Merge branch 'dev' into feature/workstreams

Author: maxceem

.nvmrc

@@ -1 +1 @@
-v6.9.4
+v8.2.1

README.md

@@ -9,7 +9,7 @@ Microservice to manage CRUD operations for all things Projects.
 ### Requirements
 
 * [docker-compose](https://docs.docker.com/compose/install/) - We use docker-compose for running dependencies locally.
-* Nodejs 8.9.4 - consider using [nvm](https://github.com/creationix/nvm) or equivalent to manage your node version
+* Nodejs 8.2.1 - consider using [nvm](https://github.com/creationix/nvm) or equivalent to manage your node version
 * Install [libpg](https://www.npmjs.com/package/pg-native)
 
 ### Steps to run locally

src/constants.js

@@ -190,3 +190,5 @@ export const INVITE_STATUS = {
   REQUEST_APPROVED: 'request_approved',
   CANCELED: 'canceled',
 };
+
+export const MAX_PARALLEL_REQUEST_QTY = 10;

src/models/projectMemberInvite.js

@@ -68,7 +68,10 @@ module.exports = function defineProjectMemberInvite(sequelize, DataTypes) {
         const where = { projectId, status: INVITE_STATUS.PENDING };
 
         if (email && userId) {
-          _.assign(where, { $or: [{ email: { $eq: email } }, { userId: { $eq: userId } }] });
+          _.assign(where, { $or: [
+            { email: { $eq: email.toLowerCase() } },
+            { userId: { $eq: userId } },
+          ] });
         } else if (email) {
           _.assign(where, { email });
         } else if (userId) {

src/permissions/copilotAndAbove.js

@@ -1,18 +1,45 @@
+import _ from 'lodash';
 import util from '../util';
-import { MANAGER_ROLES, USER_ROLE } from '../constants';
+import {
+  PROJECT_MEMBER_ROLE,
+  ADMIN_ROLES,
+} from '../constants';
+import models from '../models';
 
 
 /**
- * Permission to alloow copilot and above roles to perform certain operations
+ * Permission to allow copilot and above roles to perform certain operations
+ * - User with Topcoder admins roles should be able to perform the operations.
+ * - Project members with copilot and manager Project roles should be also able to perform the operations.
  * @param {Object}    req         the express request instance
  * @return {Promise}              returns a promise
  */
 module.exports = req => new Promise((resolve, reject) => {
-  const hasAccess = util.hasRoles(req, [...MANAGER_ROLES, USER_ROLE.COPILOT]);
+  const projectId = _.parseInt(req.params.projectId);
+  const isAdmin = util.hasRoles(req, ADMIN_ROLES);
 
-  if (!hasAccess) {
-    return reject(new Error('You do not have permissions to perform this action'));
+  if (isAdmin) {
+    return resolve(true);
   }
 
-  return resolve(true);
+  return models.ProjectMember.getActiveProjectMembers(projectId)
+    .then((members) => {
+      req.context = req.context || {};
+      req.context.currentProjectMembers = members;
+      const validMemberProjectRoles = [
+        PROJECT_MEMBER_ROLE.MANAGER,
+        PROJECT_MEMBER_ROLE.COPILOT,
+      ];
+      // check if the copilot or manager has access to this project
+      const isMember = _.some(
+        members,
+m => m.userId === req.authUser.userId && validMemberProjectRoles.includes(m.role),
+      );
+
+      if (!isMember) {
+        // the copilot or manager is not a registered project member
+        return reject(new Error('You do not have permissions to perform this action'));
+      }
+      return resolve(true);
+    });
 });

src/routes/metadata/list.js

@@ -78,6 +78,14 @@ module.exports = [
       attributes: { exclude: ['deletedAt', 'deletedBy'] },
       raw: true,
     };
+    const projectProductTemplateQuery = {
+      where: {
+        deletedAt: { $eq: null },
+        disabled: false,
+      },
+      attributes: { exclude: ['deletedAt', 'deletedBy'] },
+      raw: true,
+    };
 
     // when user query with includeAllReferred, return result with all used version of
     // Form, PriceConfig, PlanConfig
@@ -97,8 +105,8 @@ module.exports = [
         }).then((latestVersionModels) => {
           latestVersion = latestVersionModels;
           return Promise.all([
-            models.ProjectTemplate.findAll(query),
-            models.ProductTemplate.findAll(query),
+            models.ProjectTemplate.findAll(projectProductTemplateQuery),
+            models.ProductTemplate.findAll(projectProductTemplateQuery),
             models.MilestoneTemplate.findAll(query),
             models.ProjectType.findAll(query),
             models.ProductCategory.findAll(query),
@@ -121,8 +129,8 @@ module.exports = [
         .catch(next);
     }
     return Promise.all([
-      models.ProjectTemplate.findAll(query),
-      models.ProductTemplate.findAll(query),
+      models.ProjectTemplate.findAll(projectProductTemplateQuery),
+      models.ProductTemplate.findAll(projectProductTemplateQuery),
       models.MilestoneTemplate.findAll(query),
       models.ProjectType.findAll(query),
       models.ProductCategory.findAll(query),

src/routes/metadata/list.spec.js

@@ -26,6 +26,7 @@ const projectTemplates = [
     priceConfig: { key: 'key1', version: 1 },
     createdBy: 1,
     updatedBy: 1,
+    disabled: false,
   },
 ];
 const productTemplates = [

src/routes/milestoneTemplates/clone.js

@@ -30,7 +30,7 @@ module.exports = [
   (req, res, next) => {
     let result;
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Find the product template
       models.MilestoneTemplate.findAll({
         where: {
@@ -48,7 +48,7 @@ module.exports = [
             milestone.createdBy = req.authUser.userId; // eslint-disable-line no-param-reassign
             milestone.updatedBy = req.authUser.userId; // eslint-disable-line no-param-reassign
           });
-          return models.MilestoneTemplate.bulkCreate(newMilestoneTemplates, { transaction: tx });
+          return models.MilestoneTemplate.bulkCreate(newMilestoneTemplates);
         })
         .then(() => { // eslint-disable-line arrow-body-style
           return models.MilestoneTemplate.findAll({

src/routes/milestoneTemplates/create.js

@@ -51,9 +51,9 @@ module.exports = [
     });
     let result;
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Create the milestone template
-      models.MilestoneTemplate.create(entity, { transaction: tx })
+      models.MilestoneTemplate.create(entity)
         .then((createdEntity) => {
           // Omit deletedAt and deletedBy
           result = _.omit(createdEntity.toJSON(), 'deletedAt', 'deletedBy');
@@ -67,7 +67,6 @@ module.exports = [
               id: { $ne: result.id },
               order: { $gte: result.order },
             },
-            transaction: tx,
           });
         }),
     )

src/routes/milestones/create.js

@@ -73,9 +73,9 @@ module.exports = [
       return next(apiErr);
     }
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Save to DB
-      models.Milestone.create(entity, { transaction: tx })
+      models.Milestone.create(entity)
         .then((createdEntity) => {
           // Omit deletedAt, deletedBy
           result = _.omit(createdEntity.toJSON(), 'deletedAt', 'deletedBy');
@@ -88,7 +88,6 @@ module.exports = [
               id: { $ne: result.id },
               order: { $gte: result.order },
             },
-            transaction: tx,
           });
         }),
     )

src/routes/milestones/delete.js

@@ -29,11 +29,10 @@ module.exports = [
       id: req.params.milestoneId,
     };
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Find the milestone
       models.Milestone.findOne({
         where,
-        transaction: tx,
       })
         .then((milestone) => {
           // Not found
@@ -44,8 +43,8 @@ module.exports = [
           }
 
           // Update the deletedBy, and soft delete
-          return milestone.update({ deletedBy: req.authUser.userId }, { transaction: tx })
-            .then(() => milestone.destroy({ transaction: tx }));
+          return milestone.update({ deletedBy: req.authUser.userId })
+            .then(() => milestone.destroy());
         }),
     )
     .then((deleted) => {

src/routes/phaseProducts/create.spec.js

@@ -177,7 +177,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/99999/phases/${phaseId}/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -188,7 +188,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/${projectId}/phases/99999/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -220,6 +220,68 @@ describe('Phase Products', () => {
         });
     });
 
+    it('should return 201 if requested by admin', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(201)
+        .end(done);
+    });
+
+    it('should return 201 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(201)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.copilot}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(403)
+          .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();

src/routes/phaseProducts/delete.spec.js

@@ -156,7 +156,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/999/phases/${phaseId}/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -166,7 +166,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/99999/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -176,7 +176,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/99999`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -192,6 +192,60 @@ describe('Phase Products', () => {
         .end(err => expectAfterDelete(projectId, phaseId, productId, err, done));
     });
 
+    it('should return 204 if requested by admin', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .expect(204)
+        .end(done);
+    });
+
+    it('should return 204 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .expect(204)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
+        })
+        .expect(403)
+        .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();