2024-10-23 - feedback - external reviewer - server-side

Author: Luch76

server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestController.java

@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.feedback_request;
 
+import com.nimbusds.jose.proc.SecurityContext;
 import com.objectcomputing.checkins.services.feedback_external_recipient.FeedbackExternalRecipient;
 import com.objectcomputing.checkins.services.feedback_external_recipient.FeedbackExternalRecipientServices;
 import com.objectcomputing.checkins.services.permissions.Permission;
@@ -15,12 +16,16 @@
 import io.micronaut.http.annotation.Post;
 import io.micronaut.http.annotation.Put;
 import io.micronaut.http.annotation.Status;
+import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.scheduling.TaskExecutors;
 import io.micronaut.scheduling.annotation.ExecuteOn;
 import io.micronaut.security.annotation.Secured;
+import io.micronaut.security.authentication.Authentication;
 import io.micronaut.security.rules.SecurityRule;
+import io.micronaut.security.utils.SecurityService;
 import io.micronaut.validation.Validated;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.inject.Inject;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotNull;
 
@@ -38,6 +43,8 @@ public class FeedbackRequestController {
 
     private final FeedbackRequestServices feedbackReqServices;
     private final FeedbackExternalRecipientServices feedbackExternalRecipientServices;
+    @Inject
+    SecurityService securityService;
 
     public FeedbackRequestController(FeedbackRequestServices feedbackReqServices, FeedbackExternalRecipientServices feedbackExternalRecipientServices) {
         this.feedbackReqServices = feedbackReqServices;
@@ -116,9 +123,9 @@ public HttpResponse<FeedbackRequestResponseDTO> getById(UUID id) {
      * @return list of {@link FeedbackRequestResponseDTO}
      */
     @RequiredPermission(Permission.CAN_VIEW_FEEDBACK_REQUEST)
-    @Get("/{?creatorId,requesteeId,recipientId,oldestDate,reviewPeriodId,templateId,requesteeIds}")
-    public List<FeedbackRequestResponseDTO> findByValues(@Nullable UUID creatorId, @Nullable UUID requesteeId, @Nullable UUID recipientId, @Nullable @Format("yyyy-MM-dd") LocalDate oldestDate, @Nullable UUID reviewPeriodId, @Nullable UUID templateId, @Nullable List<UUID> requesteeIds, @Nullable UUID externalRecipientId) {
-        return feedbackReqServices.findByValues(creatorId, requesteeId, recipientId, oldestDate, reviewPeriodId, templateId, requesteeIds, externalRecipientId)
+    @Get("/{?creatorId,requesteeId,recipientId,oldestDate,reviewPeriodId,templateId,externalRecipientId,requesteeIds}")
+    public List<FeedbackRequestResponseDTO> findByValues(@Nullable UUID creatorId, @Nullable UUID requesteeId, @Nullable UUID recipientId, @Nullable @Format("yyyy-MM-dd") LocalDate oldestDate, @Nullable UUID reviewPeriodId, @Nullable UUID templateId, @Nullable UUID externalRecipientId, @Nullable List<UUID> requesteeIds) {
+        return feedbackReqServices.findByValues(creatorId, requesteeId, recipientId, oldestDate, reviewPeriodId, templateId, externalRecipientId, requesteeIds)
                 .stream()
                 .map(this::fromEntity)
                 .toList();

server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServices.java

@@ -13,5 +13,5 @@ public interface FeedbackRequestServices {
 
     FeedbackRequest getById(UUID id);
 
-    List<FeedbackRequest> findByValues(UUID creatorId, UUID requesteeId, UUID recipientId, LocalDate oldestDate, UUID reviewPeriodId, UUID templateId, List<UUID> requesteeIds, UUID externalRecipientId);
+    List<FeedbackRequest> findByValues(UUID creatorId, UUID requesteeId, UUID recipientId, LocalDate oldestDate, UUID reviewPeriodId, UUID templateId, UUID externalRecipientId, List<UUID> requesteeIds);
 }

server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java

@@ -346,7 +346,7 @@ public FeedbackRequest getById(UUID id) {
     }
 
     @Override
-    public List<FeedbackRequest> findByValues(UUID creatorId, UUID requesteeId, UUID recipientId, LocalDate oldestDate, UUID reviewPeriodId, UUID templateId, List<UUID> requesteeIds, UUID externalRecipientId) {
+    public List<FeedbackRequest> findByValues(UUID creatorId, UUID requesteeId, UUID recipientId, LocalDate oldestDate, UUID reviewPeriodId, UUID templateId, UUID externalRecipientId, List<UUID> requesteeIds) {
         final UUID currentUserId = currentUserServices.getCurrentUser().getId();
         if (currentUserId == null) {
             throw new PermissionException(NOT_AUTHORIZED_MSG);
@@ -369,8 +369,9 @@ public List<FeedbackRequest> findByValues(UUID creatorId, UUID requesteeId, UUID
             } else if (request != null) {
                 if (currentUserId.equals(request.getCreatorId())) visible = true;
                 if (isSupervisor(request.getRequesteeId(), currentUserId)) visible = true;
-                recipientIdLocal = request.getRecipientId() != null ? request.getRecipientId() : request.getExternalRecipientId();
+                recipientIdLocal = request.getRecipientId();
                 if (currentUserId.equals(recipientIdLocal)) visible = true;
+                if (request.getExternalRecipientId() != null) visible = true;
             }
             return visible;
         }).toList();

server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java

@@ -1085,7 +1085,7 @@ void testGetByCreatorIdPermittedMultipleReqsToExternalRecipients() {
     }
 
     @Test
-    void testGetByCreatorRequesteeIdPermitted() {
+    void testGetByCreatorRequesteeIdPermittedToRecipients() {
         //create two employee-PDL relationships
         MemberProfile pdlMemberProfile = createADefaultMemberProfile();
         assignPdlRole(pdlMemberProfile);
@@ -1113,7 +1113,35 @@ void testGetByCreatorRequesteeIdPermitted() {
     }
 
     @Test
-    void testGetByCreatorRequesteeIdNotPermitted() {
+    void testGetByCreatorRequesteeIdPermittedToExternalRecipients() {
+        //create two employee-PDL relationships
+        MemberProfile pdlMemberProfile = createADefaultMemberProfile();
+        assignPdlRole(pdlMemberProfile);
+        MemberProfile memberOne = createADefaultMemberProfileForPdl(pdlMemberProfile);
+        MemberProfile pdlMemberProfileTwo = createASecondDefaultMemberProfile();
+        assignPdlRole(pdlMemberProfileTwo);
+        MemberProfile memberTwo = createASecondDefaultMemberProfileForPdl(pdlMemberProfileTwo);
+        final FeedbackExternalRecipient externalRecipient01 = createADefaultFeedbackExternalRecipient();
+        final FeedbackExternalRecipient externalRecipient02 = createASecondDefaultFeedbackExternalRecipient();
+
+        //create two sample feedback requests by the same PDL
+        final FeedbackRequest feedbackReq = saveFeedbackRequest(pdlMemberProfile, memberOne, externalRecipient01);
+        saveFeedbackRequest(pdlMemberProfileTwo, memberTwo, externalRecipient02);
+
+        //search for feedback requests by a specific creator, requestee, and template
+        final HttpRequest<?> request = HttpRequest.GET(String.format("/?creatorId=%s&requesteeId=%s", feedbackReq.getCreatorId(), feedbackReq.getRequesteeId()))
+                .basicAuth(pdlMemberProfile.getWorkEmail(), RoleType.Constants.PDL_ROLE);
+        final HttpResponse<List<FeedbackRequestResponseDTO>> response = client.toBlocking()
+                .exchange(request, Argument.listOf(FeedbackRequestResponseDTO.class));
+
+        assertTrue(response.getBody().isPresent());
+        assertEquals(1, response.getBody().get().size());
+        assertResponseEqualsEntity(feedbackReq, response.getBody().get().get(0));
+        assertEquals(HttpStatus.OK, response.getStatus());
+    }
+
+    @Test
+    void testGetByCreatorRequesteeIdNotPermittedToRecipients() {
         //create two employee-PDL relationships
         MemberProfile pdlMemberProfile = createADefaultMemberProfile();
         assignPdlRole(pdlMemberProfile);
@@ -1142,7 +1170,36 @@ void testGetByCreatorRequesteeIdNotPermitted() {
     }
 
     @Test
-    void testGetByCreatorRecipientIdPermitted() {
+    void testGetByCreatorRequesteeIdNotPermittedToExternalRecipients() {
+        //create two employee-PDL relationships
+        MemberProfile pdlMemberProfile = createADefaultMemberProfile();
+        assignPdlRole(pdlMemberProfile);
+        MemberProfile memberOne = createADefaultMemberProfileForPdl(pdlMemberProfile);
+        MemberProfile pdlMemberProfileTwo = createASecondDefaultMemberProfile();
+        assignPdlRole(pdlMemberProfileTwo);
+        MemberProfile memberTwo = createASecondDefaultMemberProfileForPdl(pdlMemberProfileTwo);
+        final FeedbackExternalRecipient externalRecipient01 = createADefaultFeedbackExternalRecipient();
+        final FeedbackExternalRecipient externalRecipient02 = createASecondDefaultFeedbackExternalRecipient();
+
+        //create two sample feedback requests by the same PDL
+        final FeedbackRequest feedbackReq = saveFeedbackRequest(pdlMemberProfile, memberOne, externalRecipient01);
+        saveFeedbackRequest(pdlMemberProfileTwo, memberTwo, externalRecipient02);
+
+        //search for feedback requests by a specific creator, requestee, and template
+        final HttpRequest<?> request = HttpRequest.GET(String.format("/?creatorId=%s&requesteeId=%s", feedbackReq.getCreatorId(), feedbackReq.getRequesteeId()))
+                .basicAuth(externalRecipient02.getEmail(), RoleType.Constants.MEMBER_ROLE);
+        ;
+
+        final HttpResponse<List<FeedbackRequestResponseDTO>> response = client.toBlocking()
+                .exchange(request, Argument.listOf(FeedbackRequestResponseDTO.class));
+
+        assertTrue(response.getBody().isPresent());
+        assertEquals(0, response.getBody().get().size());
+        assertEquals(HttpStatus.OK, response.getStatus());
+    }
+
+    @Test
+    void testGetByCreatorRecipientIdPermittedToRecipients() {
         MemberProfile pdlMemberProfile = createADefaultMemberProfile();
         assignPdlRole(pdlMemberProfile);
         MemberProfile requestee = createADefaultMemberProfileForPdl(pdlMemberProfile);
@@ -1160,6 +1217,26 @@ void testGetByCreatorRecipientIdPermitted() {
         assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
     }
 
+    @Test
+    void testGetByCreatorRecipientIdPermittedToExternalRecipients() {
+        MemberProfile pdlMemberProfile = createADefaultMemberProfile();
+        assignPdlRole(pdlMemberProfile);
+        MemberProfile requestee = createADefaultMemberProfileForPdl(pdlMemberProfile);
+        MemberProfile recipient = createADefaultRecipient();
+        final FeedbackExternalRecipient externalRecipient = createADefaultFeedbackExternalRecipient();
+        FeedbackRequest feedbackRequest = saveFeedbackRequest(pdlMemberProfile, requestee, externalRecipient);
+
+        //get feedback request
+        final HttpRequest<?> request = HttpRequest.GET(String.format("/?externalRecipientId=%s", feedbackRequest.getExternalRecipientId()))
+                .basicAuth(recipient.getWorkEmail(), RoleType.Constants.MEMBER_ROLE);
+        final HttpResponse<FeedbackRequestResponseDTO> response = client.toBlocking().exchange(request, FeedbackRequestResponseDTO.class);
+
+        // recipient must be able to get the feedback request
+        assertEquals(HttpStatus.OK, response.getStatus());
+        assertTrue(response.getBody().isPresent());
+        assertResponseEqualsEntity(feedbackRequest, response.getBody().get());
+    }
+
     @Test
     void testGetByCreatorRequesteeIdMultiplePermitted() {
         //create two employee-PDL relationships