Bug : Added checks to validate user groups (#1942)

Author: joyguptaa

controllers/discordactions.js

@@ -115,7 +115,14 @@ const addGroupRoleToMember = async (req, res) => {
     const [{ roleExists, existingRoles }, userData] = await Promise.all([roleExistsPromise, userDataPromise]);
 
     if (!roleExists || req.userData.id !== userData.user.id) {
-      res.boom.forbidden("Permission denied. Cannot add the role.");
+      return res.boom.forbidden("Permission denied. Cannot add the role.");
+    }
+
+    if (existingRoles.docs.length > 0) {
+      const roleDetails = existingRoles.docs[0].data();
+      if (roleDetails.rolename && !roleDetails.rolename.startsWith("group-")) {
+        return res.boom.forbidden("Cannot use rolename that is not a group role");
+      }
     }
 
     const { roleData, wasSuccess } = await discordRolesModel.addGroupRoleToMember(memberGroupRole);
@@ -163,7 +170,7 @@ const deleteRole = async (req, res) => {
     const [{ roleExists }, userData] = await Promise.all([roleExistsPromise, userDataPromise]);
 
     if (!roleExists || req.userData.id !== userData.user.id) {
-      res.boom.forbidden("Permission denied. Cannot delete the role.");
+      return res.boom.forbidden("Permission denied. Cannot delete the role.");
     }
     await discordServices.removeRoleFromUser(roleid, userid, req.userData);
 

test/fixtures/discordactions/discordactions.js

@@ -2,6 +2,7 @@ const groupData = [
   { rolename: "Group 1", roleid: "1" },
   { rolename: "Group 2", roleid: "2" },
   { rolename: "Group 3", roleid: "3" },
+  { rolename: "admin", roleid: "4" },
 ];
 
 const groupIdle7d = { rolename: "group-idle-7d+", roleid: 4, createdBy: "1dad23q23j131j" };

test/integration/discordactions.test.js

@@ -210,7 +210,11 @@ describe("Discord actions", function () {
   describe("POST /discord-actions/roles", function () {
     let roleid;
     beforeEach(async function () {
-      const discordRoleModelPromise = [discordRoleModel.add(groupData[0]), discordRoleModel.add(groupData[1])];
+      const discordRoleModelPromise = [
+        discordRoleModel.add(groupData[0]),
+        discordRoleModel.add(groupData[1]),
+        discordRoleModel.add(groupData[3]),
+      ];
       roleid = groupData[0].roleid;
       await Promise.all(discordRoleModelPromise);
     });
@@ -219,7 +223,39 @@ describe("Discord actions", function () {
       sinon.restore();
       await cleanDb();
     });
+    it("should not be able to add role if it is not a group type role", async function () {
+      const fetchStub = sinon.stub(discordRolesModel, "isGroupRoleExists");
+
+      fetchStub.returns(
+        {
+          roleExists: true,
+          existingRoles: {
+            docs: [
+              {
+                data: () => ({
+                  date: new Date().toISOString(),
+                  createdBy: "CzI06Da1zPwciLcyIwU4",
+                  roleid: "1214641424516124823",
+                  rolename: "admin",
+                }),
+              },
+            ],
+          },
+        },
+        { user: userData[0] }
+      );
 
+      const res = await chai
+        .request(app)
+        .post("/discord-actions/roles")
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ roleid, userid: userData[0].discordId });
+      expect(res).to.have.status(403);
+      expect(res.body).to.be.an("object");
+      expect(res.body.message).to.equal("Cannot use rolename that is not a group role");
+
+      fetchStub.restore();
+    });
     it("should allow role to be added", async function () {
       fetchStub.returns(
         Promise.resolve({