Validate field region/zone director roles (#3445)

Author: CarsonF

src/components/field-region/events/field-region-updated.event.ts

@@ -0,0 +1,10 @@
+import { type UnsecuredDto } from '~/common';
+import { type FieldRegion, type UpdateFieldRegion } from '../dto';
+
+export class FieldRegionUpdatedEvent {
+  constructor(
+    readonly updated: UnsecuredDto<FieldRegion>,
+    readonly previous: UnsecuredDto<FieldRegion>,
+    readonly input: UpdateFieldRegion,
+  ) {}
+}

src/components/field-region/field-region.gel.repository.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common';
-import { type PublicOf } from '~/common';
-import { RepoFor } from '~/core/gel';
+import { type ID, type PublicOf } from '~/common';
+import { e, RepoFor } from '~/core/gel';
 import { FieldRegion } from './dto';
 import { type FieldRegionRepository } from './field-region.repository';
 
@@ -13,4 +13,16 @@ export class FieldRegionGelRepository
       fieldZone: true,
     }),
   })
-  implements PublicOf<FieldRegionRepository> {}
+  implements PublicOf<FieldRegionRepository>
+{
+  async readAllByDirector(id: ID<'User'>) {
+    return await this.db.run(this.readAllByDirectorQuery, { id });
+  }
+  private readonly readAllByDirectorQuery = e.params({ id: e.uuid }, ($) => {
+    const director = e.cast(e.User, $.id);
+    return e.select(e.FieldRegion, (region) => ({
+      filter: e.op(region.director, '=', director),
+      ...this.hydrate(region),
+    }));
+  });
+}

src/components/field-region/field-region.module.ts

@@ -8,6 +8,7 @@ import { FieldRegionLoader } from './field-region.loader';
 import { FieldRegionRepository } from './field-region.repository';
 import { FieldRegionResolver } from './field-region.resolver';
 import { FieldRegionService } from './field-region.service';
+import { RestrictRegionDirectorRemovalHandler } from './handlers/restrict-region-director-removal.handler';
 
 @Module({
   imports: [
@@ -20,6 +21,7 @@ import { FieldRegionService } from './field-region.service';
     FieldRegionService,
     splitDb(FieldRegionRepository, FieldRegionGelRepository),
     FieldRegionLoader,
+    RestrictRegionDirectorRemovalHandler,
   ],
   exports: [FieldRegionService],
 })

src/components/field-region/field-region.repository.ts

@@ -115,4 +115,17 @@ export class FieldRegionRepository extends DtoRepository(FieldRegion) {
       .first();
     return result!; // result from paginate() will always have 1 row.
   }
+
+  async readAllByDirector(id: ID<'User'>) {
+    return await this.db
+      .query()
+      .match([
+        node('node', 'FieldRegion'),
+        relation('out', '', 'director', ACTIVE),
+        node('', 'User', { id }),
+      ])
+      .apply(this.hydrate())
+      .map('dto')
+      .run();
+  }
 }

src/components/field-region/field-region.service.ts

@@ -1,30 +1,38 @@
 import { Injectable } from '@nestjs/common';
 import {
   type ID,
+  InputException,
+  NotFoundException,
   type ObjectView,
   ServerException,
   type UnsecuredDto,
 } from '~/common';
 import { HandleIdLookup } from '~/core';
+import { IEventBus } from '~/core/events';
 import { Privileges } from '../authorization';
+import { UserService } from '../user';
 import {
   type CreateFieldRegion,
   FieldRegion,
   type FieldRegionListInput,
   type FieldRegionListOutput,
   type UpdateFieldRegion,
 } from './dto';
+import { FieldRegionUpdatedEvent } from './events/field-region-updated.event';
 import { FieldRegionRepository } from './field-region.repository';
 
 @Injectable()
 export class FieldRegionService {
   constructor(
     private readonly privileges: Privileges,
+    private readonly events: IEventBus,
+    private readonly users: UserService,
     private readonly repo: FieldRegionRepository,
   ) {}
 
   async create(input: CreateFieldRegion): Promise<FieldRegion> {
     this.privileges.for(FieldRegion).verifyCan('create');
+    await this.validateDirectorRole(input.directorId);
     const dto = await this.repo.create(input);
     return this.secure(dto);
   }
@@ -50,10 +58,44 @@ export class FieldRegionService {
     const changes = this.repo.getActualChanges(fieldRegion, input);
     this.privileges.for(FieldRegion, fieldRegion).verifyChanges(changes);
 
+    if (changes.directorId) {
+      await this.validateDirectorRole(changes.directorId);
+    }
+
+    if (Object.keys(changes).length === 0) {
+      return this.secure(fieldRegion);
+    }
+
     const updated = await this.repo.update({ id: input.id, ...changes });
+
+    const event = new FieldRegionUpdatedEvent(fieldRegion, updated, {
+      id: input.id,
+      ...changes,
+    });
+    await this.events.publish(event);
+
     return this.secure(updated);
   }
 
+  private async validateDirectorRole(directorId: ID<'User'>) {
+    let director;
+    try {
+      director = await this.users.readOneUnsecured(directorId);
+    } catch (e) {
+      if (e instanceof NotFoundException) {
+        throw e.withField('fieldRegion.directorId');
+      }
+      throw e;
+    }
+    if (!director.roles.includes('RegionalDirector')) {
+      throw new InputException(
+        'User does not have the Regional Director role',
+        'fieldRegion.directorId',
+      );
+    }
+    return director;
+  }
+
   async delete(id: ID): Promise<void> {
     const object = await this.readOne(id);
 

src/components/field-region/handlers/restrict-region-director-removal.handler.ts

@@ -0,0 +1,29 @@
+import { InputException } from '~/common';
+import { EventsHandler } from '~/core/events';
+import { UserUpdatedEvent } from '../../user/events/user-updated.event';
+import { FieldRegionRepository } from '../field-region.repository';
+
+@EventsHandler(UserUpdatedEvent)
+export class RestrictRegionDirectorRemovalHandler {
+  constructor(private readonly repo: FieldRegionRepository) {}
+
+  async handle(event: UserUpdatedEvent) {
+    if (!event.updated.roles) {
+      return;
+    }
+    const roleRemoved =
+      event.previous.roles.includes('RegionalDirector') &&
+      !event.updated.roles.includes('RegionalDirector');
+    if (!roleRemoved) {
+      return;
+    }
+
+    const regions = await this.repo.readAllByDirector(event.updated.id);
+    if (regions.length > 0) {
+      throw new InputException(
+        'User is still a director for these field regions:\n' +
+          regions.map((z) => `  - ${z.name}`).join('\n'),
+      );
+    }
+  }
+}

src/components/field-zone/events/field-zone-updated.event.ts

@@ -0,0 +1,10 @@
+import { type UnsecuredDto } from '~/common';
+import { type FieldZone, type UpdateFieldZone } from '../dto';
+
+export class FieldZoneUpdatedEvent {
+  constructor(
+    readonly updated: UnsecuredDto<FieldZone>,
+    readonly previous: UnsecuredDto<FieldZone>,
+    readonly input: UpdateFieldZone,
+  ) {}
+}

src/components/field-zone/field-zone.gel.repository.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common';
-import { type PublicOf } from '~/common';
-import { RepoFor } from '~/core/gel';
+import { type ID, type PublicOf } from '~/common';
+import { e, RepoFor } from '~/core/gel';
 import { FieldZone } from './dto';
 import { type FieldZoneRepository } from './field-zone.repository';
 
@@ -12,4 +12,16 @@ export class FieldZoneGelRepository
       director: true,
     }),
   })
-  implements PublicOf<FieldZoneRepository> {}
+  implements PublicOf<FieldZoneRepository>
+{
+  async readAllByDirector(id: ID<'User'>) {
+    return await this.db.run(this.readAllByDirectorQuery, { id });
+  }
+  private readonly readAllByDirectorQuery = e.params({ id: e.uuid }, ($) => {
+    const director = e.cast(e.User, $.id);
+    return e.select(e.FieldZone, (zone) => ({
+      filter: e.op(zone.director, '=', director),
+      ...this.hydrate(zone),
+    }));
+  });
+}

src/components/field-zone/field-zone.module.ts

@@ -7,6 +7,7 @@ import { FieldZoneLoader } from './field-zone.loader';
 import { FieldZoneRepository } from './field-zone.repository';
 import { FieldZoneResolver } from './field-zone.resolver';
 import { FieldZoneService } from './field-zone.service';
+import { RestrictZoneDirectorRemovalHandler } from './handlers/restrict-zone-director-removal.handler';
 
 @Module({
   imports: [
@@ -18,6 +19,7 @@ import { FieldZoneService } from './field-zone.service';
     FieldZoneService,
     splitDb(FieldZoneRepository, FieldZoneGelRepository),
     FieldZoneLoader,
+    RestrictZoneDirectorRemovalHandler,
   ],
   exports: [FieldZoneService],
 })

src/components/field-zone/field-zone.repository.ts

@@ -133,4 +133,17 @@ export class FieldZoneRepository extends DtoRepository(FieldZone) {
       .first();
     return result!; // result from paginate() will always have 1 row.
   }
+
+  async readAllByDirector(id: ID<'User'>) {
+    return await this.db
+      .query()
+      .match([
+        node('node', 'FieldZone'),
+        relation('out', '', 'director', ACTIVE),
+        node('', 'User', { id }),
+      ])
+      .apply(this.hydrate())
+      .map('dto')
+      .run();
+  }
 }