Fix: Allow Only Super Users or Request Owners to Edit Extension Requests (#2398)

* fix: allow only super users or request owners to edit request

* refactor: extract isSuperUser variable to improve readability

* refactor/test name

* refactor/jwt-token-name

* fix:test-case-fail

* refactor/uneccessay-change

---------

Co-authored-by: Achintya Chatterjee <[email protected]>

Author: AnujChhikara

controllers/extensionRequests.js

@@ -204,20 +204,21 @@ const getSelfExtensionRequests = async (req, res) => {
 const updateExtensionRequest = async (req, res) => {
   const { dev } = req.query;
   const isDev = dev === "true";
+  const isSuperUser = req.userData?.roles.super_user;
   try {
     const extensionRequest = await extensionRequestsQuery.fetchExtensionRequest(req.params.id);
     if (!extensionRequest.extensionRequestData) {
       return res.boom.notFound("Extension Request not found");
     }
 
-    if (
-      isDev &&
-      !req.userData?.roles.super_user &&
-      extensionRequest.extensionRequestData.status !== EXTENSION_REQUEST_STATUS.PENDING
-    ) {
+    if (isDev && !isSuperUser && extensionRequest.extensionRequestData.status !== EXTENSION_REQUEST_STATUS.PENDING) {
       return res.boom.badRequest("Only pending extension request can be updated");
     }
 
+    if (isDev && !isSuperUser && extensionRequest.extensionRequestData.assigneeId !== req.userData.id) {
+      return res.boom.forbidden("You don't have permission to update the extension request");
+    }
+
     if (req.body.assignee) {
       const { taskData: task } = await tasks.fetchTask(extensionRequest.extensionRequestData.taskId);
       if (task.assignee !== (await getUsername(req.body.assignee))) {

test/integration/extensionRequests.test.js

@@ -22,7 +22,7 @@ const user = userData[6];
 const appOwner = userData[3];
 const superUser = userData[4];
 
-let appOwnerjwt, superUserJwt, jwt, superUserId, extensionRequestId5;
+let appOwnerjwt, superUserJwt, jwt, user2Jwt, superUserId, extensionRequestId5;
 
 describe("Extension Requests", function () {
   let taskId0,
@@ -40,13 +40,15 @@ describe("Extension Requests", function () {
 
   before(async function () {
     const userId = await addUser(user);
+    const userId2 = await addUser(userData[5]);
     user.id = userId;
     const appOwnerUserId = await addUser(appOwner);
     appOwner.id = appOwnerUserId;
     superUserId = await addUser(superUser);
     appOwnerjwt = authService.generateAuthToken({ userId: appOwnerUserId });
     superUserJwt = authService.generateAuthToken({ userId: superUserId });
     jwt = authService.generateAuthToken({ userId: userId });
+    user2Jwt = authService.generateAuthToken({ userId: userId2 });
 
     const taskData = [
       {
@@ -1094,6 +1096,26 @@ describe("Extension Requests", function () {
         });
     });
 
+    it("should return forbidden response if superuser or request owner does not update the request when dev is enabled", function (done) {
+      chai
+        .request(app)
+        .patch(`/extension-requests/${extensionRequestId4}?dev=true`)
+        .set("cookie", `${cookieName}=${user2Jwt}`)
+        .send({
+          title: "new-title",
+        })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+          expect(res).to.have.status(403);
+          expect(res.body)
+            .to.have.property("message")
+            .that.equals("You don't have permission to update the extension request");
+          return done();
+        });
+    });
+
     it("Should return 400 if assignee of the extensionrequest is upated with a different user", function (done) {
       chai
         .request(app)