Merge pull request #2394 from Real-Dev-Squad/fix/progresses-post-route

Restrict archived users to write progress of a task

Author: pankajjs

constants/progresses.ts

@@ -22,6 +22,8 @@ const PROGRESSES_SIZE = 20;
 const PROGRESSES_PAGE_SIZE = 0;
 const VALID_PROGRESS_TYPES = ["task", "user"];
 
+const UNAUTHORIZED_WRITE = "Unauthorized to write progress of task";
+
 module.exports = {
   PROGRESSES_RESPONSE_MESSAGES,
   MILLISECONDS_IN_DAY,
@@ -31,4 +33,5 @@ module.exports = {
   PROGRESS_VALID_SORT_FIELDS,
   PROGRESSES_SIZE,
   PROGRESSES_PAGE_SIZE,
+  UNAUTHORIZED_WRITE,
 };

controllers/progresses.js

@@ -5,6 +5,7 @@ const {
   INTERNAL_SERVER_ERROR_MESSAGE,
   PROGRESSES_SIZE,
   PROGRESSES_PAGE_SIZE,
+  UNAUTHORIZED_WRITE,
 } = require("../constants/progresses");
 const { sendTaskUpdate } = require("../utils/sendTaskUpdate");
 const { PROGRESS_DOCUMENT_RETRIEVAL_SUCCEEDED, PROGRESS_DOCUMENT_CREATED_SUCCEEDED } = PROGRESSES_RESPONSE_MESSAGES;
@@ -45,6 +46,10 @@ const { PROGRESS_DOCUMENT_RETRIEVAL_SUCCEEDED, PROGRESS_DOCUMENT_CREATED_SUCCEED
  */
 
 const createProgress = async (req, res) => {
+  if (req.userData.roles.archived) {
+    return res.boom.forbidden(UNAUTHORIZED_WRITE);
+  }
+
   const {
     body: { type, completed, planned, blockers, taskId },
   } = req;

test/integration/progressesTasks.test.js

@@ -16,7 +16,7 @@ const {
 
 const userData = require("../fixtures/user/user")();
 const taskData = require("../fixtures/tasks/tasks")();
-const { INTERNAL_SERVER_ERROR_MESSAGE } = require("../../constants/progresses");
+const { INTERNAL_SERVER_ERROR_MESSAGE, UNAUTHORIZED_WRITE } = require("../../constants/progresses");
 const cookieName = config.get("userToken.cookieName");
 const { expect } = chai;
 
@@ -32,6 +32,8 @@ describe("Test Progress Updates API for Tasks", function () {
     let taskId1;
     let taskId2;
     let fetchMock;
+    let archivedUserId;
+    let archivedUserToken;
 
     beforeEach(async function () {
       fetchMock = sinon.stub(global, "fetch");
@@ -40,6 +42,8 @@ describe("Test Progress Updates API for Tasks", function () {
         toFake: ["Date"],
       });
       userId = await addUser(userData[1]);
+      archivedUserId = await addUser(userData[5]);
+      archivedUserToken = authService.generateAuthToken({ userId: archivedUserId });
       userToken = authService.generateAuthToken({ userId: userId });
       const taskObject1 = await tasks.updateTask(taskData[0]);
       taskId1 = taskObject1.taskId;
@@ -165,6 +169,22 @@ describe("Test Progress Updates API for Tasks", function () {
           return done();
         });
     });
+
+    it("should return forbidden response when user is not in discord", function (done) {
+      chai
+        .request(app)
+        .post("/progresses")
+        .set("Cookie", `${cookieName}=${archivedUserToken}`)
+        .send(taskProgressDay1("1111"))
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+          expect(res.statusCode).to.equal(403);
+          expect(res.body.message).to.equal(UNAUTHORIZED_WRITE);
+          return done();
+        });
+    });
   });
 
   describe("Verify the GET progress records", function () {