- change maskInviteEmails to postProcessInvites which will be post-processing on invite(s) with following constraints:

  1. email field will be omitted from invite if the invite has defined userId
  2. email field (if existed) will be masked UNLESS current user has admin permissions OR current user created this invite
- also apply this post-processing when creating invite.

Author: gets0ul

src/routes/projectMemberInvites/create.js

@@ -395,9 +395,9 @@ module.exports = [
             })
         ))
         .then((values) => {
-          const response = _.assign({}, { success: values });
+          const response = _.assign({}, { success: util.postProcessInvites('$[*]', values, req) });
           if (failed.length) {
-            res.status(403).json(_.assign({}, response, { failed }));
+            res.status(403).json(_.assign({}, response, { failed: util.postProcessInvites('$[*]', failed, req) }));
           } else {
             res.status(201).json(response);
           }

src/routes/projectMemberInvites/create.spec.js

@@ -393,7 +393,7 @@ describe('Project Member Invite create', () => {
             should.exist(resJson);
             resJson.role.should.equal('customer');
             resJson.projectId.should.equal(project2.id);
-            resJson.email.should.equal('hello@world.com');
+            resJson.email.should.equal('h***o@w***d.com');
             resJson.hashEmail.should.equal(md5('hello@world.com'));
             server.services.pubsub.publish.calledWith('project.member.invite.created').should.be.true;
             done();
@@ -446,8 +446,8 @@ describe('Project Member Invite create', () => {
             resJson.role.should.equal('customer');
             resJson.projectId.should.equal(project2.id);
             resJson.userId.should.equal(12345);
-            resJson.email.should.equal('hello@world.com');
-            resJson.hashEmail.should.equal(md5('hello@world.com'));
+            should.not.exist(resJson.email);
+            should.not.exist(resJson.hashEmail);
             server.services.pubsub.publish.calledWith('project.member.invite.created').should.be.true;
             done();
           }
@@ -563,7 +563,7 @@ describe('Project Member Invite create', () => {
           } else {
             const resJson = res.body.failed;
             should.exist(resJson);
-            resJson[0].email.should.equal('romit.choudhary@rivigo.com');
+            resJson[0].email.should.equal('r***y@r***o.com');
             resJson[0].message.should.equal('User with such email is already a member of the team.');
             resJson.length.should.equal(1);
             server.services.pubsub.publish.neverCalledWith('project.member.invite.created').should.be.true;
@@ -802,7 +802,7 @@ describe('Project Member Invite create', () => {
           } else {
             const resJson = res.body.failed;
             should.exist(resJson);
-            resJson[0].email.should.equal('duplicate_lowercase@test.com');
+            resJson[0].email.should.equal('d***e@t***t.com');
             resJson[0].message.should.equal('User with such email is already invited to this project.');
             resJson.length.should.equal(1);
             done();
@@ -828,7 +828,7 @@ describe('Project Member Invite create', () => {
           } else {
             const resJson = res.body.failed;
             should.exist(resJson);
-            resJson[0].email.should.equal('DUPLICATE_UPPERCASE@test.com'); // email is masked
+            resJson[0].email.should.equal('D***E@t***t.com'); // email is masked
             resJson[0].message.should.equal('User with such email is already invited to this project.');
             resJson.length.should.equal(1);
             done();

src/routes/projectMemberInvites/get.js

@@ -114,7 +114,7 @@ module.exports = [
           return invite;
         })
     ))
-    .then(invite => res.json(util.maskInviteEmails('$[*].email', invite, req)))
+    .then(invite => res.json(util.postProcessInvites('$.email', invite, req)))
     .catch(next);
   },
 ];

src/routes/projectMemberInvites/get.spec.js

@@ -55,7 +55,7 @@ describe('GET Project Member Invite', () => {
           const invite2 = models.ProjectMemberInvite.create({
             id: 2,
             userId: testUtil.userIds.copilot,
-            email: null,
+            email: 'test@topcoder.com',
             projectId: project1.id,
             role: 'copilot',
             createdBy: 1,
@@ -80,6 +80,15 @@ describe('GET Project Member Invite', () => {
         }).then((p) => {
           project2 = p;
 
+          // create members
+          const pm2 = models.ProjectMember.create({
+            userId: testUtil.userIds.romit,
+            projectId: project2.id,
+            role: 'copilot',
+            isPrimary: true,
+            createdBy: 1,
+            updatedBy: 1,
+          });
           // create invite 3
           const invite3 = models.ProjectMemberInvite.create({
             id: 3,
@@ -104,7 +113,7 @@ describe('GET Project Member Invite', () => {
             status: INVITE_STATUS.ACCEPTED,
           });
 
-          return Promise.all([invite3, invite4]);
+          return Promise.all([pm2, invite3, invite4]);
         });
         return Promise.all([p1, p2])
             .then(() => done());
@@ -206,6 +215,7 @@ describe('GET Project Member Invite', () => {
             const resJson = res.body;
             should.exist(resJson);
             should.exist(resJson.projectId);
+            should.not.exist(resJson.email);                                
             resJson.id.should.be.eql(2);
             resJson.userId.should.be.eql(testUtil.userIds.copilot);
             resJson.status.should.be.eql(INVITE_STATUS.PENDING);
@@ -237,5 +247,28 @@ describe('GET Project Member Invite', () => {
           }
         });
     });
+
+    it('should return the invite with masked email if user get not his/her own invitation by email', (done) => {
+      request(server)
+        .get(`/v5/projects/${project2.id}/invites/3`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.romit}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            should.exist(resJson.projectId);
+            resJson.id.should.be.eql(3);
+            resJson.email.should.be.eql('t***t@t***r.com');
+            resJson.status.should.be.eql(INVITE_STATUS.PENDING);
+            done();
+          }
+        });
+    });
   });
 });

src/routes/projectMemberInvites/list.js

@@ -103,7 +103,7 @@ module.exports = [
             return invites;
           })
       ))
-      .then(invites => res.json(util.maskInviteEmails('$[*].email', invites, req)))
+      .then(invites => res.json(util.postProcessInvites('$[*]', invites, req)))
       .catch(next);
   },
 ];

src/routes/projectMemberInvites/list.spec.js

@@ -81,6 +81,16 @@ describe('GET Project Member Invites', () => {
         }).then((p) => {
           project2 = p;
 
+          // create members
+          const pm2 = models.ProjectMember.create({
+            userId: testUtil.userIds.romit,
+            projectId: project2.id,
+            role: 'copilot',
+            isPrimary: true,
+            createdBy: 1,
+            updatedBy: 1,
+          });
+
           // create invite 3
           const invite3 = models.ProjectMemberInvite.create({
             id: 3,
@@ -105,7 +115,7 @@ describe('GET Project Member Invites', () => {
             status: INVITE_STATUS.ACCEPTED,
           });
 
-          return Promise.all([invite3, invite4]);
+          return Promise.all([pm2, invite3, invite4]);
         });
         return Promise.all([p1, p2])
             .then(() => done());
@@ -209,6 +219,7 @@ describe('GET Project Member Invites', () => {
             resJson.length.should.be.eql(1);
             // check invitations
             _.filter(resJson, inv => inv.id === 2).length.should.be.eql(1);
+            should.not.exist(resJson[0].email);
             done();
           }
         });
@@ -253,6 +264,31 @@ describe('GET Project Member Invites', () => {
             resJson.length.should.be.eql(1);
             // check invitations
             _.filter(resJson, inv => inv.id === 3).length.should.be.eql(1);
+            resJson[0].email.should.be.eql('test@topcoder.com');
+            done();
+          }
+        });
+    });
+
+    it('should return the invite with masked email if user get not his/her own invitation by email', (done) => {
+      request(server)
+        .get(`/v5/projects/${project2.id}/invites`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.romit}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.should.be.an('array');
+            resJson.length.should.be.eql(1);
+            // check invitations
+            _.filter(resJson, inv => inv.id === 3).length.should.be.eql(1);
+            resJson[0].email.should.be.eql('t***t@t***r.com');
             done();
           }
         });

src/routes/projectMemberInvites/update.js

@@ -122,11 +122,11 @@ module.exports = [
                   };
                   return util
                     .addUserToProject(req, member)
-                    .then(() => res.json(util.maskInviteEmails('$.email', updatedInvite, req)))
+                    .then(() => res.json(util.postProcessInvites('$.email', updatedInvite, req)))
                     .catch(err => next(err));
                 });
             }
-            return res.json(util.maskInviteEmails('$.email', updatedInvite, req));
+            return res.json(util.postProcessInvites('$.email', updatedInvite, req));
           });
       })
       .catch(next);

src/routes/projects/get.js

@@ -186,7 +186,7 @@ module.exports = [
       req.log.debug('Project found in ES');
       return result;
     }).then((project) => {
-      res.status(200).json(util.maskInviteEmails('$.invites[?(@.email)]', project, req));
+      res.status(200).json(util.postProcessInvites('$.invites[?(@.email)]', project, req));
     })
       .catch(err => next(err));
   },

src/routes/projects/get.spec.js

@@ -526,6 +526,28 @@ describe('GET Project', () => {
         });
       });
 
+      it('should not return "email" for any invite which has userId field', (done) => {
+        request(server)
+        .get(`/v5/projects/${project1.id}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body;
+            should.exist(resJson);
+            resJson.invites.length.should.be.eql(1);
+            resJson.invites[0].should.have.property('userId');
+            should.not.exist(resJson.invites[0].email);
+            done();
+          }
+        });
+      });
+
       it('should only return "members.role" field, when it\'s the only field listed in "fields" query param', (done) => {
         request(server)
         .get(`/v5/projects/${project1.id}?fields=members.role`)

src/routes/projects/list.js

@@ -629,15 +629,18 @@ module.exports = [
           // so we don't want DB to return unrelated data, ref issue #450
           if (_.intersection(_.keys(filters), SUPPORTED_FILTERS).length > 0) {
             req.log.debug('Don\'t fallback to DB because some filters are defined.');
-            return util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', result, req));
+            return util.setPaginationHeaders(req, res,
+              util.postProcessInvites('$.rows[*].invites[?(@.email)]', result, req));
           }
 
           return retrieveProjectsFromDB(req, criteria, sort, req.query.fields)
-            .then(r => util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', r, req)));
+            .then(r => util.setPaginationHeaders(req, res,
+              util.postProcessInvites('$.rows[*].invites[?(@.email)]', r, req)));
         }
         req.log.debug('Projects found in ES');
         // set header
-        return util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', result, req));
+        return util.setPaginationHeaders(req, res,
+          util.postProcessInvites('$.rows[*].invites[?(@.email)]', result, req));
       })
         .catch(err => next(err));
     }
@@ -655,14 +658,17 @@ module.exports = [
           // so we don't want DB to return unrelated data, ref issue #450
           if (_.intersection(_.keys(filters), SUPPORTED_FILTERS).length > 0) {
             req.log.debug('Don\'t fallback to DB because some filters are defined.');
-            return util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', result, req));
+            return util.setPaginationHeaders(req, res,
+              util.postProcessInvites('$.rows[*].invites[?(@.email)]', result, req));
           }
 
           return retrieveProjectsFromDB(req, criteria, sort, req.query.fields)
-            .then(r => util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', r, req)));
+            .then(r => util.setPaginationHeaders(req, res,
+              util.postProcessInvites('$.rows[*].invites[?(@.email)]', r, req)));
         }
         req.log.debug('Projects found in ES');
-        return util.setPaginationHeaders(req, res, util.maskInviteEmails('$[*].invites[?(@.email)]', result, req));
+        return util.setPaginationHeaders(req, res,
+          util.postProcessInvites('$.rows[*].invites[?(@.email)]', result, req));
       })
       .catch(err => next(err));
   },

src/routes/projects/list.spec.js

@@ -173,8 +173,8 @@ describe('LIST Project', () => {
   let project1;
   let project2;
   let project3;
-  before(function inner(done) {
-    this.timeout(10000);
+  before((done) => {
+    // this.timeout(10000);
     testUtil.clearDb()
       .then(() => testUtil.clearES())
       .then(() => {
@@ -376,6 +376,10 @@ describe('LIST Project', () => {
               const resJson = res.body;
               should.exist(resJson);
               resJson.should.have.lengthOf(2);
+              resJson[0].invites[0].should.have.property('userId');
+              should.not.exist(resJson[0].invites[0].email);
+              resJson[1].invites[0].should.have.property('userId');
+              should.not.exist(resJson[1].invites[0].email);
               done();
             }
           });
@@ -1070,6 +1074,9 @@ describe('LIST Project', () => {
               should.exist(resJson);
               resJson.should.have.lengthOf(1);
               resJson[0].name.should.equal('test1');
+              resJson[0].invites.should.have.lengthOf(1);
+              resJson[0].invites[0].should.have.property('userId');
+              should.not.exist(resJson[0].invites[0].email);
               done();
             }
           });