Pull session from SessionHost where needed

Author: CarsonF

src/components/comments/comment.service.ts

@@ -15,6 +15,7 @@ import {
 import { isAdmin } from '~/common/session';
 import { ResourceLoader, ResourcesHost } from '~/core';
 import { type BaseNode, isBaseNode } from '~/core/database/results';
+import { SessionHost } from '../authentication';
 import { Privileges } from '../authorization';
 import { CommentRepository } from './comment.repository';
 import {
@@ -39,6 +40,7 @@ export class CommentService {
     private readonly privileges: Privileges,
     private readonly resources: ResourceLoader,
     private readonly resourcesHost: ResourcesHost,
+    private readonly sessionHost: SessionHost,
     private readonly mentionNotificationService: CommentViaMentionNotificationService,
   ) {}
 
@@ -123,6 +125,7 @@ export class CommentService {
     thread: UnsecuredDto<CommentThread>,
     session: Session,
   ): CommentThread {
+    const session = this.sessionHost.current;
     return {
       ...thread,
       firstComment: this.secureComment(thread.firstComment, session),

src/components/engagement/engagement.rules.ts

@@ -12,6 +12,7 @@ import {
 import { ILogger, Logger } from '~/core';
 import { DatabaseService } from '~/core/database';
 import { ACTIVE, INACTIVE } from '~/core/database/query';
+import { SessionHost } from '../authentication';
 import { withoutScope } from '../authorization/dto';
 import { ProjectStep } from '../project/dto';
 import {
@@ -35,6 +36,7 @@ const rolesThatCanBypassWorkflow: Role[] = [Role.Administrator];
 export class EngagementRules {
   constructor(
     private readonly db: DatabaseService,
+    private readonly sessionHost: SessionHost,
     // eslint-disable-next-line @seedcompany/no-unused-vars
     @Logger('engagement:rules') private readonly logger: ILogger,
   ) {}
@@ -317,6 +319,7 @@ export class EngagementRules {
     currentUserRoles?: Role[],
     changeset?: ID,
   ): Promise<EngagementStatusTransition[]> {
+    const session = this.sessionHost.current;
     if (session.anonymous) {
       return [];
     }
@@ -356,6 +359,7 @@ export class EngagementRules {
   }
 
   async canBypassWorkflow(session: Session) {
+    const session = this.sessionHost.current;
     const roles = session.roles.map(withoutScope);
     return intersection(rolesThatCanBypassWorkflow, roles).length > 0;
   }
@@ -368,6 +372,7 @@ export class EngagementRules {
   ) {
     // If current user's roles include a role that can bypass workflow
     // stop the check here.
+    const session = this.sessionHost.current;
     const currentUserRoles = session.roles.map(withoutScope);
     if (intersection(rolesThatCanBypassWorkflow, currentUserRoles).length > 0) {
       return;

src/components/project/project.service.ts

@@ -26,6 +26,7 @@ import { isAdmin } from '~/common/session';
 import { HandleIdLookup, IEventBus } from '~/core';
 import { Transactional } from '~/core/database';
 import { type AnyChangesOf } from '~/core/database/changes';
+import { SessionHost } from '../authentication';
 import { Privileges } from '../authorization';
 import { withoutScope } from '../authorization/dto';
 import { BudgetService } from '../budget';
@@ -90,6 +91,7 @@ export class ProjectService {
     @Inject(forwardRef(() => EngagementService))
     private readonly engagementService: EngagementService & {},
     private readonly privileges: Privileges,
+    private readonly sessionHost: SessionHost,
     private readonly eventBus: IEventBus,
     private readonly repo: ProjectRepository,
     private readonly projectChangeRequests: ProjectChangeRequestService,
@@ -140,6 +142,7 @@ export class ProjectService {
     );
 
     // Only allow admins to specify department IDs
+    const session = this.sessionHost.current;
     if (input.departmentId && !isAdmin(session.impersonator ?? session)) {
       throw UnauthorizedException.fromPrivileges(
         'edit',
@@ -267,6 +270,7 @@ export class ProjectService {
       );
 
     // Only allow admins to specify department IDs
+    const session = this.sessionHost.current;
     if (
       input.departmentId !== undefined &&
       !isAdmin(session.impersonator ?? session)

src/components/project/workflow/handlers/project-workflow-notification.handler.ts

@@ -13,7 +13,7 @@ import {
   ProjectStepChanged,
   type ProjectStepChangedProps,
 } from '~/core/email/templates/project-step-changed.template';
-import { AuthenticationService } from '../../../authentication';
+import { AuthenticationService, SessionHost } from '../../../authentication';
 import { ProjectService } from '../../../project';
 import { UserService } from '../../../user';
 import { type User } from '../../../user/dto';
@@ -31,6 +31,7 @@ export class ProjectWorkflowNotificationHandler
     private readonly users: UserService,
     private readonly projects: ProjectService,
     private readonly emailService: EmailService,
+    private readonly sessionHost: SessionHost,
     private readonly moduleRef: ModuleRef,
     @Logger('progress-report:status-change-notifier')
     private readonly logger: ILogger,
@@ -40,6 +41,8 @@ export class ProjectWorkflowNotificationHandler
     const { previousStep, next, workflowEvent, session } = event;
     const transition = typeof next !== 'string' ? next : undefined;
 
+    const session = this.sessionHost.current;
+
     // TODO on bypass: keep notifying members? add anyone else?
     const notifiers = transition?.notifiers ?? [];
 

src/components/prompts/prompt-variant-response.service.ts

@@ -18,6 +18,7 @@ import {
 } from '~/common';
 import { ResourceLoader } from '~/core';
 import { mapListResults } from '~/core/database/results';
+import { SessionHost } from '../authentication';
 import {
   Privileges,
   type UserResourcePrivileges,
@@ -53,6 +54,7 @@ export const PromptVariantResponseListService = <
   abstract class PromptVariantResponseListServiceClass {
     @Inject(Privileges)
     protected readonly privileges: Privileges;
+    @Inject() protected readonly sessionHost: SessionHost;
     @Inject(ResourceLoader)
     protected readonly resources: ResourceLoader;
     @Inject(repo)
@@ -236,6 +238,7 @@ export const PromptVariantResponseListService = <
         await this.repo.submitResponse(input, session);
       }
 
+      const session = this.sessionHost.current;
       const responses = mapKeys.fromList(
         response.responses,
         (response) => response.variant,

src/components/user/education/education.service.ts

@@ -6,6 +6,7 @@ import {
   type UnsecuredDto,
 } from '~/common';
 import { HandleIdLookup } from '~/core';
+import { SessionHost } from '../../authentication';
 import { Privileges } from '../../authorization';
 import {
   type CreateEducation,
@@ -20,6 +21,7 @@ import { EducationRepository } from './education.repository';
 export class EducationService {
   constructor(
     private readonly privileges: Privileges,
+    private readonly sessionHost: SessionHost,
     private readonly repo: EducationRepository,
   ) {}
 
@@ -56,6 +58,7 @@ export class EducationService {
     const result = await this.repo.getUserIdByEducation(input.id);
     const changes = this.repo.getActualChanges(ed, input);
     // TODO move this condition into policies
+    const session = this.sessionHost.current;
     if (result.id !== session.userId) {
       this.privileges.for(Education, ed).verifyChanges(changes);
     }

src/components/user/unavailability/unavailability.service.ts

@@ -6,6 +6,7 @@ import {
   type UnsecuredDto,
 } from '~/common';
 import { HandleIdLookup } from '~/core';
+import { SessionHost } from '../../authentication';
 import { Privileges } from '../../authorization';
 import {
   type CreateUnavailability,
@@ -20,6 +21,7 @@ import { UnavailabilityRepository } from './unavailability.repository';
 export class UnavailabilityService {
   constructor(
     private readonly privileges: Privileges,
+    private readonly sessionHost: SessionHost,
     private readonly repo: UnavailabilityRepository,
   ) {}
 
@@ -59,6 +61,7 @@ export class UnavailabilityService {
     const result = await this.repo.getUserIdByUnavailability(input.id);
     const changes = this.repo.getActualChanges(unavailability, input);
     // TODO move this condition into policies
+    const session = this.sessionHost.current;
     if (result.id !== session.userId) {
       this.privileges
         .for(Unavailability, unavailability)

src/components/user/user.service.ts

@@ -13,6 +13,7 @@ import {
 import { HandleIdLookup, ILogger, Logger } from '~/core';
 import { Transactional } from '~/core/database';
 import { property } from '~/core/database/query';
+import { SessionHost } from '../authentication/session.host';
 import { Privileges } from '../authorization';
 import { AssignableRoles } from '../authorization/dto/assignable-roles.dto';
 import { LocationService } from '../location';
@@ -62,6 +63,7 @@ export class UserService {
     private readonly privileges: Privileges,
     private readonly locationService: LocationService,
     private readonly knownLanguages: KnownLanguageRepository,
+    private readonly sessionHost: SessionHost,
     private readonly userRepo: UserRepository,
     @Logger('user:service') private readonly logger: ILogger,
   ) {}
@@ -73,8 +75,12 @@ export class UserService {
   };
 
   async create(input: CreatePerson, session?: Session): Promise<ID> {
-    if (input.roles && input.roles.length > 0 && session) {
+    if (
+      input.roles &&
+      input.roles.length > 0 &&
       // Note: session is only omitted for creating RootUser
+      this.sessionHost.currentIfInCtx
+    ) {
       this.verifyRolesAreAssignable(session, input.roles);
     }