2024-10-23 - feedback - external reviewer - server-side

Luch76 · Luch76 · commit 2429ca3a85e7 · 2024-10-24T09:18:17.000-04:00
diff --git a/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java b/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java
@@ -336,6 +336,14 @@ public void delete(UUID id) {
 
     @Override
     public FeedbackRequest getById(UUID id) {
+        MemberProfile currentUser;
+
+        try {
+            currentUser = currentUserServices.getCurrentUser();
+        } catch (NotFoundException notFoundException) {
+            currentUser = null;
+        }
+
         final Optional<FeedbackRequest> feedbackReq = feedbackReqRepository.findById(id);
         if (feedbackReq.isEmpty()) {
             throw new NotFoundException("No feedback req with id " + id);
@@ -344,8 +352,9 @@ public FeedbackRequest getById(UUID id) {
         final UUID requesteeId = feedbackReq.get().getRequesteeId();
         final UUID recipientId = feedbackReq.get().getRecipientId();
         final UUID externalRecipientId = feedbackReq.get().getExternalRecipientId();
-        if (recipientId != null) {
-            if (!getIsPermitted(requesteeId, recipientId, sendDate)) {
+        final UUID recipientOrExternalRecipientId = (recipientId != null) ? recipientId : externalRecipientId;
+        if (currentUser != null) {
+            if (!getIsPermitted(requesteeId, recipientOrExternalRecipientId, sendDate)) {
                 throw new PermissionException(NOT_AUTHORIZED_MSG);
             }
         } else {
@@ -420,14 +429,16 @@ private boolean createIsPermitted(UUID requesteeId) {
 
     private boolean getIsPermitted(UUID requesteeId, UUID recipientOrExternalRecipientId, LocalDate sendDate) {
         LocalDate today = LocalDate.now();
+        boolean getIsPermittedReturn;
         final UUID currentUserId = currentUserServices.getCurrentUser().getId();
 
         // The recipient can only access the feedback request after it has been sent
         if (sendDate.isAfter(today) && currentUserId.equals(recipientOrExternalRecipientId)) {
             throw new PermissionException("You are not permitted to access this request before the send date.");
         }
 
-        return createIsPermitted(requesteeId) || currentUserId.equals(recipientOrExternalRecipientId);
+        getIsPermittedReturn = createIsPermitted(requesteeId) || currentUserId.equals(recipientOrExternalRecipientId);
+        return getIsPermittedReturn;
     }
 
     private boolean getIsPermittedForExternalRecipient(UUID requesteeId, LocalDate sendDate) {
diff --git a/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java b/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java
@@ -805,11 +805,10 @@ void testGetFeedbackRequestByUnassignedPdlToExternalRecipient() {
         //get feedback request
         final HttpRequest<?> request = HttpRequest.GET(String.format("%s", feedbackRequest.getId()))
                 .basicAuth(unrelatedPdl.getWorkEmail(), RoleType.Constants.PDL_ROLE);
-        final HttpResponse<FeedbackRequestResponseDTO> response = client.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
+        final HttpClientResponseException responseException = assertThrows(HttpClientResponseException.class, () ->
+                client.toBlocking().exchange(request, Map.class));
 
-        assertEquals(HttpStatus.OK, response.getStatus());
-        assertTrue(response.getBody().isPresent());
-        assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
+        assertUnauthorized(responseException);
     }
 
     @Test
@@ -843,11 +842,11 @@ void testGetFeedbackRequestByRequesteeToExternalRecipient() {
         //get feedback request
         final HttpRequest<?> request = HttpRequest.GET(String.format("%s", feedbackRequest.getId()))
                 .basicAuth(memberProfile2.getWorkEmail(), RoleType.Constants.MEMBER_ROLE);
-        final HttpResponse<FeedbackRequestResponseDTO> response = client.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
+        final HttpClientResponseException responseException = assertThrows(HttpClientResponseException.class, () ->
+                client.toBlocking().exchange(request, Map.class));
 
-        assertEquals(HttpStatus.OK, response.getStatus());
-        assertTrue(response.getBody().isPresent());
-        assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
+        // requestee should not be able to get the feedback request about them
+        assertUnauthorized(responseException);
     }
 
     @Test
@@ -878,9 +877,8 @@ void testGetFeedbackRequestByExternalRecipient() {
         FeedbackRequest feedbackRequest = saveFeedbackRequest(pdlMemberProfile, requestee, externalRecipient);
 
         //get feedback request
-        final HttpRequest<?> request = HttpRequest.GET(String.format("%s", feedbackRequest.getId()))
-                .basicAuth(externalRecipient.getEmail(), RoleType.Constants.MEMBER_ROLE);
-        final HttpResponse<FeedbackRequestResponseDTO> response = client.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
+        final HttpRequest<?> request = HttpRequest.GET(String.format("%s", feedbackRequest.getId()));
+        final HttpResponse<FeedbackRequestResponseDTO> response = clientExternalRecipient.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
 
         // recipient must be able to get the feedback request
         assertEquals(HttpStatus.OK, response.getStatus());
@@ -2365,7 +2363,7 @@ void testRecipientGetBeforeSendDateNotAuthorizedToExternalRecipient() {
     }
 
     @Test
-    void testRecipientGetBeforeSendDateAsAdminAuthorized() {
+    void testRecipientGetBeforeSendDateAsAdminAuthorizedToRecipient() {
         MemberProfile pdlMemberProfile = createADefaultMemberProfile();
         MemberProfile requestee = createADefaultMemberProfileForPdl(pdlMemberProfile);
         MemberProfile recipient = createADefaultRecipient();
@@ -2388,6 +2386,30 @@ void testRecipientGetBeforeSendDateAsAdminAuthorized() {
         assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
     }
 
+    @Test
+    void testRecipientGetBeforeSendDateAsAdminAuthorizedToExternalRecipient() {
+        MemberProfile pdlMemberProfile = createADefaultMemberProfile();
+        MemberProfile requestee = createADefaultMemberProfileForPdl(pdlMemberProfile);
+        final FeedbackExternalRecipient externalRecipient01 = createADefaultFeedbackExternalRecipient();
+        MemberProfile adminUser = createAThirdDefaultMemberProfile();
+        assignAdminRole(adminUser);
+
+        // Save feedback request with send date in the future
+        FeedbackRequest feedbackRequest = createFeedbackRequest(pdlMemberProfile, requestee, externalRecipient01);
+        feedbackRequest.setSendDate(LocalDate.now().plusDays(1));
+        getFeedbackRequestRepository().save(feedbackRequest);
+
+        //get feedback request
+        final HttpRequest<?> request = HttpRequest.GET(String.format("%s", feedbackRequest.getId()))
+                .basicAuth(adminUser.getWorkEmail(), RoleType.Constants.ADMIN_ROLE);
+        final HttpResponse<FeedbackRequestResponseDTO> response = client.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
+
+        // the sendDate must be before the sent date unless its an admin
+        assertEquals(HttpStatus.OK, response.getStatus());
+        assertTrue(response.getBody().isPresent());
+        assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
+    }
+
     @Test
     void testRecipientGetBeforeSendDateAsPdlAuthorized() {
         MemberProfile pdlMemberProfile = createADefaultMemberProfile();
