[$150] Fix copilotAndAbove permission to check that users is a member of the project

[maxceem]

From @vikasrohit

API for adding phases to a project endpoint does not validate if the caller is a member of the project or not. So, a copilot of one project can add phases to any other project in Connect. I am not sure if this is the case with other phase or other entities options as well.

I see that permission copilotAndAbove doesn't check if the user is a member of a project or no, only user role of Topcoder, see https://github.com/topcoder-platform/tc-project-service/blob/challenge%2F30095006/src/permissions/copilotAndAbove.js#L11

This rule is used for all the CRUD endpoints for phases and products, see https://github.com/topcoder-platform/tc-project-service/blob/challenge%2F30095006/src/permissions/index.js#L43-L48

@vikasrohit

1. Should managers only be able to update projects which are they member of or no?

[vikasrohit]

Connect Manager s should also be restricted to add phases to the projects they are part of. They can always join the project at their will, but this restriction would prevent any accidental modification of the plan.

[maxceem]

@vikasrohit last question, what about admins? Should they also be members of the project to add phases?

[vikasrohit]

No, Connect Admin and administrators can do any change to any project.

[maxceem]

To sum up:

1. We should fix the permission checking method copilotAndAbove so:
   1. User with Topcoder admins roles should be able to perform operations. See example of checking Topcoder roles.
   2. Project members with copilot and manager Project roles should be also able to perform the operations. See example of checking Project roles.
2. We should add unit tests for each endpoint which is used by copilotAndAbove permission method and test the next cases:
   1. Users with admin Topcoder roles can do actions even they are not project members
   2. Users with Project copilot roles can do actions
   3. Users with Topcoder Connect Copilot roles cannot do actions when they are NOT members
   4. Users with Project manager roles can do actions
   5. Users with Topcoder Connect Manager roles cannot do actions when they are NOT members
   6. Users with Project account_manager cannot do actions

[PrakashDurlabhji]

@maxceem will it be open soon?

[maxceem]

@vikasrohit to confirm, should account mangers be able to add phases and so on when they are members of the project?

[maxceem]

@PrakashDurlabhji yes, it will be opened as soon as all the details are clarified. Note, as per this Bug Bash rules we do not allow to reserve issues. As soon as this issue is open for pick up, the first who comments will take it.

[PrakashDurlabhji]

@maxceem sure i understand, whoever comments first when it is opened, issue goes to them

[vikasrohit]

should account mangers be able to add phases and so on when they are members of the project?

No, they are restricted to manage the projecgt plan.

[maxceem]

This issue is now open for pick up.

Issue summary is provided at the comment #332 (comment).

[romitgit]

Please assign to me

[PrakashDurlabhji]

give to me thanks