From 64efe2a41f9b6d74d9063e9fdbad224fcb95488a Mon Sep 17 00:00:00 2001
From: Maksym Mykhailenko
Date: Fri, 17 Apr 2020 13:33:56 +0300
Subject: [PATCH 1/2] fix: don't mask email in invite by email When user is invited by email he should be able to see email in his invite without mask ref issue #548
---
 src/util.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/util.js b/src/util.js
index 0a773e8d..429415be 100644
--- a/src/util.js
+++ b/src/util.js
@@ -653,6 +653,7 @@ _.assignIn(util, {
 const isAdmin = util.hasPermission({ topcoderRoles: [USER_ROLE.TOPCODER_ADMIN] }, req.authUser);
 const currentUserId = req.authUser.userId;
+ const currentUserEmail = req.authUser.email;
 // admins can get data as it is
 if (isAdmin) {
@@ -669,7 +670,13 @@ _.assignIn(util, {
 const canSeeEmail = (
 isAdmin || // admin
 invite.createdBy === currentUserId || // user who created invite
- invite.userId === currentUserId // user who is invited
+ (invite.userId !== null && invite.userId === currentUserId) || // user who is invited by `handle`
+ ( // user who is invited by `email` (invite doesn't have `userId`)
+ invite.userId === null &&
+ invite.email &&
+ currentUserEmail &&
+ invite.email.toLowerCase() === currentUserEmail.toLowerCase()
+ )
 );
 // mask email if user cannot see it
 _.assign(invite, {
From 356405eca6f76cb94427a5c2b3c8970860600562 Mon Sep 17 00:00:00 2001
From: Maksym Mykhailenko
Date: Fri, 17 Apr 2020 13:59:51 +0300
Subject: [PATCH 2/2] fix: unit tests for invites
---
 src/routes/projectMemberInvites/get.spec.js | 3 ++-
 src/routes/projectMemberInvites/list.spec.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/routes/projectMemberInvites/get.spec.js b/src/routes/projectMemberInvites/get.spec.js
index 4120c1f4..50596887 100644
--- a/src/routes/projectMemberInvites/get.spec.js
+++ b/src/routes/projectMemberInvites/get.spec.js
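Review bot: In the second hunk of src/util.js the `canSeeEmail` guards compare `invite.userId` against `null` only, so an invite whose `userId` is `undefined` never reaches the email branch, and if `req.authUser.userId` were also undefined the handle branch would pass on `undefined === undefined` and leave the email unmasked. Whether either value can be undefined is not visible here, but lodash is already in use and `_.isNil` covers both: `(!_.isNil(invite.userId) && invite.userId === currentUserId) ||` and, in the email branch, `_.isNil(invite.userId) &&`. The first hunk makes `req.authUser.email` an input to this access decision, so a comment on that line such as `// taken from the authenticated token; used to match email-only invites` would record that it must never come from request input. The enclosing function starts and ends outside both hunks.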
@@ -227,7 +227,8 @@ describe('GET Project Member Invite', () => {
 should.exist(resJson);
 should.exist(resJson.projectId);
 resJson.id.should.be.eql(3);
- resJson.email.should.be.eql('t***t@t***r.com'); // masked
+ // not masked, because user who is invited by email is the user who is calling this endpoint
+ resJson.email.should.be.eql('test@topcoder.com');
 resJson.status.should.be.eql(INVITE_STATUS.PENDING);
 done();
 }
diff --git a/src/routes/projectMemberInvites/list.spec.js b/src/routes/projectMemberInvites/list.spec.js
index 56388f2e..a19e1066 100644
--- a/src/routes/projectMemberInvites/list.spec.js
+++ b/src/routes/projectMemberInvites/list.spec.js
@@ -252,7 +252,8 @@ describe('GET Project Member Invites', () => {
 resJson.length.should.be.eql(1);
 // check invitations
 _.filter(resJson, inv => inv.id === 3).length.should.be.eql(1);
- resJson[0].email.should.be.eql('t***t@t***r.com'); // masked
+ // not masked, because user who is invited by email is the user who is calling this endpoint
+ resJson[0].email.should.be.eql('test@topcoder.com');
 done();
 }
 });
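Review bot: The updated assertions in get.spec.js and the matching one in list.spec.js only cover an invite whose stored email equals the caller's email exactly, so the case-insensitive comparison and the `userId === null` precondition added in src/util.js are not exercised. A companion case where the caller's token email differs only in letter case from the invite email (expect the unmasked value), and one where a different non-admin caller reads the same invite (expect `t***t@t***r.com`), would pin the access rule. Such cases may already exist elsewhere in these specs; both test bodies start outside the hunks.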