Merge pull request #1692 from CVEProject/cb_1612_conversation_updates

Conversation Edits

Author: david-rocca

schemas/conversation/conversation.json

@@ -46,6 +46,15 @@
       "format": "date-time",
       "description": "Timestamp when the message was posted"
     },
+    "edited_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "Timestamp when the message was last edited"
+    },
+    "editor_id": {
+      "type": "string",
+      "description": "UUID of the user who last edited the message"
+    },
     "last_updated": {
       "type": "string",
       "format": "date-time",

schemas/conversation/update-conversation-response.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://cve.mitre.org/schema/conversation/update-conversation-response.json",
+  "type": "object",
+  "title": "Update Conversation Response",
+  "description": "JSON Schema for the response when updating a conversation",
+  "properties": {
+    "message": {
+      "type": "string",
+      "description": "Response message"
+    },
+    "conversation": {
+      "$ref": "conversation.json",
+      "description": "The updated conversation message"
+    }
+  }
+}

src/controller/org.controller/index.js

@@ -1078,6 +1078,81 @@ router.post('/registry/org/:shortname/user/:username/revoke-role',
   registryUserController.REVOKE_ROLE
 )
 
+router.put('/registry/org/:shortname/conversation/:index',
+  /*
+  #swagger.tags = ['Registry Organization']
+  #swagger.operationId = 'registryUserUpdateConversation'
+  #swagger.summary = "Update the conversation at the given index for the given organization (accessible to Secretariat or Org Admin)"
+  #swagger.description = "
+        <h2>Access Control</h2>
+        <p>User must belong to an organization with the <b>Secretariat</b> role or be an <b>Admin</b> of the organization</p>
+        <h2>Expected Behavior</h2>
+        <p><b>Admin User:</b> Allowed to update only the message body of any conversation posted by them</p>
+        <p><b>Secretariat:</b> Allowed to update the message body and/or visibility of any conversation</p>"
+  #swagger.parameters['shortname'] = { description: 'The shortname of the organization' }
+  #swagger.parameters['index'] = { description: 'The index of the conversation to update' }
+  #swagger.parameters['$ref'] = [
+    '#/components/parameters/apiEntityHeader',
+    '#/components/parameters/apiUserHeader',
+    '#/components/parameters/apiSecretHeader'
+  ]
+  #swagger.responses[200] = {
+    description: 'Returns the updated conversation',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/conversation/update-conversation-response.json' }
+      }
+    }
+  }
+  #swagger.responses[400] = {
+    description: 'Bad Request',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/bad-request.json' }
+      }
+    }
+  }
+  #swagger.responses[401] = {
+    description: 'Not Authenticated',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[403] = {
+    description: 'Forbidden',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[404] = {
+    description: 'Not Found',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[500] = {
+    description: 'Internal Server Error',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  */
+  mw.useRegistry(),
+  mw.validateUser,
+  mw.onlyOrgWithPartnerRole,
+  parseError,
+  parsePostParams,
+  registryOrgController.EDIT_CONVERSATION
+)
+
 router.get('/org',
   /*
   #swagger.tags = ['Organization']

src/controller/registry-org.controller/error.js

@@ -92,6 +92,27 @@ class RegistryOrgControllerError extends idrErr.IDRError {
     return err
   }
 
+  conversationDne (shortname, index) {
+    const err = {}
+    err.error = 'CONVERSATION_DNE'
+    err.message = `The conversation at index ${index} does not exist for the ${shortname} organization.`
+    return err
+  }
+
+  notAllowedToEditConversation () {
+    const err = {}
+    err.error = 'NOT_ALLOWED_TO_EDIT_CONVERSATION'
+    err.message = 'You must be the original author or Secretariat to edit this conversation.'
+    return err
+  }
+
+  notAllowedToChangeConversationVisibility () {
+    const err = {}
+    err.error = 'NOT_ALLOWED_TO_CHANGE_CONVERSATION_VISIBILITY'
+    err.message = 'Only the Secretariat is allowed to change the visibility of a conversation.'
+    return err
+  }
+
   invalidConversationObject () {
     const err = {}
     err.error = 'BAD_INPUT'

src/controller/registry-org.controller/registry-org.controller.js

@@ -594,12 +594,97 @@ async function createUserByOrg (req, res, next) {
   }
 }
 
+/**
+ * Updates the conversation at the provided index for the given organization.
+ *
+ * @async
+ * @function editConversationForOrg
+ * @param {object} req - The Express request object, containing the organization shortname in `req.ctx.params.shortname` and conversation updates in `req.ctx.body`.
+ * @param {object} res - The Express response object.
+ * @param {function} next - The next middleware function.
+ * @returns {Promise<void>} - A promise that resolves when the response is sent.
+ * @description User must be the original author of the conversation or the Secretariat role.
+ *              The original author is allowed to update the conversation message body.
+ *              Secretariat is allowed to update the conversation message body and visibility.
+ *              Called by PUT /api/registry/org/:shortname/conversation/:index
+ */
+async function editConversationForOrg (req, res, next) {
+  const orgRepo = req.ctx.repositories.getBaseOrgRepository()
+  const userRepo = req.ctx.repositories.getBaseUserRepository()
+  const conversationRepo = req.ctx.repositories.getConversationRepository()
+  const requesterUsername = req.ctx.user
+  const orgShortName = req.ctx.params.shortname
+  const index = req.params.index
+  const incomingParameters = req.ctx.body
+  let returnValue
+
+  const session = await mongoose.startSession({ causalConsistency: false })
+  try {
+    // Check if org exists
+    const orgUUID = await orgRepo.getOrgUUID(orgShortName, {}, false)
+    if (!orgUUID) {
+      logger.info({ uuid: req.ctx.uuid, message: 'The conversation could not be edited because ' + orgShortName + ' organization does not exist.' })
+      return res.status(404).json(error.orgDnePathParam(orgShortName))
+    }
+
+    try {
+      session.startTransaction()
+      // Fetch conversation
+      const conversation = await conversationRepo.findByTargetUUIDAndIndex(orgUUID, index, { session })
+      if (!conversation) {
+        logger.info({ uuid: req.ctx.uuid, message: `The conversation at index ${index} does not exist for the ${orgShortName} organization.` })
+        return res.status(404).json(error.conversationDne(orgShortName, index))
+      }
+
+      // Check if user has permissions to edit conversation
+      const isSecretariat = await orgRepo.isSecretariatByShortName(req.ctx.org, { session })
+      const userUUID = await userRepo.getUserUUID(requesterUsername, req.ctx.org, { session })
+      if (conversation.author_id !== userUUID && !isSecretariat) {
+        logger.info({ uuid: req.ctx.uuid, message: 'The user does not have permission to edit this conversation.' })
+        return res.status(403).json(error.notAllowedToEditConversation())
+      }
+
+      // Check if user has permission to change visibility of conversation
+      if (incomingParameters.visibility && !isSecretariat) {
+        logger.info({ uuid: req.ctx.uuid, message: 'Only the Secretariat is allowed to change the visibility of a conversation.' })
+        return res.status(403).json(error.notAllowedToChangeConversationVisibility())
+      }
+
+      // Make the edit
+      returnValue = await conversationRepo.editConversation(conversation.UUID, incomingParameters, userUUID, { session })
+      await session.commitTransaction()
+    } catch (error) {
+      await session.abortTransaction()
+      throw error
+    } finally {
+      await session.endSession()
+    }
+
+    const responseMessage = {
+      message: 'The conversation was successfully updated.',
+      updated: returnValue
+    }
+
+    const payload = {
+      action: 'update_org_conversation',
+      change: `Conversation at index ${index} for org ${orgShortName} was successfully updated.`,
+      req_UUID: req.ctx.uuid,
+      org_UUID: orgUUID
+    }
+    logger.info(JSON.stringify(payload))
+    return res.status(200).json(responseMessage)
+  } catch (err) {
+    next(err)
+  }
+}
+
 module.exports = {
   ALL_ORGS: getAllOrgs,
   SINGLE_ORG: getOrg,
   CREATE_ORG: createOrg,
   UPDATE_ORG: updateOrg,
   DELETE_ORG: deleteOrg,
   USER_ALL: getUsers,
-  USER_CREATE_SINGLE: createUserByOrg
+  USER_CREATE_SINGLE: createUserByOrg,
+  EDIT_CONVERSATION: editConversationForOrg
 }

src/model/conversation.js

@@ -12,7 +12,9 @@ const schema = {
   author_role: String,
   visibility: String,
   body: String,
-  posted_at: Date
+  posted_at: Date,
+  edited_at: Date,
+  editor_id: String
 }
 
 const ConversationSchema = new mongoose.Schema(schema, { collection: 'Conversation', timestamps: { createdAt: 'posted_at', updatedAt: 'last_updated' } })

src/repositories/conversationRepository.js

@@ -36,10 +36,27 @@ class ConversationRepository extends BaseRepository {
   }
 
   async getAllByTargetUUID (targetUUID, isSecretariat, options = {}) {
-    const conversations = await ConversationModel.find({ target_uuid: targetUUID }, null, options)
+    const conversations = await ConversationModel.find({ target_uuid: targetUUID }, null, {
+      ...options,
+      sort: {
+        posted_at: 1,
+        UUID: 1
+      }
+    })
     return conversations.map(convo => convo.toObject()).filter(conv => isSecretariat || conv.visibility === 'public')
   }
 
+  async findByTargetUUIDAndIndex (targetUUID, index, options = {}) {
+    const conversation = await ConversationModel.find({ target_uuid: targetUUID }, null, {
+      ...options,
+      sort: {
+        posted_at: 1,
+        UUID: 1
+      }
+    }).skip(index).limit(1)
+    return conversation[0]
+  }
+
   async createConversation (targetUUID, body, user, isSecretariat, options = {}) {
     const { getUserFullName } = require('../utils/utils')
     const newUUID = uuid.v4()
@@ -57,13 +74,29 @@ class ConversationRepository extends BaseRepository {
       author_id: user.UUID,
       author_name: getUserFullName(user),
       author_role: isSecretariat ? 'Secretariat' : 'Partner',
+      editor_id: null,
+      edited_at: null,
       visibility: !isSecretariat ? 'public' : (['public', 'private'].includes(body.visibility?.toLowerCase()) ? body.visibility.toLowerCase() : 'private'),
       body: body.body
     }
     const newConversation = new ConversationModel(conversationObj)
     const result = await newConversation.save(options)
     return result.toObject()
   }
+
+  async editConversation (UUID, incomingParameters, userUUID, options = {}) {
+    const conversation = await this.findOneByUUID(UUID, options)
+    if (incomingParameters?.body) {
+      conversation.body = incomingParameters.body
+    }
+    if (incomingParameters?.visibility) {
+      conversation.visibility = incomingParameters.visibility
+    }
+    conversation.editor_id = userUUID
+    conversation.edited_at = Date.now()
+    const result = await conversation.save(options)
+    return result.toObject()
+  }
 }
 
 module.exports = ConversationRepository