Merge pull request #1363 from Real-Dev-Squad/feat/issue1314

Author: iamitprakash

constants/userDataLevels.js

@@ -0,0 +1,21 @@
+const ACCESS_LEVEL = {
+  PUBLIC: "public",
+  INTERNAL: "internal",
+  PRIVATE: "private",
+  CONFIDENTIAL: "confidential",
+};
+
+const ROLE_LEVEL = {
+  private: ["super_user"],
+  internal: ["super_user"],
+  confidential: ["super_user"],
+};
+
+const KEYS_NOT_ALLOWED = {
+  public: ["email", "phone", "chaincode"],
+  internal: ["phone", "chaincode"],
+  private: ["chaincode"],
+  confidential: [],
+};
+
+module.exports = { ACCESS_LEVEL, KEYS_NOT_ALLOWED, ROLE_LEVEL };

constants/users.js

@@ -4,8 +4,6 @@ const profileStatus = {
   NOT_APPROVED: "NOT APPROVED",
 };
 
-const USER_SENSITIVE_DATA = ["phone", "email", "chaincode", "tokens"];
-
 const USER_STATUS = {
   OOO: "ooo",
   IDLE: "idle",
@@ -23,5 +21,4 @@ module.exports = {
   profileStatus,
   USER_STATUS,
   ALLOWED_FILTER_PARAMS,
-  USER_SENSITIVE_DATA,
 };

controllers/users.js

@@ -101,9 +101,10 @@ const getUsers = async (req, res) => {
     }
 
     const data = await dataAccess.retrieveUsers({ query: req.query });
+
     return res.json({
       message: "Users returned successfully!",
-      users: data.allUsers,
+      users: data.users,
       links: {
         next: data.nextId ? getPaginationLink(req.query, "next", data.nextId) : "",
         prev: data.prevId ? getPaginationLink(req.query, "prev", data.prevId) : "",
@@ -205,10 +206,9 @@ const getUsernameAvailabilty = async (req, res) => {
 const getSelfDetails = async (req, res) => {
   try {
     if (req.userData) {
-      if (req.query.private) {
-        return res.send(req.userData);
-      }
-      const user = await dataAccess.retrieveUsers({ userdata: req.userData });
+      const user = await dataAccess.retrieveUsers({
+        userdata: req.userData,
+      });
       return res.send(user);
     }
     return res.boom.notFound("User doesn't exist");
@@ -407,6 +407,7 @@ const updateUser = async (req, res) => {
 const generateChaincode = async (req, res) => {
   try {
     const { id } = req.userData;
+
     const chaincode = await chaincodeQuery.storeChaincode(id);
     await userQuery.addOrUpdate({ chaincode }, id);
     return res.json({

middlewares/authenticate.js

@@ -1,5 +1,5 @@
 const authService = require("../services/authService");
-const users = require("../models/users");
+const dataAccess = require("../services/dataAccessLayer");
 
 /**
  * Middleware to check if the user has been restricted. If user is restricted,
@@ -54,7 +54,7 @@ module.exports = async (req, res, next) => {
     const { userId } = authService.verifyAuthToken(token);
 
     // add user data to `req.userData` for further use
-    const userData = await users.fetchUser({ userId });
+    const userData = await dataAccess.retrieveUsers({ id: userId });
     req.userData = userData.user;
 
     return checkRestricted(req, res, next);
@@ -79,8 +79,7 @@ module.exports = async (req, res, next) => {
         });
 
         // add user data to `req.userData` for further use
-        req.userData = await users.fetchUser({ userId });
-
+        req.userData = await dataAccess.retrieveUsers({ id: userId });
         return checkRestricted(req, res, next);
       } else {
         return res.boom.unauthorized("Unauthenticated User");

services/dataAccessLayer.js

@@ -1,13 +1,15 @@
 const userQuery = require("../models/users");
 const members = require("../models/members");
-const { USER_SENSITIVE_DATA } = require("../constants/users");
+const { ROLE_LEVEL, KEYS_NOT_ALLOWED, ACCESS_LEVEL } = require("../constants/userDataLevels");
 
 const retrieveUsers = async ({
   id = null,
   username = null,
   usernames = null,
   query = null,
   userdata,
+  level = ACCESS_LEVEL.PUBLIC,
+  role = null,
   userIds = [],
 }) => {
   if (id || username) {
@@ -17,79 +19,93 @@ const retrieveUsers = async ({
     } else {
       result = await userQuery.fetchUser({ username: username });
     }
-    removeSensitiveInfo(result.user);
+    const user = levelSpecificAccess(result.user, level, role);
+    result.user = user;
     return result;
   } else if (usernames) {
     const { users } = await userQuery.fetchUsers(usernames);
-    users.forEach((element) => {
-      removeSensitiveInfo(element);
+    const result = [];
+    users.forEach((userdata) => {
+      const user = levelSpecificAccess(userdata, level, role);
+      result.push(user);
     });
-    return users;
+    return result;
   } else if (userIds.length > 0) {
     const userDetails = await userQuery.fetchUserByIds(userIds);
-
     Object.keys(userDetails).forEach((userId) => {
       removeSensitiveInfo(userDetails[userId]);
     });
-
     return userDetails;
   } else if (query) {
     const { allUsers, nextId, prevId } = await userQuery.fetchPaginatedUsers(query);
-    allUsers.forEach((element) => {
-      removeSensitiveInfo(element);
+    const users = [];
+    allUsers.forEach((userdata) => {
+      const user = levelSpecificAccess(userdata, level, role);
+      users.push(user);
     });
-    return { allUsers, nextId, prevId };
+    return { users, nextId, prevId };
   } else {
-    removeSensitiveInfo(userdata);
-    return userdata;
+    const result = await userQuery.fetchUser({ userId: userdata.id });
+    return levelSpecificAccess(result.user, level, role);
   }
 };
 
-const retrieveDiscordUsers = async () => {
+const retrieveDiscordUsers = async (level = ACCESS_LEVEL.PUBLIC, role = null) => {
   const users = await userQuery.getDiscordUsers();
-  users.forEach((element) => {
-    removeSensitiveInfo(element);
+  const usersData = [];
+  users.forEach((userdata) => {
+    const user = levelSpecificAccess(userdata, level, role);
+    usersData.push(user);
   });
-  return users;
+  return usersData;
 };
 
 const retreiveFilteredUsers = async (query) => {
   const users = await userQuery.getUsersBasedOnFilter(query);
-  users.forEach((element) => {
-    removeSensitiveInfo(element);
+  users.forEach((userdata) => {
+    removeSensitiveInfo(userdata);
   });
   return users;
 };
 
 const retrieveMembers = async (query) => {
   const allUsers = await members.fetchUsers(query);
-  allUsers.forEach((element) => {
-    removeSensitiveInfo(element);
+  allUsers.forEach((userdata) => {
+    removeSensitiveInfo(userdata);
   });
   return allUsers;
 };
 
 const retrieveUsersWithRole = async (role) => {
   const users = await members.fetchUsersWithRole(role);
-  users.forEach((element) => {
-    removeSensitiveInfo(element);
+  users.forEach((userdata) => {
+    removeSensitiveInfo(userdata);
   });
   return users;
 };
 
-const removeSensitiveInfo = function (obj) {
-  for (let i = 0; i < USER_SENSITIVE_DATA.length; i++) {
-    if (Object.prototype.hasOwnProperty.call(obj, USER_SENSITIVE_DATA[i])) {
-      delete obj[USER_SENSITIVE_DATA[i]];
+const removeSensitiveInfo = function (obj, level = ACCESS_LEVEL.PUBLIC) {
+  for (let i = 0; i < KEYS_NOT_ALLOWED[level].length; i++) {
+    if (Object.prototype.hasOwnProperty.call(obj, KEYS_NOT_ALLOWED[level][i])) {
+      delete obj[KEYS_NOT_ALLOWED[level][i]];
     }
   }
 };
 
+const levelSpecificAccess = (user, level = ACCESS_LEVEL.PUBLIC, role = null) => {
+  if (level === ACCESS_LEVEL.PUBLIC || ROLE_LEVEL[level].includes(role)) {
+    removeSensitiveInfo(user, level);
+    return user;
+  }
+  return "unauthorized";
+};
+
 module.exports = {
   retrieveUsers,
   removeSensitiveInfo,
   retrieveDiscordUsers,
   retrieveMembers,
   retrieveUsersWithRole,
   retreiveFilteredUsers,
+  levelSpecificAccess,
 };

test/fixtures/user/user.js

@@ -267,12 +267,6 @@ module.exports = () => {
       linkedin_id: "testuser1",
       github_id: "testuser1",
       github_display_name: "Test User",
-      phone: "1234567890",
-      email: "[email protected]",
-      chaincode: "1234",
-      tokens: {
-        githubAccessToken: "githubAccessToken",
-      },
       roles: {
         member: true,
       },
@@ -329,6 +323,29 @@ module.exports = () => {
       twitter_id: "ramsingh123",
       linkedin_id: "ramsingh123",
     },
+    {
+      username: "testuser3",
+      first_name: "test3",
+      last_name: "user3",
+      yoe: 1,
+      img: "./img.png",
+      linkedin_id: "testuser1",
+      github_id: "testuser",
+      github_display_name: "Test User 3",
+      phone: "1234567890",
+      email: "[email protected]",
+      chaincode: "12345",
+      tokens: {
+        githubAccessToken: "githubAccessToken",
+      },
+      roles: {
+        member: true,
+      },
+      picture: {
+        publicId: "profile/mtS4DhUvNYsKqI7oCWVB/aenklfhtjldc5ytei3ar",
+        url: "https://res.cloudinary.com/realdevsquad/image/upload/v1667685133/profile/mtS4DhUvNYsKqI7oCWVB/aenklfhtjldc5ytei3ar.jpg",
+      },
+    },
     {
       username: "sahsisunny",
       first_name: "sunny",

test/integration/tasks.test.js

@@ -767,7 +767,7 @@ describe("Tasks", function () {
     });
 
     it("Should return Forbidden error if task is not assigned to self", async function () {
-      const { userId } = await addUser(userData[0]);
+      const userId = await addUser(userData[0]);
       const jwt = authService.generateAuthToken({ userId });
 
       const res = await chai.request(app).patch(`/tasks/self/${taskId1}`).set("cookie", `${cookieName}=${jwt}`);

test/integration/users.test.js

@@ -290,7 +290,6 @@ describe("Users", function () {
           expect(res.body.users).to.be.a("array");
           expect(res.body.users[0]).to.not.have.property("phone");
           expect(res.body.users[0]).to.not.have.property("email");
-          expect(res.body.users[0]).to.not.have.property("tokens");
           expect(res.body.users[0]).to.not.have.property("chaincode");
 
           return done();
@@ -315,7 +314,6 @@ describe("Users", function () {
           });
           expect(res.body.users[0]).to.not.have.property("phone");
           expect(res.body.users[0]).to.not.have.property("email");
-          expect(res.body.users[0]).to.not.have.property("tokens");
           expect(res.body.users[0]).to.not.have.property("chaincode");
           return done();
         });
@@ -341,7 +339,6 @@ describe("Users", function () {
           expect(res.body.users.length).to.equal(1);
           expect(res.body.users[0]).to.not.have.property("phone");
           expect(res.body.users[0]).to.not.have.property("email");
-          expect(res.body.users[0]).to.not.have.property("tokens");
           expect(res.body.users[0]).to.not.have.property("chaincode");
           return done();
         });
@@ -552,31 +549,11 @@ describe("Users", function () {
           expect(res.body).to.be.a("object");
           expect(res.body).to.not.have.property("phone");
           expect(res.body).to.not.have.property("email");
-          expect(res.body).to.not.have.property("tokens");
           expect(res.body).to.not.have.property("chaincode");
           return done();
         });
     });
 
-    it("Should return details with phone and email when query 'private' is true", function (done) {
-      chai
-        .request(app)
-        .get("/users/self")
-        .query({ private: true })
-        .set("cookie", `${cookieName}=${jwt}`)
-        .end((err, res) => {
-          if (err) {
-            return done();
-          }
-
-          expect(res).to.have.status(200);
-          expect(res.body).to.be.a("object");
-          expect(res.body).to.have.property("phone");
-          expect(res.body).to.have.property("email");
-          return done();
-        });
-    });
-
     it("Should return 401 if not logged in", function (done) {
       chai
         .request(app)
@@ -616,7 +593,6 @@ describe("Users", function () {
           expect(res.body.user).to.be.a("object");
           expect(res.body.user).to.not.have.property("phone");
           expect(res.body.user).to.not.have.property("email");
-          expect(res.body.user).to.not.have.property("tokens");
           expect(res.body.user).to.not.have.property("chaincode");
           return done();
         });
@@ -658,7 +634,6 @@ describe("Users", function () {
           expect(res.body.user).to.be.a("object");
           expect(res.body.user).to.not.have.property("phone");
           expect(res.body.user).to.not.have.property("email");
-          expect(res.body.user).to.not.have.property("tokens");
           expect(res.body.user).to.not.have.property("chaincode");
           return done();
         });

test/integration/usersFilter.test.js

@@ -365,7 +365,6 @@ describe("Filter Users", function () {
           res.body.users.forEach((user) => {
             expect(user).to.not.have.property("phone");
             expect(user).to.not.have.property("email");
-            expect(user).to.not.have.property("tokens");
           });
           return done();
         });

test/unit/models/users.test.js

@@ -94,7 +94,7 @@ describe("users", function () {
     });
 
     it("It should have created_At and updated_At fields", async function () {
-      const userData = userDataArray[14];
+      const userData = userDataArray[15];
       await users.addOrUpdate(userData);
       const githubUsername = "sahsisunny";
       const { user, userExists } = await users.fetchUser({ githubUsername });
@@ -279,7 +279,7 @@ describe("users", function () {
     });
     it("returns users with member role", async function () {
       const members = await users.getUsersByRole("member");
-      expect(members.length).to.be.equal(6);
+      expect(members.length).to.be.equal(7);
       members.forEach((member) => {
         expect(member.roles.member).to.be.equal(true);
       });