Merge pull request #384 from nrotstan/bug-383-restrict-challenge-admin-visibility

nrotstan · web-flow · commit 78bd32257505 · 2018-06-08T07:31:39.000-07:00
Ensure only managers can view challenge admin.
diff --git a/src/components/AdminPane/HOCs/WithCurrentProject/WithCurrentProject.js b/src/components/AdminPane/HOCs/WithCurrentProject/WithCurrentProject.js
@@ -16,6 +16,8 @@ import { fetchProjectChallenges,
        from '../../../../services/Challenge/Challenge'
 import AppErrors from '../../../../services/Error/AppErrors'
 import { addError } from '../../../../services/Error/Error'
+import WithCurrentUser from '../../../HOCs/WithCurrentUser/WithCurrentUser'
+import AsManager from '../../../../interactions/User/AsManager'
 
 /**
  * WithCurrentProject makes available to the WrappedComponent the current
@@ -42,6 +44,9 @@ const WithCurrentProject = function(WrappedComponent, options={}) {
     routedProjectId = props =>
       parseInt(_get(props, 'match.params.projectId'), 10)
 
+    routedChallengeId = props =>
+      parseInt(_get(props, 'match.params.challengeId'), 10)
+
     currentProjectId = props => {
       let projectId = this.routedProjectId(props)
 
@@ -62,7 +67,7 @@ const WithCurrentProject = function(WrappedComponent, options={}) {
       return projectId
     }
 
-    updateProject = props => {
+    loadProject = props => {
       const projectId = this.currentProjectId(props)
 
       if (_isFinite(this.routedProjectId(props)) && projectId === null) {
@@ -80,6 +85,20 @@ const WithCurrentProject = function(WrappedComponent, options={}) {
         props.fetchProject(projectId).then(normalizedProject => {
           const project = normalizedProject.entities.projects[normalizedProject.result]
 
+          const manager = AsManager(this.props.user)
+          if (!manager.canManage(project)) {
+            // If we have a challenge id too, route to the browse url for the challenge
+            const challengeId = this.routedChallengeId(this.props)
+            if (_isFinite(challengeId)) {
+              props.history.replace(`/browse/challenges/${challengeId}`)
+            }
+            else {
+              this.props.notManagerError()
+              props.history.push('/admin/projects')
+            }
+            return
+          }
+
           if (options.includeActivity) {
             // Used for daily heatmap
             props.fetchProjectActivity(projectId, new Date(project.created)).then(() =>
@@ -114,15 +133,15 @@ const WithCurrentProject = function(WrappedComponent, options={}) {
     }
 
     componentWillMount() {
-      this.updateProject(this.props)
+      this.loadProject(this.props)
     }
 
     componentWillReceiveProps(nextProps) {
       const nextProjectId = this.currentProjectId(nextProps)
 
       if ( _isFinite(nextProjectId) &&
            nextProjectId !== this.currentProjectId(this.props)) {
-        this.updateProject(nextProps)
+        this.loadProject(nextProps)
       }
     }
 
@@ -172,4 +191,4 @@ const mapDispatchToProps = dispatch => ({
 
 export default (WrappedComponent, options) =>
   connect(mapStateToProps,
-          mapDispatchToProps)(WithCurrentProject(WrappedComponent, options))
+          mapDispatchToProps)(WithCurrentUser(WithCurrentProject(WrappedComponent, options)))
