Edit team permission now includes owner of org

Author: kamicut

app/lib/organization.js

@@ -165,6 +165,7 @@ async function createOrgTeam (organizationId, data, osmId) {
   return conn.transaction(async trx => {
     const record = await team.create(data, osmId, trx)
     await trx('organization_team').insert({ team_id: record.id, organization_id: organizationId })
+    return record
   })
 }
 

app/lib/team.js

@@ -332,6 +332,20 @@ async function isPublic (teamId) {
   return (privacy === 'public')
 }
 
+/**
+ * associatedOrg
+ *
+ * If the team is part of an org, return its associated org
+ * @param teamId - team id
+ * @returns {int} organization id or null
+ */
+async function associatedOrg (teamId) {
+  if (!teamId) throw new Error('team id is required as first argument')
+
+  const conn = await db()
+  return unpack(conn('organization_team').where('team_id', teamId).returning('organization_id'))
+}
+
 module.exports = {
   get,
   list,
@@ -349,5 +363,6 @@ module.exports = {
   isModerator,
   isMember,
   isPublic,
-  resolveMemberNames
+  resolveMemberNames,
+  associatedOrg
 }

app/manage/permissions/edit-team.js

@@ -1,17 +1,26 @@
-const { isModerator } = require('../../lib/team')
+const { isModerator, associatedOrg } = require('../../lib/team')
+const { isOwner } = require('../../lib/organization')
 
 /**
  * team:update
  *
  * To update a team, the authenticated user needs to
- * be a moderator of the team
+ * be a moderator of the team or an owner of the organization
+ * that the team is associated to
  *
  * @param {string} uid user id
  * @param {Object} params request parameters
  * @returns {boolean} can the request go through?
  */
 async function updateTeam (uid, { id }) {
-  return isModerator(id, uid)
+  // user has to be authenticated
+  if (!uid) return false
+
+  // check if user is an owner of this team through an organization
+  const org = await associatedOrg(id)
+  const ownerOfTeam = org && (await isOwner(org.organization_id, uid))
+
+  return ownerOfTeam || isModerator(id, uid)
 }
 
 module.exports = updateTeam

app/tests/permissions/update-team.test.js

@@ -17,11 +17,11 @@ test.before(async () => {
 
   // stub hydra introspect
   let introspectStub = sinon.stub(hydra, 'introspect')
-  introspectStub.withArgs('validToken').returns({
+  introspectStub.withArgs('user100').returns({
     active: true,
     sub: '100'
   })
-  introspectStub.withArgs('differentUser').returns({
+  introspectStub.withArgs('user101').returns({
     active: true,
     sub: '101'
   })
@@ -39,11 +39,11 @@ test.after.always(async () => {
 test('a team moderator can update a team', async t => {
   let res = await agent.post('/api/teams')
     .send({ name: 'road team 1' })
-    .set('Authorization', `Bearer validToken`)
+    .set('Authorization', `Bearer user100`)
     .expect(200)
 
   let res2 = await agent.put(`/api/teams/${res.body.id}`)
-    .set('Authorization', `Bearer validToken`)
+    .set('Authorization', `Bearer user100`)
     .send({ name: 'building team 1' })
 
   t.is(res2.status, 200)
@@ -52,12 +52,65 @@ test('a team moderator can update a team', async t => {
 test('a non-team moderator cannot update a team', async t => {
   let res = await agent.post('/api/teams')
     .send({ name: 'road team 2' })
-    .set('Authorization', `Bearer validToken`)
+    .set('Authorization', `Bearer user100`)
     .expect(200)
 
   let res2 = await agent.put(`/api/teams/${res.body.id}`)
-    .set('Authorization', `Bearer differentUser`)
+    .set('Authorization', `Bearer user101`)
     .send({ name: 'building team 2' })
 
   t.is(res2.status, 401)
 })
+
+test('an org team can be updated by the the org manager', async t => {
+  // Let's create an organization, user100 is the owner
+  const res = await agent.post('/api/organizations')
+    .send({ name: 'org manager can update team' })
+    .set('Authorization', `Bearer user100`)
+    .expect(200)
+
+  // Let's set user101 to be a manager of this organization and create a
+  // team in the organization
+  await agent.put(`/api/organizations/${res.body.id}/addManager/101`)
+    .set('Authorization', `Bearer user100`)
+    .expect(200)
+
+  const res2 = await agent.post(`/api/organizations/${res.body.id}/teams`)
+    .send({ name: 'org team can be updated by manager - team' })
+    .set('Authorization', `Bearer user101`)
+    .expect(200)
+
+  // Use the manager to update the team
+  const res3 = await agent.put(`/api/teams/${res2.body.id}`)
+    .send({ name: 'org team can be updated by manager - team2' })
+    .set('Authorization', `Bearer user101`)
+
+  t.is(res3.status, 200)
+})
+
+test('an org team can be updated by the owner of the org', async t => {
+  // Let's create an organization, user100 is the owner
+  const res = await agent.post('/api/organizations')
+    .send({ name: 'org owner can update team' })
+    .set('Authorization', `Bearer user100`)
+    .expect(200)
+
+  // Let's set user101 to be a manager of this organization and create a
+  // team in the organization
+  await agent.put(`/api/organizations/${res.body.id}/addManager/101`)
+    .set('Authorization', `Bearer user100`)
+    .expect(200)
+
+  const res2 = await agent.post(`/api/organizations/${res.body.id}/teams`)
+    .send({ name: 'org team can be updated by owner - team' })
+    .set('Authorization', `Bearer user101`)
+    .expect(200)
+
+  // user101 is the moderator and manager, but user100 should be able
+  // to edit this team
+  const res3 = await agent.put(`/api/teams/${res2.body.id}`)
+    .send({ name: 'org team can be updated by owner - team2' })
+    .set('Authorization', `Bearer user100`)
+
+  t.is(res3.status, 200)
+})