From 65f675eb60fc6de9f35274f9c4a67477596456ad Mon Sep 17 00:00:00 2001
From: navneeeth
Date: Fri, 22 Sep 2023 19:25:14 -0700
Subject: [PATCH] updated controllers to check permissions for project management tab
---
 src/controllers/projectController.js | 14 ++++++++++----
 src/controllers/userProfileController.js | 5 ++++-
 src/controllers/wbsController.js | 9 ++++++---
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/controllers/projectController.js b/src/controllers/projectController.js
index 6bac2124c..d3e849498 100644
--- a/src/controllers/projectController.js
+++ b/src/controllers/projectController.js
@@ -2,7 +2,7 @@ const mongoose = require('mongoose');
 const timeentry = require('../models/timeentry');
 const userProfile = require('../models/userProfile');
 const userProject = require('../helpers/helperModels/userProjects');
-const { hasPermission } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
@@ -15,7 +15,8 @@ const projectController = function (Project) {
 };
 const deleteProject = function (req, res) {
- if (!hasPermission(req.body.requestor.role, 'deleteProject')) {
+ if (!hasPermission(req.body.requestor.role, 'deleteProject')
+ && !hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to delete projects.' });
 return;
 }
@@ -46,7 +47,8 @@ const projectController = function (Project) {
 };
 const postProject = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'postProject')) {
+ if (!await hasPermission(req.body.requestor.role, 'postProject')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to create new projects.' });
 return;
 }
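Review bot: In the deleteProject hunk the new `hasIndividualPermission` call, like the existing `hasPermission` call beside it, is not awaited, while every other call site in this patch (postProject, putProject, assignProjectToUsers, getUserProfiles, postWBS, deleteWBS) awaits both helpers. If the helpers return a Promise, `!promise` is always false, so the combined condition can never reach the 403 branch and the delete route is effectively unguarded; the patch does not address this. The fix is to declare `const deleteProject = async function (req, res) {` and check `if (!await hasPermission(req.body.requestor.role, 'deleteProject')` followed by `&& !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {`. deleteProject's body continues outside the hunk.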
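Review bot: The alternative grant checked here in postProject is `seeProjectManagement`, a name that reads as a view permission, yet the same individual permission now also authorizes putProject, deleteProject, assignProjectToUsers and deleteWBS, so a grant made to let a user see the tab unlocks every mutating project route at once. Whether that is intended cannot be told from the diff; if it is, a comment such as `// An individual 'seeProjectManagement' grant confers full project-management rights, not only read access` should say so at each check, and if it is not, each mutating route should test an action-scoped individual permission (for instance the same name already used for the role check, `'postProject'`) and leave `seeProjectManagement` as a read-only grant. postProject's body continues outside the hunk.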
@@ -77,7 +79,8 @@ const projectController = function (Project) {
 const putProject = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'putProject')) {
+ if (!await hasPermission(req.body.requestor.role, 'putProject')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send('You are not authorized to make changes in the projects.');
 return;
 }
@@ -125,8 +128,11 @@ const projectController = function (Project) {
 // verify requestor is administrator, projectId is passed in request params and is valid mongoose objectid, and request body contains an array of users
 if (!await hasPermission(req.body.requestor.role, 'assignProjectToUsers')) {
+ if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
 res.status(403).send({ error: 'You are not authorized to perform this operation' });
 return;
+ }
 }
 if (!req.params.projectId || !mongoose.Types.ObjectId.isValid(req.params.projectId) || !req.body.users || (req.body.users.length === 0)) {
diff --git a/src/controllers/userProfileController.js b/src/controllers/userProfileController.js
index 5f36e91a2..35f3ff395 100644
--- a/src/controllers/userProfileController.js
+++ b/src/controllers/userProfileController.js
@@ -12,7 +12,7 @@ const Badge = require('../models/badge');
 const userProfile = require('../models/userProfile');
 const yearMonthDayDateValidator = require('../utilities/yearMonthDayDateValidator');
 const cache = require('../utilities/nodeCache')();
-const { hasPermission, canRequestorUpdateUser } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission, canRequestorUpdateUser } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
 const config = require('../config');
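Review bot: The comment `// verify requestor is administrator, ...` at the top of the assignProjectToUsers hunk is now stale, because a requestor whose role lacks `assignProjectToUsers` is admitted on an individual `seeProjectManagement` or `seeProjectManagementTab` grant; it should read `// verify requestor has the assignProjectToUsers role permission or an individual project-management grant, projectId is passed in request params and is a valid mongoose objectid, and request body contains an array of users`. The set of individual permissions accepted also differs between routes without explanation: this hunk, getUserProfiles and postWBS accept either `seeProjectManagement` or `seeProjectManagementTab`, while deleteProject, postProject, putProject and deleteWBS accept only `seeProjectManagement`; if the two names are distinct grants, the split looks accidental and deserves either unification or a comment. The nested `if` wrapping the 403 can be flattened to the single-condition form used in putProject, `if (!await hasPermission(req.body.requestor.role, 'assignProjectToUsers')` / `&& !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')` / `&& !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {`, which is easier to audit for a missing deny branch. The enclosing function starts and ends outside the hunk.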
@@ -53,8 +53,11 @@ async function ValidatePassword(req, res) {
 const userProfileController = function (UserProfile) {
 const getUserProfiles = async function (req, res) {
 if (!await hasPermission(req.body.requestor.role, 'getUserProfiles')) {
+ if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
 res.status(403).send('You are not authorized to view all users');
 return;
+ }
 }
 if (cache.getCache('allusers')) {
diff --git a/src/controllers/wbsController.js b/src/controllers/wbsController.js
index 48b640061..815fc59d0 100644
--- a/src/controllers/wbsController.js
+++ b/src/controllers/wbsController.js
@@ -1,4 +1,4 @@
-const { hasPermission } = require('../utilities/permissions');
+const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
 const wbsController = function (WBS) {
 const getAllWBS = function (req, res) {
@@ -11,7 +11,9 @@ const wbsController = function (WBS) {
 };
 const postWBS = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'postWbs')) {
+ if (!await hasPermission(req.body.requestor.role, 'postWbs')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
 res.status(403).send({ error: 'You are not authorized to create new projects.' });
 return;
 }
@@ -34,7 +36,8 @@ const wbsController = function (WBS) {
 };
 const deleteWBS = async function (req, res) {
- if (!await hasPermission(req.body.requestor.role, 'deleteWbs')) {
+ if (!await hasPermission(req.body.requestor.role, 'deleteWbs')
+ && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) {
 res.status(403).send({ error: 'You are not authorized to delete projects.' });
 return;
 }
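Review bot: getUserProfiles now admits anyone holding an individual `seeProjectManagement` or `seeProjectManagementTab` grant, so a permission scoped to the project-management tab also exposes whatever this route returns for all users; the rest of the handler, including the cached `allusers` response, is outside the hunk, so the field set cannot be confirmed here. If the tab only needs identifiers and names for assignment, returning a narrower projection to individually-permitted requestors would limit what that grant reveals, and if the full listing is intended, a comment such as `// Individual project-management grants may list all users so the tab can assign them to projects` would record the decision. The nested `if` here has the same shape as the one in assignProjectToUsers and can be flattened into a single `&&` condition like postWBS below. getUserProfiles's body continues outside the hunk.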