- use separate scope for invites

- return project with empty invites if user doesn't have enough permission

Author: gets0ul

docs/permissions.html

@@ -636,8 +636,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">read:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">read:project-invites</span>
               </div>
             </div>
           </div>
@@ -670,8 +670,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">read:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">read:project-invites</span>
               </div>
             </div>
           </div>
@@ -704,8 +704,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -734,8 +734,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -759,8 +759,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -782,8 +782,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -806,8 +806,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -831,8 +831,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -854,8 +854,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -879,8 +879,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -909,8 +909,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>
@@ -934,8 +934,8 @@ <h2 class="anchor-container">
 
               <div>
                   <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-members</span>
-                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-members</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:project-invites</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:project-invites</span>
               </div>
             </div>
           </div>

src/constants.js

@@ -281,6 +281,11 @@ export const M2M_SCOPES = {
     READ: 'read:project-members',
     WRITE: 'write:project-members',
   },
+  PROJECT_INVITES: {
+    ALL: 'all:project-invites',
+    READ: 'read:project-invites',
+    WRITE: 'write:project-invites',
+  },
 };
 
 export const TIMELINE_REFERENCES = {

src/permissions/constants.js

@@ -91,6 +91,18 @@ const SCOPES_PROJECT_MEMBERS_WRITE = [
   M2M_SCOPES.PROJECT_MEMBERS.WRITE,
 ];
 
+const SCOPES_PROJECT_INVITES_READ = [
+  M2M_SCOPES.CONNECT_PROJECT_ADMIN,
+  M2M_SCOPES.PROJECT_INVITES.ALL,
+  M2M_SCOPES.PROJECT_INVITES.READ,
+];
+
+const SCOPES_PROJECT_INVITES_WRITE = [
+  M2M_SCOPES.CONNECT_PROJECT_ADMIN,
+  M2M_SCOPES.PROJECT_INVITES.ALL,
+  M2M_SCOPES.PROJECT_INVITES.WRITE,
+];
+
 export const PERMISSION = { // eslint-disable-line import/prefer-default-export
   /*
    * Project
@@ -303,7 +315,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       description: 'Who can view own invite.',
     },
     topcoderRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_READ,
+    scopes: SCOPES_PROJECT_INVITES_READ,
   },
 
   READ_PROJECT_INVITE_NOT_OWN: {
@@ -314,7 +326,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     },
     topcoderRoles: TOPCODER_ROLES_MANAGERS_AND_ADMINS,
     projectRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_READ,
+    scopes: SCOPES_PROJECT_INVITES_READ,
   },
 
   CREATE_PROJECT_INVITE_CUSTOMER: {
@@ -325,7 +337,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     },
     topcoderRoles: TOPCODER_ROLES_MANAGERS_AND_ADMINS,
     projectRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   CREATE_PROJECT_INVITE_NON_CUSTOMER: {
@@ -336,7 +348,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     },
     topcoderRoles: TOPCODER_ROLES_ADMINS,
     projectRoles: PROJECT_ROLES_MANAGEMENT,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   CREATE_PROJECT_INVITE_COPILOT_DIRECTLY: {
@@ -349,7 +361,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       ...TOPCODER_ROLES_ADMINS,
       USER_ROLE.COPILOT_MANAGER,
     ],
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   UPDATE_PROJECT_INVITE_OWN: {
@@ -359,7 +371,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       description: 'Who can update own invite.',
     },
     topcoderRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   UPDATE_PROJECT_INVITE_NOT_OWN: {
@@ -369,7 +381,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       description: 'Who can update invites for other members.',
     },
     topcoderRoles: TOPCODER_ROLES_ADMINS,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   UPDATE_PROJECT_INVITE_REQUESTED: {
@@ -382,7 +394,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       ...TOPCODER_ROLES_ADMINS,
       USER_ROLE.COPILOT_MANAGER,
     ],
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   DELETE_PROJECT_INVITE_OWN: {
@@ -392,7 +404,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       description: 'Who can delete own invite.',
     },
     topcoderRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   DELETE_PROJECT_INVITE_NOT_OWN_CUSTOMER: {
@@ -403,7 +415,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     },
     topcoderRoles: TOPCODER_ROLES_ADMINS,
     projectRoles: ALL,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   DELETE_PROJECT_INVITE_NOT_OWN_NON_CUSTOMER: {
@@ -414,7 +426,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     },
     topcoderRoles: TOPCODER_ROLES_ADMINS,
     projectRoles: PROJECT_ROLES_MANAGEMENT,
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   DELETE_PROJECT_INVITE_REQUESTED: {
@@ -427,7 +439,7 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       ...TOPCODER_ROLES_ADMINS,
       USER_ROLE.COPILOT_MANAGER,
     ],
-    scopes: SCOPES_PROJECT_MEMBERS_WRITE,
+    scopes: SCOPES_PROJECT_INVITES_WRITE,
   },
 
   /**

src/routes/projects/get.js

@@ -3,6 +3,7 @@ import config from 'config';
 import { middleware as tcMiddleware } from 'tc-core-library-js';
 import models from '../../models';
 import util from '../../util';
+import { PERMISSION } from '../../permissions/constants';
 
 const ES_PROJECT_INDEX = config.get('elasticsearchConfig.indexName');
 const ES_PROJECT_TYPE = config.get('elasticsearchConfig.docType');
@@ -115,7 +116,23 @@ const retrieveProjectFromES = (projectId, req) => {
     const es = util.getElasticSearchClient();
     es.search(searchCriteria).then((docs) => {
       const rows = _.map(docs.hits.hits, single => single._source);     // eslint-disable-line no-underscore-dangle
-      accept(rows[0]);
+      const project = rows[0];
+      if (project && project.invites) {
+        if (!util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_NOT_OWN, req)) {
+          let invites;
+          if (util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_OWN, req)) {
+            // only include own invites
+            const currentUserId = req.authUser.userId;
+            const email = req.authUser.email;
+            invites = _.filter(project.invites, invite => invite.userId === currentUserId || invite.email === email);
+          } else {
+            // return empty invites
+            invites = [];
+          }
+          _.set(project, 'invites', invites);
+        }
+      }
+      accept(project);
     }).catch(reject);
   });
 };
@@ -156,7 +173,17 @@ const retrieveProjectFromDB = (projectId, req) => {
         if (attachments) {
           project.attachments = attachments;
         }
-        return models.ProjectMemberInvite.getPendingAndReguestedInvitesForProject(projectId);
+        if (util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_NOT_OWN, req)) {
+          // include all invites
+          return models.ProjectMemberInvite.getPendingAndReguestedInvitesForProject(projectId);
+        } else if (util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_OWN, req)) {
+          // include only own invites
+          const currentUserId = req.authUser.userId;
+          const email = req.authUser.email;
+          return models.ProjectMemberInvite.getPendingOrRequestedProjectInvitesForUser(projectId, email, currentUserId);
+        }
+        // empty
+        return Promise.resolve([]);
       })
       .then((invites) => {
         project.invites = invites;

src/routes/projects/get.spec.js

@@ -274,6 +274,26 @@ describe('GET Project', () => {
           });
     });
 
+    it('should return the project with empty invites using M2M token without "read:project-invites" scope', (done) => {
+      request(server)
+          .get(`/v5/projects/${project1.id}`)
+          .set({
+            Authorization: `Bearer ${testUtil.m2m['read:projects']}`,
+          })
+          .expect('Content-Type', /json/)
+          .expect(200)
+          .end((err, res) => {
+            if (err) {
+              done(err);
+            } else {
+              const resJson = res.body;
+              should.exist(resJson);
+              resJson.invites.should.be.empty;
+              done();
+            }
+          });
+    });
+
     it('should return project with "members", "invites", and "attachments" by default when data comes from ES', (done) => {
       request(server)
           .get(`/v5/projects/${data[0].id}`)

src/routes/projects/list.js

@@ -568,6 +568,24 @@ const retrieveProjects = (req, criteria, sort, ffields) => {
     const es = util.getElasticSearchClient();
     es.search(searchCriteria).then((docs) => {
       const rows = _.map(docs.hits.hits, single => single._source);     // eslint-disable-line no-underscore-dangle
+      if (rows) {
+        if (!util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_NOT_OWN, req)) {
+          if (util.hasPermissionByReq(PERMISSION.READ_PROJECT_INVITE_OWN, req)) {
+            // only include own invites
+            const currentUserId = req.authUser.userId;
+            const email = req.authUser.email;
+            _.forEach(rows, (fp) => {
+              const invites = _.filter(fp.invites, invite => invite.userId === currentUserId || invite.email === email);
+              _.set(fp, 'invites', invites);
+            });
+          } else {
+            // return empty invites
+            _.forEach(rows, (fp) => {
+              _.set(fp, 'invites', []);
+            });
+          }
+        }
+      }
       accept({ rows, count: docs.hits.total, pageSize: criteria.limit, page: criteria.page });
     }).catch(reject);
   });