Restricts what roles can be added to user discord profile (#1743)

* fix: restricts random roleid and userid.

* fix: test cases

Author: Ajeyakrishna-k

controllers/discordactions.js

@@ -4,7 +4,7 @@ const config = require("config");
 const jwt = require("jsonwebtoken");
 const discordRolesModel = require("../models/discordactions");
 const discordServices = require("../services/discordService");
-const { fetchAllUsers } = require("../models/users");
+const { fetchAllUsers, fetchUser } = require("../models/users");
 const discordDeveloperRoleId = config.get("discordDeveloperRoleId");
 const discordMavenRoleId = config.get("discordMavenRoleId");
 
@@ -23,9 +23,9 @@ const createGroupRole = async (req, res) => {
   try {
     const rolename = `group-${req.body.rolename}`;
 
-    const { wasSuccess } = await discordRolesModel.isGroupRoleExists(rolename);
+    const { roleExists } = await discordRolesModel.isGroupRoleExists({ rolename });
 
-    if (!wasSuccess) {
+    if (roleExists) {
       return res.status(400).json({
         message: "Role already exists!",
       });
@@ -109,6 +109,15 @@ const addGroupRoleToMember = async (req, res) => {
       ...req.body,
       date: admin.firestore.Timestamp.fromDate(new Date()),
     };
+    const roleExistsPromise = discordRolesModel.isGroupRoleExists({
+      roleid: memberGroupRole.roleid,
+    });
+    const userDataPromise = fetchUser({ discordId: memberGroupRole.userid });
+    const [{ roleExists }, userData] = await Promise.all([roleExistsPromise, userDataPromise]);
+
+    if (!roleExists || req.userData.id !== userData.user.id) {
+      res.boom.forbidden("Permission denied. Cannot add the role.");
+    }
 
     const { roleData, wasSuccess } = await discordRolesModel.addGroupRoleToMember(memberGroupRole);
 
@@ -146,6 +155,17 @@ const addGroupRoleToMember = async (req, res) => {
 const deleteRole = async (req, res) => {
   try {
     const { roleid, userid } = req.body;
+
+    const roleExistsPromise = discordRolesModel.isGroupRoleExists({
+      roleid,
+    });
+    const userDataPromise = fetchUser({ discordId: userid });
+    const [{ roleExists }, userData] = await Promise.all([roleExistsPromise, userDataPromise]);
+
+    if (!roleExists || req.userData.id !== userData.user.id) {
+      res.boom.forbidden("Permission denied. Cannot delete the role.");
+    }
+
     const { wasSuccess } = await discordRolesModel.removeMemberGroup(roleid, userid);
     if (wasSuccess) {
       return res.status(200).json({ message: "Role deleted successfully" });

models/discordactions.js

@@ -124,19 +124,32 @@ const updateGroupRole = async (roleData, docId) => {
 };
 /**
  *
- * @param roleData { Object }: Data of the new role
+ * @param options { Object }: Data of the new role
+ * @param options.rolename String : name of the role
+ * @param options.roleId String : id of the role
  * @returns {Promise<discordRoleModel|Object>}
  */
 
-const isGroupRoleExists = async (rolename) => {
+const isGroupRoleExists = async (options = {}) => {
   try {
-    const alreadyIsRole = await discordRoleModel.where("rolename", "==", rolename).limit(1).get();
-    if (!alreadyIsRole.empty) {
-      const oldRole = [];
-      alreadyIsRole.forEach((role) => oldRole.push(role.data()));
-      return { wasSuccess: false };
+    const { rolename = null, roleid = null } = options;
+
+    let existingRoles;
+    if (rolename && roleid) {
+      existingRoles = await discordRoleModel
+        .where("rolename", "==", rolename)
+        .where("roleid", "==", roleid)
+        .limit(1)
+        .get();
+    } else if (rolename) {
+      existingRoles = await discordRoleModel.where("rolename", "==", rolename).limit(1).get();
+    } else if (roleid) {
+      existingRoles = await discordRoleModel.where("roleid", "==", roleid).limit(1).get();
+    } else {
+      throw Error("Either rolename or roleId is required");
     }
-    return { wasSuccess: true };
+
+    return { roleExists: !existingRoles.empty };
   } catch (err) {
     logger.error("Error in getting all group-roles", err);
     throw err;

test/fixtures/discordactions/discordactions.js

@@ -1,7 +1,7 @@
 const groupData = [
-  { rolename: "Group 1", roleid: 1 },
-  { rolename: "Group 2", roleid: 2 },
-  { rolename: "Group 3", roleid: 3 },
+  { rolename: "Group 1", roleid: "1" },
+  { rolename: "Group 2", roleid: "2" },
+  { rolename: "Group 3", roleid: "3" },
 ];
 
 const groupIdle7d = { rolename: "group-idle-7d+", roleid: 4, createdBy: "1dad23q23j131j" };

test/integration/discordactions.test.js

@@ -50,7 +50,7 @@ describe("Discord actions", function () {
   let jwt;
   beforeEach(async function () {
     fetchStub = sinon.stub(global, "fetch");
-    userId = await addUser();
+    userId = await addUser(userData[0]);
     superUserId = await addUser(superUser);
     superUserAuthToken = authService.generateAuthToken({ userId: superUserId });
     jwt = authService.generateAuthToken({ userId });
@@ -190,12 +190,70 @@ describe("Discord actions", function () {
     });
   });
 
+  describe("POST /discord-actions/roles", function () {
+    let roleid;
+    beforeEach(async function () {
+      const discordRoleModelPromise = [discordRoleModel.add(groupData[0]), discordRoleModel.add(groupData[1])];
+      roleid = groupData[0].roleid;
+      await Promise.all(discordRoleModelPromise);
+    });
+
+    afterEach(async function () {
+      sinon.restore();
+      await cleanDb();
+    });
+
+    it("should allow role to be added", async function () {
+      fetchStub.returns(
+        Promise.resolve({
+          status: 200,
+          json: () => Promise.resolve({}),
+        })
+      );
+      const res = await chai
+        .request(app)
+        .post("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid, userid: userData[0].discordId });
+
+      expect(res).to.have.status(201);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Role added successfully!");
+    });
+    it("should not allow unknown role to be added to user", async function () {
+      const res = await chai
+        .request(app)
+        .post("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid: "randomId", userid: "abc" });
+
+      expect(res).to.have.status(403);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Permission denied. Cannot add the role.");
+    });
+    it("should not allow role to be added when userid does not belong to authenticated user", async function () {
+      const res = await chai
+        .request(app)
+        .post("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid, userid: "asdf" });
+
+      expect(res).to.have.status(403);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Permission denied. Cannot add the role.");
+    });
+  });
   describe("DELETE /discord-actions/roles", function () {
+    let roleid;
+
     beforeEach(async function () {
       const addRolePromises = memberGroupData.map(async (data) => {
         await memberRoleModel.add(data);
       });
-
+      const discordRoleModelPromise = [discordRoleModel.add(groupData[0]), discordRoleModel.add(groupData[1])];
+      await Promise.all(discordRoleModelPromise);
+      roleid = groupData[0].roleid;
+      await memberRoleModel.add({ roleid, userid: userData[0].discordId });
       await Promise.all(addRolePromises);
     });
 
@@ -215,7 +273,7 @@ describe("Discord actions", function () {
         .request(app)
         .delete("/discord-actions/roles")
         .set("cookie", `${cookieName}=${jwt}`)
-        .send(memberGroupData[0])
+        .send({ roleid, userid: userData[0].discordId })
         .end((err, res) => {
           if (err) {
             return done(err);
@@ -229,16 +287,34 @@ describe("Discord actions", function () {
         });
     });
 
+    it("should not allow unknown role to be deleted from user", async function () {
+      const res = await chai
+        .request(app)
+        .delete("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid: "randomId", userid: "abc" });
+
+      expect(res).to.have.status(403);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Permission denied. Cannot delete the role.");
+    });
+    it("should not allow role to be deleted when userid does not belong to authenticated user", async function () {
+      const res = await chai
+        .request(app)
+        .delete("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid, userid: "asdf" });
+
+      expect(res).to.have.status(403);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Permission denied. Cannot delete the role.");
+    });
     it("should handle internal server error", function (done) {
-      const mockdata = {
-        roleid: "mockroleid",
-        userid: "mockUserId",
-      };
       chai
         .request(app)
         .delete("/discord-actions/roles")
         .set("cookie", `${cookieName}=${jwt}`)
-        .send(mockdata)
+        .send({ roleid, userid: userData[0].discordId })
         .end((err, res) => {
           if (err) {
             return done(err);

test/unit/models/discordactions.test.js

@@ -87,51 +87,59 @@ describe("discordactions", function () {
   });
 
   describe("isGroupRoleExists", function () {
-    let getStub;
-
-    beforeEach(function () {
-      getStub = sinon.stub(discordRoleModel, "where").returns({
-        limit: sinon.stub().resolves({
-          empty: true,
-          forEach: sinon.stub(),
-        }),
-      });
+    let roleid;
+    let rolename;
+    beforeEach(async function () {
+      const discordRoleModelPromise = [discordRoleModel.add(groupData[0]), discordRoleModel.add(groupData[1])];
+      roleid = groupData[0].roleid;
+      rolename = groupData[0].rolename;
+      await Promise.all(discordRoleModelPromise);
     });
 
-    afterEach(function () {
-      getStub.restore();
+    afterEach(async function () {
+      sinon.restore();
+      await cleanDb();
     });
 
-    it("should return true if role doesn't exist in the database", async function () {
-      const result = await isGroupRoleExists("Test Role");
-      expect(result.wasSuccess).to.equal(true);
-      expect(getStub.calledOnceWith("rolename", "==", "Test Role")).to.equal(false);
+    it("should return false if rolename doesn't exist in the database", async function () {
+      const rolename = "Test Role";
+      const result = await isGroupRoleExists({ rolename });
+      expect(result.roleExists).to.equal(false);
     });
-
-    it("should return false if role already exists in the database", async function () {
-      const existingRole = { rolename: "Test Role" };
-      const callbackFunction = (role) => {
-        const roleData = role.data();
-        existingRole.push(roleData);
-      };
-
-      getStub.returns({
-        limit: sinon.stub().resolves({
-          empty: false,
-          forEach: callbackFunction,
-        }),
+    it("should return false if roleid doesn't exist in the database", async function () {
+      const roleid = "Test Role";
+      const result = await isGroupRoleExists({ roleid });
+      expect(result.roleExists).to.equal(false);
+    });
+    it("should return true if roleid exist in the database", async function () {
+      const result = await isGroupRoleExists({ roleid });
+      expect(result.roleExists).to.equal(true);
+    });
+    it("should return true if rolename exist in the database", async function () {
+      const result = await isGroupRoleExists({ rolename });
+      expect(result.roleExists).to.equal(true);
+    });
+    it("should return true if rolename and roleid exists in the database", async function () {
+      const result = await isGroupRoleExists({ rolename, roleid });
+      expect(result.roleExists).to.equal(true);
+    });
+    it("should return false if either rolename and roleid does not exist in the database", async function () {
+      const rolenameResult = await isGroupRoleExists({ rolename: "adf", roleid });
+      expect(rolenameResult.roleExists).to.equal(false);
+      const roleIdResult = await isGroupRoleExists({ rolename, roleid: "abc44" });
+      expect(roleIdResult.roleExists).to.equal(false);
+    });
+    it("should throw an error if rolename and roleid are not passed", async function () {
+      return isGroupRoleExists({}).catch((err) => {
+        expect(err).to.be.an.instanceOf(Error);
+        expect(err.message).to.equal("Either rolename or roleId is required");
       });
-
-      const errorCallback = sinon.stub();
-      const result = await isGroupRoleExists("Test Role");
-      expect(result.wasSuccess).to.equal(true);
-      expect(getStub.calledOnceWith("rolename", "==", "Test Role")).to.equal(false);
-      expect(errorCallback.calledOnce).to.equal(false);
     });
-
     it("should throw an error if getting group-roles fails", async function () {
-      getStub.rejects(new Error("Database error"));
-      return isGroupRoleExists("Test Role").catch((err) => {
+      sinon.stub(discordRoleModel, "where").rejects(new Error("Database error"));
+      const rolename = "Test Role";
+
+      return isGroupRoleExists({ rolename }).catch((err) => {
         expect(err).to.be.an.instanceOf(Error);
         expect(err.message).to.equal("Database error");
       });