diff --git a/src/controllers/projectController.js b/src/controllers/projectController.js
index 6bac2124c..d3e849498 100644
--- a/src/controllers/projectController.js
+++ b/src/controllers/projectController.js
@@ -2,7 +2,7 @@ const mongoose = require('mongoose');
 const timeentry = require('../models/timeentry');
 const userProfile = require('../models/userProfile');
 const userProject = require('../helpers/helperModels/userProjects');
-const { hasPermission } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
@@ -15,7 +15,8 @@ const projectController = function (Project) {
 };
 const deleteProject = function (req, res) {
- if (!hasPermission(req.body.requestor.role, 'deleteProject')) {
+ if (!hasPermission(req.body.requestor.role, 'deleteProject')
+ && !hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to delete projects.' });
 return;
 }
@@ -46,7 +47,8 @@ const projectController = function (Project) {
 };
 const postProject = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'postProject')) {
+ if (!await hasPermission(req.body.requestor.role, 'postProject')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to create new projects.' });
 return;
 }
@@ -77,7 +79,8 @@ const projectController = function (Project) {
 const putProject = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'putProject')) {
+ if (!await hasPermission(req.body.requestor.role, 'putProject')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send('You are not authorized to make changes in the projects.');
 return;
 }
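Review bot: In deleteProject's new guard, `!hasPermission(...) && !hasIndividualPermission(...)`, neither call is awaited, although postProject and putProject in the same file await the same functions and every other call site in this commit awaits hasIndividualPermission; if those functions return promises, each negated promise is `false`, the condition can never hold, and the 403 is never sent for any requestor. The un-awaited role check predates this commit, but the commit extends the pattern instead of correcting it, so the fix belongs here: `const deleteProject = async function (req, res) {` and `if (!await hasPermission(req.body.requestor.role, 'deleteProject') && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {`. `req.body.requestor.requestorId` is a field this handler did not read before; it is presumably set by the auth middleware rather than taken from the client body, which is worth confirming since the individual check keys entirely off it. deleteProject's body continues past the hunk.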
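Review bot: The individual permission that now authorizes project creation in postProject is `seeProjectManagement`, a name that reads as a view-level grant, and the same grant also authorizes putProject and deleteProject in this file and deleteWBS in wbsController; nothing in the hunk records that holders of a "see" permission are meant to create, change and delete projects. If that is intended, a comment above the guard such as `// seeProjectManagement is treated as full project-management access (create/update/delete), not read-only` would stop a later reader from narrowing or widening it by accident; if it is not, a write-scoped individual permission would keep the check aligned with least privilege. Whichever it is, the decision is now spelled out in seven separate guards, so it should be stated once where the permission is defined rather than inferred from each handler.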
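Review bot: The role-or-individual guard added to putProject is the same two-line expression copied into deleteProject and postProject above and into postWBS and deleteWBS, differing only in the role permission string; a helper in permissions such as `const canManageProject = async (requestor, action) => (await hasPermission(requestor.role, action)) || (await hasIndividualPermission(requestor.requestorId, 'seeProjectManagement'));` would let each handler read `if (!await canManageProject(req.body.requestor, 'putProject')) {` and make a future policy change a single edit. The chained `!await … && !await …` form is also easy to misread as one negation; naming the positive result first (`const allowed = …; if (!allowed) {`) keeps the intent visible. putProject's body continues outside the hunk.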
@@ -125,8 +128,11 @@ const projectController = function (Project) {
 // verify requestor is administrator, projectId is passed in request params and is valid mongoose objectid, and request body contains an array of users
 if (!await hasPermission(req.body.requestor.role, 'assignProjectToUsers')) {
+ if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
 res.status(403).send({ error: 'You are not authorized to perform this operation' });
 return;
+ }
 }
 if (!req.params.projectId || !mongoose.Types.ObjectId.isValid(req.params.projectId) || !req.body.users || (req.body.users.length === 0)) {
diff --git a/src/controllers/userProfileController.js b/src/controllers/userProfileController.js
index ae5edd232..40d6eac39 100644
--- a/src/controllers/userProfileController.js
+++ b/src/controllers/userProfileController.js
@@ -12,7 +12,7 @@ const Badge = require('../models/badge');
 const userProfile = require('../models/userProfile');
 const yearMonthDayDateValidator = require('../utilities/yearMonthDayDateValidator');
 const cache = require('../utilities/nodeCache')();
-const { hasPermission, canRequestorUpdateUser } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission, canRequestorUpdateUser } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
 const config = require('../config');
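Review bot: The comment immediately above the new nested check still says `verify requestor is administrator`, which no longer describes the rule: a requestor whose role lacks `assignProjectToUsers` is now allowed through if they hold either `seeProjectManagement` or `seeProjectManagementTab` as an individual permission. Update it to something like `// verify requestor has the assignProjectToUsers role permission or a project-management individual permission, projectId is a valid ObjectId, and the body has a non-empty users array`. The nested `if` inside `if (!await hasPermission(...))` also differs in shape from the flat `&&` guard used for deleteProject, postProject and putProject in the same file; flattening it to the same form would keep the controllers consistent and the 403 path easier to audit. The enclosing handler starts and ends outside this hunk.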
@@ -52,14 +52,16 @@ async function ValidatePassword(req, res) {
 const userProfileController = function (UserProfile) {
 const getUserProfiles = async function (req, res) {
- if (
- !(await hasPermission(req.body.requestor.role, "getUserProfiles")) &&
+ if (!await hasPermission(req.body.requestor.role, 'getUserProfiles') &&
 !req.body.requestor.permissions?.frontPermissions.includes(
 "putUserProfilePermissions"
 )
 ) {
- res.status(403).send("You are not authorized to view all users");
+ if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
+ res.status(403).send('You are not authorized to view all users');
 return;
+ }
 }
 if (cache.getCache("allusers")) {
diff --git a/src/controllers/wbsController.js b/src/controllers/wbsController.js
index 48b640061..815fc59d0 100644
--- a/src/controllers/wbsController.js
+++ b/src/controllers/wbsController.js
@@ -1,4 +1,4 @@
-const { hasPermission } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
 const wbsController = function (WBS) {
 const getAllWBS = function (req, res) {
@@ -11,7 +11,9 @@ const wbsController = function (WBS) {
 };
 const postWBS = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'postWbs')) {
+ if (!await hasPermission(req.body.requestor.role, 'postWbs')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
 res.status(403).send({ error: 'You are not authorized to create new projects.' });
 return;
 }
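Review bot: The nested check added to getUserProfiles lets any user holding `seeProjectManagement` or `seeProjectManagementTab` as an individual permission list every user profile (the cache key on the following context line is `allusers`), which is a broader data grant than a project-management permission name implies and is not explained anywhere in the hunk. A comment at the guard stating why project-management users need the full user list would make the exposure a documented decision rather than an incidental one; if only a subset of profile fields is required for that purpose, the response for this path should be limited accordingly. The rewritten condition also mixes quote styles within one expression (`'getUserProfiles'` beside `"putUserProfilePermissions"`) and places `&&` at line end while the added lines below place it at line start, so the block would benefit from one formatting pass. getUserProfiles continues past the hunk.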
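Review bot: postWBS's new guard accepts `seeProjectManagementTab` as sufficient to create a WBS, while deleteWBS in the next hunk of this commit accepts only `seeProjectManagement`; the asymmetry may be deliberate (tab-level users may create but not delete), but nothing records it, so a comment at the guard such as `// seeProjectManagementTab may create a WBS but not delete one; keep in step with deleteWBS` would stop the two from drifting apart. The three chained `!await` clauses would also read more clearly as one positive `allowed` boolean checked once, as would the same guard in deleteWBS. postWBS's body continues outside the hunk.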
@@ -34,7 +36,8 @@ const wbsController = function (WBS) {
 };
 const deleteWBS = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'deleteWbs')) {
+ if (!await hasPermission(req.body.requestor.role, 'deleteWbs')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to delete projects.' });
 return;
 }