fix: copilot is allowed to update project status

Author: maxceem

docs/permissions.html

@@ -259,6 +259,37 @@ <h2 class="anchor-container">
               </div>
             </div>
           </div>
+          <div class="row border-top">
+            <div class="col py-2">
+              <div class="permission-title anchor-container">
+                <a href="#UPDATE_PROJECT_STATUS" name="UPDATE_PROJECT_STATUS" class="anchor"></a>Update Project Status
+              </div>
+              <div class="permission-variable"><small><code>UPDATE_PROJECT_STATUS</code></small></div>
+              <div class="text-black-50 small-text"></div>
+            </div>
+            <div class="col-9 py-2">
+              <div>
+                    <span class="badge badge-primary" title="Allowed Project Role">manager</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">account_manager</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">program_manager</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">account_executive</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">solution_architect</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">project_manager</span>
+                    <span class="badge badge-primary" title="Allowed Project Role">copilot</span>
+              </div>
+
+              <div>
+                    <span class="badge badge-success" title="Allowed Topcoder Role">Connect Admin</span>
+                    <span class="badge badge-success" title="Allowed Topcoder Role">administrator</span>
+              </div>
+
+              <div>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:connect_project</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">all:projects</span>
+                  <span class="badge badge-dark" title="Allowed Topcoder Role">write:projects</span>
+              </div>
+            </div>
+          </div>
           <div class="row border-top">
             <div class="col py-2">
               <div class="permission-title anchor-container">

src/permissions/constants.js

@@ -195,6 +195,19 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
     scopes: SCOPES_PROJECTS_WRITE,
   },
 
+  UPDATE_PROJECT_STATUS: {
+    meta: {
+      title: 'Update Project Status',
+      group: 'Project',
+    },
+    topcoderRoles: TOPCODER_ROLES_ADMINS,
+    projectRoles: [
+      ...PROJECT_ROLES_MANAGEMENT,
+      PROJECT_MEMBER_ROLE.COPILOT,
+    ],
+    scopes: SCOPES_PROJECTS_WRITE,
+  },
+
   MANAGE_PROJECT_DIRECT_PROJECT_ID: {
     meta: {
       title: 'Manage Project property "directProjectId"',

src/routes/projects/update.js

@@ -7,7 +7,6 @@ import {
 import models from '../../models';
 import {
   PROJECT_STATUS,
-  PROJECT_MEMBER_ROLE,
   EVENT,
   RESOURCES,
   REGEX,
@@ -224,23 +223,14 @@ module.exports = [
           });
           return Promise.reject(err);
         }
-        // Only project manager (user with manager role assigned) or topcoder
-        // admin should be allowed to transition project status to 'active'.
-        const members = req.context.currentProjectMembers;
-        const validRoles = [
-          PROJECT_MEMBER_ROLE.MANAGER,
-          PROJECT_MEMBER_ROLE.PROGRAM_MANAGER,
-          PROJECT_MEMBER_ROLE.PROJECT_MANAGER,
-          PROJECT_MEMBER_ROLE.SOLUTION_ARCHITECT,
-        ].map(x => x.toLowerCase());
-        const matchRole = role => _.indexOf(validRoles, role.toLowerCase()) >= 0;
-        if (updatedProps.status === PROJECT_STATUS.ACTIVE &&
-          !util.hasAdminRole(req) &&
-          _.isUndefined(_.find(members,
-            m => m.userId === req.authUser.userId && matchRole(m.role)))
+
+        // check if user has permissions to update project status
+        if (
+          updatedProps.status &&
+          updatedProps.status !== project.status &&
+          !util.hasPermissionByReq(PERMISSION.UPDATE_PROJECT_STATUS, req)
         ) {
-          const err = new Error('Only assigned topcoder-managers or topcoder admins should be allowed ' +
-            'to launch a project');
+          const err = new Error('You are not allowed to update project status.');
           err.status = 403;
           return Promise.reject(err);
         }

src/routes/projects/update.spec.js

@@ -148,28 +148,6 @@ describe('Project', () => {
         });
     });
 
-    it('should return 403 if invalid user will update a project', (done) => {
-      request(server)
-        .patch(`/v5/projects/${project1.id}`)
-        .set({
-          Authorization: `Bearer ${testUtil.jwts.copilot}`,
-        })
-        .send({
-          status: 'active',
-        })
-        .expect('Content-Type', /json/)
-        .expect(403)
-        .end((err, res) => {
-          if (err) {
-            done(err);
-          } else {
-            res.body.message.should.equal('Only assigned topcoder-managers or topcoder admins' +
-              ' should be allowed to launch a project');
-            done();
-          }
-        });
-    });
-
     it('should return 200 if topcoder manager user will update a project', (done) => {
       request(server)
         .patch(`/v5/projects/${project1.id}`)
@@ -495,43 +473,6 @@ describe('Project', () => {
         });
     });
 
-    it('should return 403, copilot is not allowed to transition project out of cancel status', (done) => {
-      models.Project.update({
-        status: PROJECT_STATUS.CANCELLED,
-      }, {
-        where: {
-          id: project1.id,
-        },
-      })
-        .then(() => {
-          const mbody = {
-            name: 'updatedProject name',
-            status: PROJECT_STATUS.ACTIVE,
-
-          };
-          request(server)
-            .patch(`/v5/projects/${project1.id}`)
-            .set({
-              Authorization: `Bearer ${testUtil.jwts.copilot}`,
-            })
-            .send(mbody)
-            .expect('Content-Type', /json/)
-            .expect(403)
-            .end((err, res) => {
-              if (err) {
-                done(err);
-              } else {
-                res
-                  .body
-                  .message
-                  .should
-                  .equal('Only assigned topcoder-managers or topcoder admins should be allowed to launch a project');
-                done();
-              }
-            });
-        });
-    });
-
     it('should return 200 and project history should not be updated', (done) => {
       request(server)
         .patch(`/v5/projects/${project1.id}`)