Merge pull request #2519 from Real-Dev-Squad/develop

Dev to Main Sync

Author: iamitprakash

controllers/progresses.js

@@ -46,7 +46,7 @@ const { PROGRESS_DOCUMENT_RETRIEVAL_SUCCEEDED, PROGRESS_DOCUMENT_CREATED_SUCCEED
  */
 
 const createProgress = async (req, res) => {
-  if (req.userData.roles.archived) {
+  if (req.userData.roles?.archived || req.userData.roles?.in_discord !== true) {
     return res.boom.forbidden(UNAUTHORIZED_WRITE);
   }
 

routes/progresses.ts

@@ -12,10 +12,8 @@ import {
   getProgressRangeData,
   getProgressBydDateController,
 } from "../controllers/progresses";
-import { disableRoute } from "../middlewares/shortCircuit";
 const router = express.Router();
-// DISABLE ROUTE FOR NOW as there is a security issue to be resolved
-router.post("/", authenticate, disableRoute, validateCreateProgressRecords, createProgress);
+router.post("/", authenticate, validateCreateProgressRecords, createProgress);
 router.get("/", validateGetProgressRecordsQuery, getProgress);
 router.get("/:type/:typeId/date/:date", validateGetDayProgressParams, getProgressBydDateController);
 router.get("/range", validateGetRangeProgressRecordsParams, getProgressRangeData);

test/integration/progressesTasks.test.js

@@ -15,6 +15,7 @@ const {
 } = require("../fixtures/progress/progresses");
 
 const userData = require("../fixtures/user/user")();
+const withDiscordMembership = require("../utils/withDiscordMembership");
 const taskData = require("../fixtures/tasks/tasks")();
 const { INTERNAL_SERVER_ERROR_MESSAGE, UNAUTHORIZED_WRITE } = require("../../constants/progresses");
 const cookieName = config.get("userToken.cookieName");
@@ -25,8 +26,7 @@ describe("Test Progress Updates API for Tasks", function () {
     await cleanDb();
   });
 
-  // eslint-disable-next-line mocha/no-skipped-tests
-  describe.skip("Verify POST Request Functionality", function () {
+  describe("Verify POST Request Functionality", function () {
     let clock;
     let userId;
     let userToken;
@@ -42,7 +42,7 @@ describe("Test Progress Updates API for Tasks", function () {
         now: new Date(Date.UTC(2023, 4, 2, 0, 25)).getTime(), // UTC time equivalent to 5:55 AM IST
         toFake: ["Date"],
       });
-      userId = await addUser(userData[1]);
+      userId = await addUser(withDiscordMembership(userData[1]));
       archivedUserId = await addUser(userData[5]);
       archivedUserToken = authService.generateAuthToken({ userId: archivedUserId });
       userToken = authService.generateAuthToken({ userId: userId });
@@ -197,8 +197,8 @@ describe("Test Progress Updates API for Tasks", function () {
     let taskId3;
 
     beforeEach(async function () {
-      userId1 = await addUser(userData[1]);
-      userId2 = await addUser(userData[2]);
+      userId1 = await addUser(withDiscordMembership(userData[1]));
+      userId2 = await addUser(withDiscordMembership(userData[2]));
       const taskObject1 = await tasks.updateTask(taskData[0]);
       taskId1 = taskObject1.taskId;
       const taskObject2 = await tasks.updateTask(taskData[1]);
@@ -394,7 +394,7 @@ describe("Test Progress Updates API for Tasks", function () {
     let taskId2;
 
     beforeEach(async function () {
-      userId = await addUser(userData[1]);
+      userId = await addUser(withDiscordMembership(userData[1]));
       taskObject1 = await tasks.updateTask(taskData[0]);
       taskId1 = taskObject1.taskId;
       taskObject2 = await tasks.updateTask(taskData[1]);
@@ -470,7 +470,7 @@ describe("Test Progress Updates API for Tasks", function () {
     let anotherTaskId;
 
     beforeEach(async function () {
-      userId = await addUser(userData[0]);
+      userId = await addUser(withDiscordMembership(userData[0]));
       const taskObject = await tasks.updateTask(taskData[0]);
       taskId = taskObject.taskId;
       const anotherTaskObject = await tasks.updateTask(taskData[0]);
@@ -557,7 +557,7 @@ describe("Test Progress Updates API for Tasks", function () {
 
   describe("GET /progresses (getPaginatedProgressDocument)", function () {
     beforeEach(async function () {
-      const userId = await addUser(userData[1]);
+      const userId = await addUser(withDiscordMembership(userData[1]));
       const taskObject1 = await tasks.updateTask(taskData[0]);
       const taskId1 = taskObject1.taskId;
       const progressData1 = stubbedModelTaskProgressData(userId, taskId1, 1683626400000, 1683590400000); // 2023-05-09

test/integration/progressesUsers.test.js

@@ -14,18 +14,17 @@ const {
 } = require("../fixtures/progress/progresses");
 
 const userData = require("../fixtures/user/user")();
-const { INTERNAL_SERVER_ERROR_MESSAGE } = require("../../constants/progresses");
+const withDiscordMembership = require("../utils/withDiscordMembership");
+const { INTERNAL_SERVER_ERROR_MESSAGE, UNAUTHORIZED_WRITE } = require("../../constants/progresses");
 const cookieName = config.get("userToken.cookieName");
 const { expect } = chai;
 
-// eslint-disable-next-line mocha/no-skipped-tests
-describe.skip("Test Progress Updates API for Users", function () {
+describe("Test Progress Updates API for Users", function () {
   afterEach(async function () {
     await cleanDb();
   });
 
-  // eslint-disable-next-line mocha/no-skipped-tests
-  describe.skip("Verify the POST progress records", function () {
+  describe("Verify the POST progress records", function () {
     let clock;
     let userId;
     let userToken;
@@ -39,9 +38,9 @@ describe.skip("Test Progress Updates API for Users", function () {
         now: new Date(Date.UTC(2023, 4, 2, 0, 25)).getTime(), // UTC time equivalent to 5:55 AM IST
         toFake: ["Date"],
       });
-      userId = await addUser(userData[1]);
+      userId = await addUser(withDiscordMembership(userData[1]));
       userToken = authService.generateAuthToken({ userId: userId });
-      anotherUserId = await addUser(userData[8]);
+      anotherUserId = await addUser(withDiscordMembership(userData[8]));
       anotherUserToken = authService.generateAuthToken({ userId: anotherUserId });
       const progressData = stubbedModelProgressData(anotherUserId, 1682935200000, 1682899200000);
       await firestore.collection("progresses").doc("anotherUserProgressDocument").set(progressData);
@@ -159,6 +158,26 @@ describe.skip("Test Progress Updates API for Users", function () {
           return done();
         });
     });
+
+    it("Returns forbidden error when user is not in discord", async function () {
+      const nonDiscordFixture = {
+        ...userData[1],
+        username: `${(userData[1].username || "user").split("-")[0]}-non-discord`,
+        github_id: `${userData[1].github_id || "github"}-non-discord-${Date.now()}`,
+        roles: { ...(userData[1].roles || {}), archived: false, in_discord: false },
+      };
+      const nonDiscordUserId = await addUser(nonDiscordFixture);
+      const nonDiscordToken = authService.generateAuthToken({ userId: nonDiscordUserId });
+
+      const res = await chai
+        .request(app)
+        .post("/progresses")
+        .set("Cookie", `${cookieName}=${nonDiscordToken}`)
+        .send(standupProgressDay1);
+
+      expect(res).to.have.status(403);
+      expect(res.body.message).to.equal(UNAUTHORIZED_WRITE);
+    });
   });
 
   describe("Verify the GET progress records", function () {
@@ -167,9 +186,9 @@ describe.skip("Test Progress Updates API for Users", function () {
     let userId3;
 
     beforeEach(async function () {
-      userId1 = await addUser(userData[0]);
-      userId2 = await addUser(userData[1]);
-      userId3 = await addUser(userData[2]);
+      userId1 = await addUser(withDiscordMembership(userData[0]));
+      userId2 = await addUser(withDiscordMembership(userData[1]));
+      userId3 = await addUser(withDiscordMembership(userData[2]));
       const progressData1 = stubbedModelProgressData(userId1, 1683957764140, 1683936000000);
       const progressData2 = stubbedModelProgressData(userId2, 1683957764140, 1683936000000);
       await firestore.collection("progresses").doc("progressDoc1").set(progressData1);
@@ -272,8 +291,8 @@ describe.skip("Test Progress Updates API for Users", function () {
     let userId2;
 
     beforeEach(async function () {
-      userId = await addUser(userData[1]);
-      userId2 = await addUser(userData[2]);
+      userId = await addUser(withDiscordMembership(userData[1]));
+      userId2 = await addUser(withDiscordMembership(userData[2]));
       const progressData1 = stubbedModelProgressData(userId, 1683626400000, 1683590400000); // 2023-05-09
       const progressData2 = stubbedModelProgressData(userId, 1683885600000, 1683849600000); // 2023-05-12
       await firestore.collection("progresses").doc("progressDoc1").set(progressData1);
@@ -344,8 +363,8 @@ describe.skip("Test Progress Updates API for Users", function () {
     let anotherUserId;
 
     beforeEach(async function () {
-      userId = await addUser(userData[0]);
-      anotherUserId = await addUser(userData[1]);
+      userId = await addUser(withDiscordMembership(userData[0]));
+      anotherUserId = await addUser(withDiscordMembership(userData[1]));
       const progressData = stubbedModelProgressData(userId, 1683072000000, 1682985600000);
       await firestore.collection("progresses").doc("progressDoc").set(progressData);
     });
@@ -427,8 +446,8 @@ describe.skip("Test Progress Updates API for Users", function () {
 
   describe("GET /progresses (getPaginatedProgressDocument)", function () {
     beforeEach(async function () {
-      const userId1 = await addUser(userData[0]);
-      const userId2 = await addUser(userData[1]);
+      const userId1 = await addUser(withDiscordMembership(userData[0]));
+      const userId2 = await addUser(withDiscordMembership(userData[1]));
       const progressData1 = stubbedModelProgressData(userId1, 1683957764140, 1683936000000);
       const progressData2 = stubbedModelProgressData(userId2, 1683957764140, 1683936000000);
       await firestore.collection("progresses").doc("progressDoc1").set(progressData1);

test/utils/withDiscordMembership.js

@@ -0,0 +1,12 @@
+/**
+ * Ensures the provided user fixture represents an active Discord member.
+ *
+ * @param {object} user - Original user fixture.
+ * @returns {object} Updated fixture with archived: false and in_discord: true.
+ */
+const withDiscordMembership = (user = {}) => ({
+  ...user,
+  roles: { ...(user.roles || {}), archived: false, in_discord: true },
+});
+
+module.exports = withDiscordMembership;