fix organization restrictions

Author: visualjerk

server/hooks/restrictReviewAndEnableChange.js

@@ -9,15 +9,23 @@ module.exports = function restrictReviewAndEnableChange () { // eslint-disable-l
 
     const role = getByDot(hook, 'params.user.role');
     const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
-    const isReviewed = getByDot(hook, 'params.before.isReviewed');
+    const isReviewed = getByDot(hook, 'params.before.reviewedBy');
     const userId = getByDot(hook, 'params.user._id');
-    const isOwner = userId && getByDot(hook, 'params.before.userId');
+    const ownerId = getByDot(hook, 'params.before.userId');
+    const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
 
     // only allow mods and admins to change the review status
     if (!isModOrAdmin) {
       deleteByDot(hook.data, 'isReviewed');
     }
 
+    // set reviewedBy to current user if the user has mod rights
+    // and wants to confirm the review status
+    deleteByDot(hook.data, 'reviewedBy');
+    if (hook.data.isReviewed) {
+      hook.data.reviewedBy = userId;
+    }
+
     // only allow changes to mods, admin and owners (if its already reviewed)
     if (!isModOrAdmin && (!isOwner || (isOwner && !isReviewed))) {
       deleteByDot(hook.data, 'isEnabled');

server/hooks/restrictToOwnerOrModerator.js

@@ -19,7 +19,8 @@ module.exports = function restrictToOwnerOrModerator (query = {}) { // eslint-di
     const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
 
     const userId = getByDot(hook, 'params.user._id');
-    const isOwner = userId && getByDot(hook, 'params.before.userId');
+    const ownerId = getByDot(hook, 'params.before.userId');
+    const isOwner = userId && ownerId && ownerId.toString() === userId.toString();
 
     // allow for mods or admins
     if (isModOrAdmin) {
@@ -28,11 +29,14 @@ module.exports = function restrictToOwnerOrModerator (query = {}) { // eslint-di
 
     // change the query if the method is find or get
     if (isFindOrGet) {
-      // add given query on top of it
-      hook.data = Object.assign(hook.data, query);
-      // if not an mod or admin, restrict to owner
-      hook.data.userId = userId;
-
+      // restrict to owner or given query
+      const restrictedQuery = {
+        $or: [
+          { userId },
+          { ...query }
+        ]
+      };
+      hook.params.query = Object.assign(hook.params.query, restrictedQuery);
       return hook;
     }
 

server/models/organizations.model.js

@@ -30,10 +30,7 @@ module.exports = function (app) {
       type: Boolean,
       default: false
     },
-    isReviewed: {
-      type: Boolean,
-      default: false
-    },
+    reviewedBy: { type: String },
     deleted: {
       type: Boolean,
       default: false

server/seeder/development/organizations.js

@@ -18,10 +18,9 @@ module.exports = (seederstore) => {
         addresses: () => seedHelpers.randomAddresses(),
         type: () => seedHelpers.randomItem(['ngo', 'npo', 'goodpurpose', 'ev', 'eva']),
         description: '{{lorem.text}}',
-        isVerified: () => seedHelpers.randomItem([true, false]),
         deletedAt: null,
         isEnabled: true,
-        isReviewed: true,
+        reviewedBy: null,
         createdAt: '{{date.recent}}',
         updatedAt: '{{date.recent}}',
         wasSeeded: true

server/seeder/development/users-admin.js

@@ -35,6 +35,21 @@ module.exports = (seederstore) => {
         doiToken: null,
         confirmedAt: null,
         deletedAt: null
+      },
+      {
+        email: '[email protected]',
+        password: '1234',
+        name: 'Sepp',
+        slug: 'sepp',
+        isnothere: true,
+        timezone: 'Europe/Berlin',
+        avatar: '{{internet.avatar}}',
+        coverImg: 'https://source.unsplash.com/random/1250x280',
+        role: 'user',
+        badgeIds: () => [keys(seederstore.badges)[1]],
+        doiToken: null,
+        confirmedAt: null,
+        deletedAt: null
       }]
     }]
   };

server/services/organizations/organizations.hooks.js

@@ -34,10 +34,10 @@ module.exports = {
       xss({ fields: xssFields })
     ],
     find: [
-      restrictToOwnerOrModerator({ isEnabled: true, isReviewed: true })
+      restrictToOwnerOrModerator({ isEnabled: true, reviewedBy: { $ne: null } })
     ],
     get: [
-      restrictToOwnerOrModerator({ isEnabled: true, isReviewed: true })
+      restrictToOwnerOrModerator({ isEnabled: true, reviewedBy: { $ne: null } })
     ],
     create: [
       authenticate('jwt'),
@@ -47,7 +47,7 @@ module.exports = {
       ),
       when(isModerator(),
         hook => {
-          hook.data.isReviewed = true;
+          hook.data.reviewedBy = hook.params.user.userId;
           return hook;
         }
       ),

server/services/users/users.hooks.js

@@ -100,9 +100,9 @@ module.exports = {
         }
       ),
       when(isProvider('external'),
-        restrictUserRole()
+        restrictUserRole(),
+        createAdmin()
       ),
-      createAdmin(),
       saveRemoteImages(['avatar', 'coverImg'])
     ],
     update: [

yarn.lock

@@ -1271,14 +1271,14 @@ dom-serializer@~0.0.0:
     domelementtype "~1.1.1"
     entities "~1.1.1"
 
-domelementtype@1, domelementtype@~1.1.1:
-  version "1.1.3"
-  resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.1.3.tgz#bd28773e2642881aec51544924299c5cd822185b"
-
-domelementtype@^1.3.0:
+domelementtype@1, domelementtype@^1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.3.0.tgz#b17aed82e8ab59e52dd9c19b1756e0fc187204c2"
 
+domelementtype@~1.1.1:
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.1.3.tgz#bd28773e2642881aec51544924299c5cd822185b"
+
 [email protected], domhandler@^2.3.0:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/domhandler/-/domhandler-2.3.0.tgz#2de59a0822d5027fabff6f032c2b25a2a8abe738"