2024-10-23 - feedback - external reviewer - server-side

Author: Luch76

server/src/main/java/com/objectcomputing/checkins/services/feedback_external_recipient/FeedbackExternalRecipientController.java

@@ -67,6 +67,23 @@ public HttpResponse<FeedbackRequestResponseDTO> update(@Body @Valid @NotNull Fee
                 .headers(headers -> headers.location(URI.create("/feedback_request/" + savedFeedback.getId())));
     }
 
+    /**
+     * Get feedback request by ID
+     *
+     * @param id {@link UUID} ID of the request
+     * @return {@link FeedbackRequestResponseDTO}
+     */
+    //@Secured(SecurityRule.IS_ANONYMOUS)
+    @Get("/{id}")
+    public HttpResponse<FeedbackRequestResponseDTO> getById(UUID id) {
+        FeedbackRequest feedbackRequest = feedbackReqServices.getById(id);
+        if (feedbackRequest.getExternalRecipientId() == null) {
+            throw new BadArgException("Missing required parameter: externalRecipientId");
+        }
+        return feedbackRequest == null ? HttpResponse.notFound() : HttpResponse.ok(fromEntity(feedbackRequest))
+                .headers(headers -> headers.location(URI.create("/feedback_request" + feedbackRequest.getId())));
+    }
+
     private FeedbackRequestResponseDTO fromEntity(FeedbackRequest feedbackRequest) {
         FeedbackRequestResponseDTO dto = new FeedbackRequestResponseDTO();
         dto.setId(feedbackRequest.getId());

server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java

@@ -351,9 +351,12 @@ public FeedbackRequest getById(UUID id) {
         } else {
             if (externalRecipientId == null) {
                 throw new PermissionException(NOT_AUTHORIZED_MSG);
+            } else {
+                if (!getIsPermittedForExternalRecipient(requesteeId, sendDate)) {
+                    throw new PermissionException(NOT_AUTHORIZED_MSG);
+                }
             }
         }
-
         return feedbackReq.get();
     }
 
@@ -427,6 +430,17 @@ private boolean getIsPermitted(UUID requesteeId, UUID recipientOrExternalRecipie
         return createIsPermitted(requesteeId) || currentUserId.equals(recipientOrExternalRecipientId);
     }
 
+    private boolean getIsPermittedForExternalRecipient(UUID requesteeId, LocalDate sendDate) {
+        LocalDate today = LocalDate.now();
+
+        // The recipient can only access the feedback request after it has been sent
+        if (sendDate.isAfter(today)) {
+            throw new PermissionException("You are not permitted to access this request before the send date.");
+        }
+
+        return true;
+    }
+
     private boolean updateDueDateIsPermitted(FeedbackRequest feedbackRequest) {
         return isCurrentUserAdminOrOwner(feedbackRequest);
     }