merge branch 'LED4MEMBERS' into Request-Button4LEDSIGN

Embotic-Wayne · Embotic-Wayne · commit 6acd302fe880 · 2026-01-01T22:28:08.000-08:00
th
diff --git a/api/main_endpoints/models/PermissionRequest.js b/api/main_endpoints/models/PermissionRequest.js
@@ -8,11 +8,10 @@ const PermissionRequestSchema = new Schema(
       type: Schema.Types.ObjectId,
       ref: 'User',
       required: true,
-      index: true,
     },
     type: {
       type: String,
-      enum: Object.keys(PermissionRequestTypes),
+      enum: Object.values(PermissionRequestTypes),
       required: true,
     },
     deletedAt: {
@@ -24,7 +23,7 @@ const PermissionRequestSchema = new Schema(
 );
 
 // Compound unique index prevents duplicate active requests per user+type
-PermissionRequestSchema.index({ userId: 1, type: 1 }, { unique: true });
+PermissionRequestSchema.index({ userId: 1, type: 1 }, { unique: true, partialFilterExpression: { deletedAt: null }});
 
 module.exports = mongoose.model('PermissionRequest', PermissionRequestSchema);
 
diff --git a/api/main_endpoints/routes/PermissionRequest.js b/api/main_endpoints/routes/PermissionRequest.js
@@ -1,7 +1,7 @@
 const express = require('express');
 const router = express.Router();
 const PermissionRequest = require('../models/PermissionRequest');
-const { OK, UNAUTHORIZED, SERVER_ERROR, NOT_FOUND, BAD_REQUEST } = require('../../util/constants').STATUS_CODES;
+const { OK, UNAUTHORIZED, FORBIDDEN, SERVER_ERROR, NOT_FOUND, BAD_REQUEST, CONFLICT } = require('../../util/constants').STATUS_CODES;
 const membershipState = require('../../util/constants.js').MEMBERSHIP_STATE;
 const { decodeToken } = require('../util/token-functions.js');
 const logger = require('../../util/logger');
@@ -17,69 +17,84 @@ router.post('/create', async (req, res) => {
   }
 
   try {
-    const permissionRequest = await PermissionRequest.create({
+    await PermissionRequest.create({
       userId: decoded.token._id,
       type,
     });
-    const populated = await PermissionRequest.findById(permissionRequest._id)
-      .populate('userId', 'firstName lastName email');
-    res.status(OK).send(populated);
+    res.sendStatus(OK);
   } catch (error) {
-    if (error.code === 11000) return res.status(BAD_REQUEST).send({ error: 'Request already exists' });
+    if (error.code === 11000) return res.sendStatus(CONFLICT);
     logger.error('Failed to create permission request:', error);
     res.sendStatus(SERVER_ERROR);
   }
 });
 
-router.get('/getAll', async (req, res) => {
-  const decoded = await decodeToken(req, membershipState.OFFICER);
+router.get('/get', async (req, res) => {
+  const decoded = await decodeToken(req, membershipState.MEMBER);
   if (decoded.status !== OK) return res.sendStatus(decoded.status);
 
+  const { userId: queryUserId, type } = req.query;
+  const isOfficer = decoded.token.accessLevel >= membershipState.OFFICER;
+
   try {
-    const requests = await PermissionRequest.find({ deletedAt: null })
+    const query = { deletedAt: null };
+
+    // If theres no userId, return all for officers and admins
+    if (!queryUserId) {
+      if (!isOfficer) {
+        return res.sendStatus(UNAUTHORIZED);
+      }
+    } else {
+      // If there is a userId, check their perms
+      if (!isOfficer && queryUserId !== decoded.token._id.toString()) {
+        return res.sendStatus(FORBIDDEN);
+      }
+      query.userId = queryUserId;
+    }
+
+    // If there is a type, filter by it
+    if (type && Object.keys(PermissionRequestTypes).includes(type)) {
+      query.type = type;
+    }
+
+    const requests = await PermissionRequest.find(query)
       .populate('userId', 'firstName lastName email')
       .sort({ createdAt: -1 });
+
     res.status(OK).send(requests);
   } catch (error) {
     logger.error('Failed to get permission requests:', error);
     res.sendStatus(SERVER_ERROR);
   }
 });
 
-router.get('/get', async (req, res) => {
-  const decoded = await decodeToken(req, membershipState.MEMBER);
-  if (decoded.status !== OK) return res.sendStatus(decoded.status);
-
-  try {
-    const request = await PermissionRequest.findOne({
-      userId: decoded.token._id,
-      type: req.query.type,
-      deletedAt: null,
-    }).populate('userId', 'firstName lastName email');
-
-    if (!request) return res.sendStatus(NOT_FOUND);
-    res.status(OK).send(request);
-  } catch (error) {
-    logger.error('Failed to get permission request:', error);
-    res.sendStatus(SERVER_ERROR);
-  }
-});
-
 router.post('/delete', async (req, res) => {
   const decoded = await decodeToken(req, membershipState.MEMBER);
   if (decoded.status !== OK) return res.sendStatus(decoded.status);
 
-  const { type } = req.body;
+  const { type, _id } = req.body;
   if (!type || !Object.keys(PermissionRequestTypes).includes(type)) {
     return res.status(BAD_REQUEST).send({ error: 'Invalid type' });
   }
 
   try {
-    const request = await PermissionRequest.findOne({
-      userId: decoded.token._id,
-      type,
-      deletedAt: null,
-    });
+    let request;
+    // Officers or admins can delete any request by id
+    if (decoded.token.accessLevel >= membershipState.OFFICER && _id) {
+      request = await PermissionRequest.findOne({
+        _id,
+        type,
+        deletedAt: null,
+      });
+    } else {
+      // Members can delete their own requests and officers can delete their own requests without id
+      request = await PermissionRequest.findOne({
+        userId: decoded.token._id,
+        type,
+        deletedAt: null,
+      });
+    }
+
     if (!request) return res.sendStatus(NOT_FOUND);
     request.deletedAt = new Date();
     await request.save();
diff --git a/test/api/PermissionRequest.js b/test/api/PermissionRequest.js
@@ -63,20 +63,22 @@ describe('PermissionRequest', () => {
   });
 
   describe('/GET get', () => {
-    it('Should return 404 when request does not exist', async () => {
+    it('Should return empty array when request does not exist', async () => {
       const userId = new mongoose.Types.ObjectId();
       setTokenStatus(true, { _id: userId, email: 'test@test.com', accessLevel: 'MEMBER' });
-      const res = await test.sendGetRequest('/api/PermissionRequest/get?type=' + PermissionRequestTypes.LED_SIGN);
-      expect(res).to.have.status(NOT_FOUND);
+      const res = await test.sendGetRequest('/api/PermissionRequest/get?userId=' + userId + '&type=' + PermissionRequestTypes.LED_SIGN);
+      expect(res).to.have.status(OK);
+      expect(res.body).to.be.an('array').that.is.empty;
     });
 
     it('Should return permission request when it exists', async () => {
       const userId = new mongoose.Types.ObjectId();
       setTokenStatus(true, { _id: userId, email: 'test@test.com', accessLevel: 'MEMBER' });
       await new PermissionRequest({ userId, type: PermissionRequestTypes.LED_SIGN }).save();
-      const res = await test.sendGetRequest('/api/PermissionRequest/get?type=' + PermissionRequestTypes.LED_SIGN);
+      const res = await test.sendGetRequest('/api/PermissionRequest/get?userId=' + userId + '&type=' + PermissionRequestTypes.LED_SIGN);
       expect(res).to.have.status(OK);
-      expect(res.body.type).to.equal(PermissionRequestTypes.LED_SIGN);
+      expect(res.body).to.be.an('array').with.length(1);
+      expect(res.body[0].type).to.equal(PermissionRequestTypes.LED_SIGN);
     });
   });
 
