#488 Project List endpoint returns member email for some projects

Author: yoution

src/routes/projects/get.js

@@ -22,7 +22,8 @@ const ES_PROJECT_TYPE = config.get('elasticsearchConfig.docType');
 // var permissions = require('tc-core-library-js').middleware.permissions
 const permissions = tcMiddleware.permissions;
 const PROJECT_ATTRIBUTES = _.without(_.keys(models.Project.rawAttributes), 'utm', 'deletedAt');
-const PROJECT_MEMBER_ATTRIBUTES = _.without(_.keys(models.ProjectMember.rawAttributes), 'deletedAt');
+const PROJECT_MEMBER_ATTRIBUTES = _.concat(_.without(_.keys(models.ProjectMember.rawAttributes), 'deletedAt'),
+  ['firstName', 'lastName', 'handle', 'email']);
 const PROJECT_MEMBER_INVITE_ATTRIBUTES = _.without(_.keys(models.ProjectMemberInvite.rawAttributes), 'deletedAt');
 const PROJECT_ATTACHMENT_ATTRIBUTES = _.without(_.keys(models.ProjectAttachment.rawAttributes), 'deletedAt');
 
@@ -58,7 +59,7 @@ const parseElasticSearchCriteria = (projectId, fields) => {
   }
 
   if (sourceInclude) {
-    searchCriteria._sourceInclude = sourceInclude;        // eslint-disable-line no-underscore-dangle
+    searchCriteria._sourceIncludes = sourceInclude;        // eslint-disable-line no-underscore-dangle
   }
 
 
@@ -90,6 +91,9 @@ const retrieveProjectFromES = (projectId, req) => {
     attachments: PROJECT_ATTACHMENT_ATTRIBUTES,
   });
 
+  // if user is not admin, ignore email field for project_members
+  fields = util.ignoreEmailField(req, fields);
+
   const searchCriteria = parseElasticSearchCriteria(projectId, fields) || {};
   return new Promise((accept, reject) => {
     const es = util.getElasticSearchClient();
@@ -108,6 +112,7 @@ const retrieveProjectFromDB = (projectId, req) => {
     projects: PROJECT_ATTRIBUTES,
     project_members: PROJECT_MEMBER_ATTRIBUTES,
   });
+
   return models.Project
     .findOne({
       where: { id: projectId },

src/routes/projects/get.spec.js

@@ -23,7 +23,8 @@ const data = [
     billingAccountId: 1,
     name: 'test1',
     description: 'es_project',
-    status: 'active',
+    cancelReason: 'price/cost',
+    status: 'draft',
     details: {
       utm: {
         code: 'code1',
@@ -42,6 +43,7 @@ const data = [
         firstName: 'es_member_1_firstName',
         lastName: 'Lastname',
         handle: 'test_tourist_handle',
+        email: 'test@test.com',
         isPrimary: true,
         createdBy: 1,
         updatedBy: 1,
@@ -80,6 +82,7 @@ describe('GET Project', () => {
         .then(() => testUtil.clearES())
         .then(() => {
           const p1 = models.Project.create({
+            id: 5,
             type: 'generic',
             billingAccountId: 1,
             name: 'test1',
@@ -98,6 +101,10 @@ describe('GET Project', () => {
               projectId: project1.id,
               role: 'customer',
               isPrimary: true,
+              firstName: 'Firstname',
+              lastName: 'Lastname',
+              handle: 'test_tourist_handle',
+              email: 'test@test.com',
               createdBy: 1,
               updatedBy: 1,
             });
@@ -343,5 +350,115 @@ describe('GET Project', () => {
             });
       });
     });
+
+    describe('URL Query fields', () => {
+      it('should not return "email" for project members when "fields" query param is not defined (to non-admin users)', (done) => {
+        request(server)
+        .get(`/v5/projects/${project1.id}?fields=members.handle`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.members[0].should.have.property('handle');
+            resJson.members[0].should.not.have.property('email');
+            done();
+          }
+        });
+      });
+
+      it('should not return "email" for project members even if it\'s defined in "fields" query param (to non-admin users)', (done) => {
+        request(server)
+        .get(`/v5/projects/${project1.id}?fields=members.email,members.handle`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.members[0].should.have.property('handle');
+            resJson.members[0].should.not.have.property('email');
+            done();
+          }
+        });
+      });
+
+
+      it('should not return "cancelReason" if it is not listed in "fields" query param ', (done) => {
+        request(server)
+        .get(`/v5/projects/${project1.id}?fields=description`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.should.have.property('description');
+            resJson.description.should.be.eq('es_project');
+            resJson.should.not.have.property('cancelReason');
+            done();
+          }
+        });
+      });
+
+      it('should not return "email" for project members when "fields" query param is not defined (to admin users)', (done) => {
+        request(server)
+          .get(`/v5/projects/${project1.id}?fields=description,members.id`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.admin}`,
+          })
+          .expect('Content-Type', /json/)
+          .expect(200)
+          .end((err, res) => {
+            if (err) {
+              done(err);
+            } else {
+              const resJson = res.body;
+              should.exist(resJson);
+              resJson.members.should.have.lengthOf(2);
+              resJson.members[0].should.not.have.property('email');
+              done();
+            }
+          });
+      });
+
+      it('should return "email" for project members if it\'s defined in "fields" query param (to admin users', (done) => {
+        request(server)
+          .get(`/v5/projects/${project1.id}?fields=description,members.id,members.email`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.admin}`,
+          })
+          .expect('Content-Type', /json/)
+          .expect(200)
+          .end((err, res) => {
+            if (err) {
+              done(err);
+            } else {
+              const resJson = res.body;
+              should.exist(resJson);
+              resJson.members.should.have.lengthOf(2);
+              resJson.members[0].should.have.property('email');
+              resJson.members[0].email.should.be.eq('test@test.com');
+              done();
+            }
+          });
+      });
+    });
   });
 });

src/routes/projects/list.js

@@ -26,10 +26,10 @@ const PROJECT_ATTRIBUTES = _.without(_.keys(models.Project.rawAttributes),
    'utm',
    'deletedAt',
 );
-const PROJECT_MEMBER_ATTRIBUTES = _.without(
+const PROJECT_MEMBER_ATTRIBUTES = _.concat(_.without(
   _.keys(models.ProjectMember.rawAttributes),
   'deletedAt',
-);
+), ['firstName', 'lastName', 'handle', 'email']);
 const PROJECT_MEMBER_INVITE_ATTRIBUTES = _.without(
   _.keys(models.ProjectMemberInvite.rawAttributes),
   'deletedAt',
@@ -301,7 +301,7 @@ const parseElasticSearchCriteria = (criteria, fields, order) => {
   }
 
   if (sourceInclude) {
-    searchCriteria._sourceInclude = sourceInclude;        // eslint-disable-line no-underscore-dangle
+    searchCriteria._sourceIncludes = sourceInclude;        // eslint-disable-line no-underscore-dangle
   }
   // prepare the elasticsearch filter criteria
   const boolQuery = [];
@@ -462,6 +462,8 @@ const retrieveProjectsFromDB = (req, criteria, sort, ffields) => {
     projects: PROJECT_ATTRIBUTES,
     project_members: PROJECT_MEMBER_ATTRIBUTES,
   });
+
+
   // make sure project.id is part of fields
   if (_.indexOf(fields.projects, 'id') < 0) fields.projects.push('id');
   const retrieveAttachments = !req.query.fields || req.query.fields.indexOf('attachments') > -1;
@@ -529,6 +531,11 @@ const retrieveProjects = (req, criteria, sort, ffields) => {
     project_phases_products: PROJECT_PHASE_PRODUCTS_ATTRIBUTES,
     attachments: PROJECT_ATTACHMENT_ATTRIBUTES,
   });
+
+
+  // if user is not admin, ignore email field for project_members
+  fields = util.ignoreEmailField(req, fields);
+
   // make sure project.id is part of fields
   if (_.indexOf(fields.projects, 'id') < 0) {
     fields.projects.push('id');

src/routes/projects/list.spec.js

@@ -1,6 +1,7 @@
 /* eslint-disable no-unused-expressions */
 /* eslint-disable max-len */
 import chai from 'chai';
+import _ from 'lodash';
 import request from 'supertest';
 // import sleep from 'sleep';
 import config from 'config';
@@ -29,6 +30,7 @@ const data = [
     },
     createdBy: 1,
     updatedBy: 1,
+    cancelReason: 'price/cost',
     lastActivityAt: 1,
     lastActivityUserId: '1',
     members: [
@@ -40,6 +42,7 @@ const data = [
         firstName: 'Firstname',
         lastName: 'Lastname',
         handle: 'test_tourist_handle',
+        email: 'test@test.com',
         isPrimary: true,
         createdBy: 1,
         updatedBy: 1,
@@ -396,7 +399,7 @@ describe('LIST Project', () => {
 
     it('should return the project for administrator with field description and billingAccountId', (done) => {
       request(server)
-        .get('/v5/projects/?fields=description,billingAccountId&sort=id asc')
+        .get('/v5/projects/?fields=description,billingAccountId,attachments&sort=id asc')
         .set({
           Authorization: `Bearer ${testUtil.jwts.admin}`,
         })
@@ -893,5 +896,120 @@ describe('LIST Project', () => {
           });
       });
     });
+
+    describe('URL Query fields', () => {
+      it('should not return "email" for project members when "fields" query param is not defined (to non-admin users)', (done) => {
+        request(server)
+        .get('/v5/projects/')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.should.have.lengthOf(1);
+            resJson[0].members[0].should.not.have.property('email');
+            done();
+          }
+        });
+      });
+
+
+      it('should not return "email" for project members even if it\'s defined in "fields" query param (to non-admin users)', (done) => {
+        request(server)
+        .get('/v5/projects/?fields=members.email,members.id')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.should.have.lengthOf(1);
+            resJson[0].members[0].should.not.have.property('email');
+            done();
+          }
+        });
+      });
+
+
+      it('should not return "cancelReason" if it is not listed in "fields" query param ', (done) => {
+        request(server)
+        .get('/v5/projects/?fields=description')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.should.have.lengthOf(1);
+            resJson[0].should.have.property('description');
+            resJson[0].should.not.have.property('cancelReason');
+            resJson[0].description.should.be.eq('test project1');
+            done();
+          }
+        });
+      });
+
+      it('should not return "email" for project members when "fields" query param is not defined (to admin users)', (done) => {
+        request(server)
+        .get('/v5/projects/?fields=description,members.id')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.admin}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            const project = _.find(resJson, p => p.id === 1);
+            const member = _.find(project.members, m => m.id === 1);
+            member.should.not.have.property('email');
+            done();
+          }
+        });
+      });
+
+
+      it('should return "email" for project members if it\'s defined in "fields" query param (to admin users', (done) => {
+        request(server)
+        .get('/v5/projects/?fields=description,members.id,members.email')
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.admin}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            const project = _.find(resJson, p => p.id === 1);
+            const member = _.find(project.members, m => m.id === 1);
+            member.should.have.property('email');
+            member.email.should.be.eq('test@test.com');
+            done();
+          }
+        });
+      });
+    });
   });
 });