
    'utm',
    'deletedAt',
 );
-const PROJECT_MEMBER_ATTRIBUTES = _.concat(_.without(
-  _.keys(models.ProjectMember.rawAttributes),
-  'deletedAt',
-), ['firstName', 'lastName', 'handle', 'email']);
+const PROJECT_MEMBER_ATTRIBUTES = _.without(_.keys(models.ProjectMember.rawAttributes));
+// project members has some additional fields stored in ES index, which we don't have in DB
+const PROJECT_MEMBER_ATTRIBUTES_ES = _.concat(
+  PROJECT_MEMBER_ATTRIBUTES,
+  ['firstName', 'lastName', 'handle'], // 'email' can be added when allowed by `addEmailFieldIfAllowed`
+);
 const PROJECT_MEMBER_INVITE_ATTRIBUTES = _.without(
   _.keys(models.ProjectMemberInvite.rawAttributes),
   'deletedAt',
@@ -551,17 +553,13 @@ const retrieveProjects = (req, criteria, sort, ffields) => {
     // parse the fields string to determine what fields are to be returned
   fields = util.parseFields(fields, {
     projects: PROJECT_ATTRIBUTES,
-    project_members: PROJECT_MEMBER_ATTRIBUTES,
+    project_members: util.addEmailFieldIfAllowed(PROJECT_MEMBER_ATTRIBUTES_ES, req),
     project_member_invites: PROJECT_MEMBER_INVITE_ATTRIBUTES,
     project_phases: PROJECT_PHASE_ATTRIBUTES,
     project_phases_products: PROJECT_PHASE_PRODUCTS_ATTRIBUTES,
     attachments: PROJECT_ATTACHMENT_ATTRIBUTES,
   });
 
-
-  // if user is not admin, ignore email field for project_members
-  fields = util.ignoreEmailField(req, fields);
-
   // make sure project.id is part of fields
   if (_.indexOf(fields.projects, 'id') < 0) {
     fields.projects.push('id');

src/util.js

@@ -262,27 +262,24 @@ _.assignIn(util, {
     }
     return fields;
   },
+
   /**
-   * Remove email field for PROJECT_MEMBER_ATTRIBUTES, if user is not admin
-   * @param  {object} req          request object
-   * @param  {object} fields       fields object
-   * @return {object}                       the parsed array
+   * Add `email` field to the list of field, if it's allowed to a user who made the request
+   *
+   * @param  {Array}  fields fields list
+   * @param  {Object} req    request object
+   *
+   * @return {Array} fields list with 'email' if allowed
    */
-  ignoreEmailField: (req, fields) => {
-    if (!fields.project_members) {
-      return fields;
-    }
-
-    // Only Topcoder Admins can get all the fields
+  addEmailFieldIfAllowed: (fields, req) => {
+    // Only Topcoder Admins can get email
     if (util.hasPermission({ topcoderRoles: [USER_ROLE.TOPCODER_ADMIN] }, req.authUser)) {
-      return fields;
+      return _.concat(fields, ['email']);
     }
 
-    // for non topcoder admins remove emails from the field list
-    _.assign(fields, { project_members: _.filter(fields.project_members, f => f !== 'email') });
-
     return fields;
   },
+
   /**
    * Parse the query filters
    * @param  {String}   fqueryFilter        the query filter string