Merge branch 'develop' into feat/user-ooo-approve-reject

Author: surajmaity1

constants/progresses.ts

@@ -22,6 +22,8 @@ const PROGRESSES_SIZE = 20;
 const PROGRESSES_PAGE_SIZE = 0;
 const VALID_PROGRESS_TYPES = ["task", "user"];
 
+const UNAUTHORIZED_WRITE = "Unauthorized to write progress of task";
+
 module.exports = {
   PROGRESSES_RESPONSE_MESSAGES,
   MILLISECONDS_IN_DAY,
@@ -31,4 +33,5 @@ module.exports = {
   PROGRESS_VALID_SORT_FIELDS,
   PROGRESSES_SIZE,
   PROGRESSES_PAGE_SIZE,
+  UNAUTHORIZED_WRITE,
 };

controllers/extensionRequests.js

@@ -204,20 +204,21 @@ const getSelfExtensionRequests = async (req, res) => {
 const updateExtensionRequest = async (req, res) => {
   const { dev } = req.query;
   const isDev = dev === "true";
+  const isSuperUser = req.userData?.roles.super_user;
   try {
     const extensionRequest = await extensionRequestsQuery.fetchExtensionRequest(req.params.id);
     if (!extensionRequest.extensionRequestData) {
       return res.boom.notFound("Extension Request not found");
     }
 
-    if (
-      isDev &&
-      !req.userData?.roles.super_user &&
-      extensionRequest.extensionRequestData.status !== EXTENSION_REQUEST_STATUS.PENDING
-    ) {
+    if (isDev && !isSuperUser && extensionRequest.extensionRequestData.status !== EXTENSION_REQUEST_STATUS.PENDING) {
       return res.boom.badRequest("Only pending extension request can be updated");
     }
 
+    if (isDev && !isSuperUser && extensionRequest.extensionRequestData.assigneeId !== req.userData.id) {
+      return res.boom.forbidden("You don't have permission to update the extension request");
+    }
+
     if (req.body.assignee) {
       const { taskData: task } = await tasks.fetchTask(extensionRequest.extensionRequestData.taskId);
       if (task.assignee !== (await getUsername(req.body.assignee))) {

controllers/progresses.js

@@ -5,6 +5,7 @@ const {
   INTERNAL_SERVER_ERROR_MESSAGE,
   PROGRESSES_SIZE,
   PROGRESSES_PAGE_SIZE,
+  UNAUTHORIZED_WRITE,
 } = require("../constants/progresses");
 const { sendTaskUpdate } = require("../utils/sendTaskUpdate");
 const { PROGRESS_DOCUMENT_RETRIEVAL_SUCCEEDED, PROGRESS_DOCUMENT_CREATED_SUCCEEDED } = PROGRESSES_RESPONSE_MESSAGES;
@@ -45,6 +46,10 @@ const { PROGRESS_DOCUMENT_RETRIEVAL_SUCCEEDED, PROGRESS_DOCUMENT_CREATED_SUCCEED
  */
 
 const createProgress = async (req, res) => {
+  if (req.userData.roles.archived) {
+    return res.boom.forbidden(UNAUTHORIZED_WRITE);
+  }
+
   const {
     body: { type, completed, planned, blockers, taskId },
   } = req;

test/integration/extensionRequests.test.js

@@ -22,7 +22,7 @@ const user = userData[6];
 const appOwner = userData[3];
 const superUser = userData[4];
 
-let appOwnerjwt, superUserJwt, jwt, superUserId, extensionRequestId5;
+let appOwnerjwt, superUserJwt, jwt, user2Jwt, superUserId, extensionRequestId5;
 
 describe("Extension Requests", function () {
   let taskId0,
@@ -40,13 +40,15 @@ describe("Extension Requests", function () {
 
   before(async function () {
     const userId = await addUser(user);
+    const userId2 = await addUser(userData[5]);
     user.id = userId;
     const appOwnerUserId = await addUser(appOwner);
     appOwner.id = appOwnerUserId;
     superUserId = await addUser(superUser);
     appOwnerjwt = authService.generateAuthToken({ userId: appOwnerUserId });
     superUserJwt = authService.generateAuthToken({ userId: superUserId });
     jwt = authService.generateAuthToken({ userId: userId });
+    user2Jwt = authService.generateAuthToken({ userId: userId2 });
 
     const taskData = [
       {
@@ -1094,6 +1096,26 @@ describe("Extension Requests", function () {
         });
     });
 
+    it("should return forbidden response if superuser or request owner does not update the request when dev is enabled", function (done) {
+      chai
+        .request(app)
+        .patch(`/extension-requests/${extensionRequestId4}?dev=true`)
+        .set("cookie", `${cookieName}=${user2Jwt}`)
+        .send({
+          title: "new-title",
+        })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+          expect(res).to.have.status(403);
+          expect(res.body)
+            .to.have.property("message")
+            .that.equals("You don't have permission to update the extension request");
+          return done();
+        });
+    });
+
     it("Should return 400 if assignee of the extensionrequest is upated with a different user", function (done) {
       chai
         .request(app)

test/integration/progressesTasks.test.js

@@ -16,7 +16,7 @@ const {
 
 const userData = require("../fixtures/user/user")();
 const taskData = require("../fixtures/tasks/tasks")();
-const { INTERNAL_SERVER_ERROR_MESSAGE } = require("../../constants/progresses");
+const { INTERNAL_SERVER_ERROR_MESSAGE, UNAUTHORIZED_WRITE } = require("../../constants/progresses");
 const cookieName = config.get("userToken.cookieName");
 const { expect } = chai;
 
@@ -32,6 +32,8 @@ describe("Test Progress Updates API for Tasks", function () {
     let taskId1;
     let taskId2;
     let fetchMock;
+    let archivedUserId;
+    let archivedUserToken;
 
     beforeEach(async function () {
       fetchMock = sinon.stub(global, "fetch");
@@ -40,6 +42,8 @@ describe("Test Progress Updates API for Tasks", function () {
         toFake: ["Date"],
       });
       userId = await addUser(userData[1]);
+      archivedUserId = await addUser(userData[5]);
+      archivedUserToken = authService.generateAuthToken({ userId: archivedUserId });
       userToken = authService.generateAuthToken({ userId: userId });
       const taskObject1 = await tasks.updateTask(taskData[0]);
       taskId1 = taskObject1.taskId;
@@ -165,6 +169,22 @@ describe("Test Progress Updates API for Tasks", function () {
           return done();
         });
     });
+
+    it("should return forbidden response when user is not in discord", function (done) {
+      chai
+        .request(app)
+        .post("/progresses")
+        .set("Cookie", `${cookieName}=${archivedUserToken}`)
+        .send(taskProgressDay1("1111"))
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+          expect(res.statusCode).to.equal(403);
+          expect(res.body.message).to.equal(UNAUTHORIZED_WRITE);
+          return done();
+        });
+    });
   });
 
   describe("Verify the GET progress records", function () {