Fix copilotAndAbove permission to check that users is a member of the project

src/permissions/copilotAndAbove.js

@@ -1,18 +1,45 @@
+import _ from 'lodash';
 import util from '../util';
-import { MANAGER_ROLES, USER_ROLE } from '../constants';
+import {
+  PROJECT_MEMBER_ROLE,
+  ADMIN_ROLES,
+} from '../constants';
+import models from '../models';
 
 
 /**
- * Permission to alloow copilot and above roles to perform certain operations
+ * Permission to allow copilot and above roles to perform certain operations
+ * - User with Topcoder admins roles should be able to perform the operations.
+ * - Project members with copilot and manager Project roles should be also able to perform the operations.
  * @param {Object}    req         the express request instance
  * @return {Promise}              returns a promise
  */
 module.exports = req => new Promise((resolve, reject) => {
-  const hasAccess = util.hasRoles(req, [...MANAGER_ROLES, USER_ROLE.COPILOT]);
+  const projectId = _.parseInt(req.params.projectId);
+  const isAdmin = util.hasRoles(req, ADMIN_ROLES);
 
-  if (!hasAccess) {
-    return reject(new Error('You do not have permissions to perform this action'));
+  if (isAdmin) {
+    return resolve(true);
   }
 
-  return resolve(true);
+  return models.ProjectMember.getActiveProjectMembers(projectId)
+    .then((members) => {
+      req.context = req.context || {};
+      req.context.currentProjectMembers = members;
+      const validMemberProjectRoles = [
+        PROJECT_MEMBER_ROLE.MANAGER,
+        PROJECT_MEMBER_ROLE.COPILOT,
+      ];
+      // check if the copilot or manager has access to this project
+      const isMember = _.some(
+        members,
+m => m.userId === req.authUser.userId && validMemberProjectRoles.includes(m.role),
+      );
+
+      if (!isMember) {
+        // the copilot or manager is not a registered project member
+        return reject(new Error('You do not have permissions to perform this action'));
+      }
+      return resolve(true);
+    });
 });

src/routes/phaseProducts/create.spec.js

@@ -177,7 +177,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/99999/phases/${phaseId}/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -188,7 +188,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/${projectId}/phases/99999/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -220,6 +220,68 @@ describe('Phase Products', () => {
         });
     });
 
+    it('should return 201 if requested by admin', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(201)
+        .end(done);
+    });
+
+    it('should return 201 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(201)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.copilot}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(403)
+          .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();

src/routes/phaseProducts/delete.spec.js

@@ -156,7 +156,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/999/phases/${phaseId}/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -166,7 +166,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/99999/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -176,7 +176,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/99999`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -192,6 +192,60 @@ describe('Phase Products', () => {
         .end(err => expectAfterDelete(projectId, phaseId, productId, err, done));
     });
 
+    it('should return 204 if requested by admin', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .expect(204)
+        .end(done);
+    });
+
+    it('should return 204 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .expect(204)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
+        })
+        .expect(403)
+        .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();

src/routes/phaseProducts/update.spec.js

@@ -51,7 +51,7 @@ describe('Phase Products', () => {
     lastName: 'lName',
     email: 'some@abc.com',
   };
-  before((done) => {
+  beforeEach((done) => {
     // mocks
     testUtil.clearDb()
         .then(() => {
@@ -144,7 +144,7 @@ describe('Phase Products', () => {
       request(server)
         .patch(`/v4/projects/999/phases/${phaseId}/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: updateBody })
         .expect('Content-Type', /json/)
@@ -155,7 +155,7 @@ describe('Phase Products', () => {
       request(server)
         .patch(`/v4/projects/${projectId}/phases/99999/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
         })
         .send({ param: updateBody })
         .expect('Content-Type', /json/)
@@ -166,7 +166,7 @@ describe('Phase Products', () => {
       request(server)
         .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/99999`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
         })
         .send({ param: updateBody })
         .expect('Content-Type', /json/)
@@ -177,7 +177,7 @@ describe('Phase Products', () => {
       request(server)
         .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/99999`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
         })
         .send({
           param: {
@@ -214,6 +214,68 @@ describe('Phase Products', () => {
         });
     });
 
+    it('should return 200 if requested by admin', (done) => {
+      request(server)
+        .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .send({ param: updateBody })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end(done);
+    });
+
+    it('should return 200 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .send({ param: updateBody })
+          .expect('Content-Type', /json/)
+          .expect(200)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send({ param: updateBody })
+        .expect('Content-Type', /json/)
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+          .patch(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.copilot}`,
+          })
+          .send({ param: updateBody })
+          .expect('Content-Type', /json/)
+          .expect(403)
+          .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();