Merge pull request #547 from OneCommunityGlobal/nathan-individual-per…

…missions-fix Nathan individual permissions fix
OneCommunityGlobal · Oct 16, 2023 · aa329ed · aa329ed
2 parents b3e5d63 + 92059d5
commit aa329ed
Show file tree

Hide file tree

Showing 14 changed files with 86 additions and 126 deletions.
diff --git a/src/controllers/badgeController.js b/src/controllers/badgeController.js
@@ -1,11 +1,11 @@
 const mongoose = require('mongoose');
 const UserProfile = require('../models/userProfile');
-const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
+const { hasPermission } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
 
 const badgeController = function (Badge) {
   const getAllBadges = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'seeBadges') && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeBadges')) {
+    if (!await hasPermission(req.body.requestor, 'seeBadges')) {
       res.status(403).send('You are not authorized to view all badge data.');
       return;
     }
@@ -26,7 +26,7 @@ const badgeController = function (Badge) {
   };
 
   const assignBadges = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'assignBadges')) {
+    if (!await hasPermission(req.body.requestor, 'assignBadges')) {
       res.status(403).send('You are not authorized to assign badges.');
       return;
     }
@@ -57,7 +57,7 @@ const badgeController = function (Badge) {
   };
 
   const postBadge = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'createBadges')) {
+    if (!await hasPermission(req.body.requestor, 'createBadges')) {
       res.status(403).send({ error: 'You are not authorized to create new badges.' });
       return;
     }
@@ -91,7 +91,7 @@ const badgeController = function (Badge) {
   };
 
   const deleteBadge = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'deleteBadges')) {
+    if (!await hasPermission(req.body.requestor, 'deleteBadges')) {
       res.status(403).send({ error: 'You are not authorized to delete badges.' });
       return;
     }
@@ -112,7 +112,7 @@ const badgeController = function (Badge) {
   };
 
   const putBadge = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'updateBadges')) {
+    if (!await hasPermission(req.body.requestor, 'updateBadges')) {
       res.status(403).send({ error: 'You are not authorized to update badges.' });
       return;
     }

diff --git a/src/controllers/inventoryController.js b/src/controllers/inventoryController.js
@@ -7,7 +7,7 @@ const escapeRegex = require('../utilities/escapeRegex');
 
 const inventoryController = function (Item, ItemType) {
   const getAllInvInProjectWBS = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getAllInvInProjectWBS')) {
+    if (!await hasPermission(req.body.requestor, 'getAllInvInProjectWBS')) {
       return res.status(403).send('You are not authorized to view inventory data.');
     }
     // use req.params.projectId and wbsId
@@ -40,7 +40,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const postInvInProjectWBS = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postInvInProjectWBS')) {
+    if (!await hasPermission(req.body.requestor, 'postInvInProjectWBS')) {
       return res.status(403).send('You are not authorized to view inventory data.');
     }
     // use req.body.projectId and req.body.wbsId req.body.quantity,
@@ -108,7 +108,7 @@ const inventoryController = function (Item, ItemType) {
 
 
   const getAllInvInProject = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getAllInvInProject')) {
+    if (!await hasPermission(req.body.requestor, 'getAllInvInProject')) {
       return res.status(403).send('You are not authorized to view inventory data.');
     }
     // same as getAllInvInProjectWBS but just using only the project to find the items of inventory
@@ -140,7 +140,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const postInvInProject = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postInvInProject')) {
+    if (!await hasPermission(req.body.requestor, 'postInvInProject')) {
       return res.status(403).send('You are not authorized to post new inventory data.');
     }
     // same as posting an item inProjectWBS but the WBS is uanassigned(i.e. null)
@@ -194,7 +194,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const transferInvById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'transferInvById')) {
+    if (!await hasPermission(req.body.requestor, 'transferInvById')) {
       return res.status(403).send('You are not authorized to transfer inventory data.');
     }
     // This function transfer inventory by id
@@ -283,7 +283,7 @@ const inventoryController = function (Item, ItemType) {
 
 
   const delInvById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'delInvById')) {
+    if (!await hasPermission(req.body.requestor, 'delInvById')) {
       return res.status(403).send('You are not authorized to waste inventory.');
     }
     // send result just sending something now to have it work and not break anything
@@ -372,7 +372,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const unWasteInvById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'unWasteInvById')) {
+    if (!await hasPermission(req.body.requestor, 'unWasteInvById')) {
       return res.status(403).send('You are not authorized to unwaste inventory.');
     }
     const properUnWaste = await Item.findOne({ _id: req.params.invId, quantity: { $gte: req.body.quantity }, wasted: true }).select('_id').lean();
@@ -453,7 +453,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const getInvIdInfo = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getInvIdInfo')) {
+    if (!await hasPermission(req.body.requestor, 'getInvIdInfo')) {
       return res.status(403).send('You are not authorized to get inventory by id.');
     }
     // req.params.invId
@@ -465,7 +465,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const putInvById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'putInvById')) {
+    if (!await hasPermission(req.body.requestor, 'putInvById')) {
       return res.status(403).send('You are not authorized to edit inventory by id.');
     }
     // update the inv by id.
@@ -493,7 +493,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const getInvTypeById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getInvTypeById')) {
+    if (!await hasPermission(req.body.requestor, 'getInvTypeById')) {
       return res.status(403).send('You are not authorized to get inv type by id.');
     }
     // send result just sending something now to have it work and not break anything
@@ -504,7 +504,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const putInvType = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'putInvType')) {
+    if (!await hasPermission(req.body.requestor, 'putInvType')) {
       return res.status(403).send('You are not authorized to edit an inventory type.');
     }
     const { typeId } = req.params;
@@ -527,7 +527,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const getAllInvType = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getAllInvType')) {
+    if (!await hasPermission(req.body.requestor, 'getAllInvType')) {
       return res.status(403).send('You are not authorized to get all inventory.');
     }
     // send result just sending something now to have it work and not break anything
@@ -537,7 +537,7 @@ const inventoryController = function (Item, ItemType) {
   };
 
   const postInvType = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postInvType')) {
+    if (!await hasPermission(req.body.requestor, 'postInvType')) {
       return res.status(403).send('You are not authorized to save an inventory type.');
     }
     return ItemType.find({ name: { $regex: escapeRegex(req.body.name), $options: 'i' } })

diff --git a/src/controllers/popupEditorBackupController.js b/src/controllers/popupEditorBackupController.js
@@ -20,7 +20,7 @@ const popupEditorBackupController = function (PopupEditorBackups) {
 
 
   const createPopupEditorBackup = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'createPopup')) {
+    if (!await hasPermission(req.body.requestor, 'createPopup')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new popup' });
@@ -46,7 +46,7 @@ const popupEditorBackupController = function (PopupEditorBackups) {
   };
 
   const updatePopupEditorBackup = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'updatePopup')) {
+    if (!await hasPermission(req.body.requestor, 'updatePopup')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new popup' });

diff --git a/src/controllers/popupEditorController.js b/src/controllers/popupEditorController.js
@@ -15,7 +15,7 @@ const popupEditorController = function (PopupEditors) {
 
 
   const createPopupEditor = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'createPopup')) {
+    if (!await hasPermission(req.body.requestor, 'createPopup')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new popup' });
@@ -38,7 +38,7 @@ const popupEditorController = function (PopupEditors) {
   };
 
   const updatePopupEditor = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'updatePopup')) {
+    if (!await hasPermission(req.body.requestor, 'updatePopup')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new popup' });

diff --git a/src/controllers/projectController.js b/src/controllers/projectController.js
@@ -2,7 +2,7 @@ const mongoose = require('mongoose');
 const timeentry = require('../models/timeentry');
 const userProfile = require('../models/userProfile');
 const userProject = require('../helpers/helperModels/userProjects');
-const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
+const { hasPermission } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
 
 
@@ -14,10 +14,9 @@ const projectController = function (Project) {
       .catch(error => res.status(404).send(error));
   };
 
-  const deleteProject = function (req, res) {
-    if (!hasPermission(req.body.requestor.role, 'deleteProject')
-    && !hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { 
-      res.status(403).send({ error: 'You are not authorized to delete projects.' });
+  const deleteProject = async function (req, res) {
+    if (!await hasPermission(req.body.requestor, 'deleteProject')) {
+      res.status(403).send({ error: 'You are  not authorized to delete projects.' });
       return;
     }
     const { projectId } = req.params;
@@ -47,8 +46,7 @@ const projectController = function (Project) {
   };
 
   const postProject = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postProject') 
-    && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { 
+    if (!await hasPermission(req.body.requestor, 'postProject')) {
       res.status(403).send({ error: 'You are not authorized to create new projects.' });
       return;
     }
@@ -79,8 +77,7 @@ const projectController = function (Project) {
 
 
   const putProject = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'putProject')
-    && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { 
+    if (!await hasPermission(req.body.requestor, 'putProject')) {
       res.status(403).send('You are not authorized to make changes in the projects.');
       return;
     }
@@ -127,12 +124,9 @@ const projectController = function (Project) {
   const assignProjectToUsers = async function (req, res) {
     // verify requestor is administrator, projectId is passed in request params and is valid mongoose objectid, and request body contains  an array of users
 
-    if (!await hasPermission(req.body.requestor.role, 'assignProjectToUsers')) {
-      if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement') 
-        && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) {
+    if (!await hasPermission(req.body.requestor, 'assignProjectToUsers')) {
       res.status(403).send({ error: 'You are not authorized to perform this operation' });
       return;
-        }
     }
 
     if (!req.params.projectId || !mongoose.Types.ObjectId.isValid(req.params.projectId) || !req.body.users || (req.body.users.length === 0)) {

diff --git a/src/controllers/reportsController.js b/src/controllers/reportsController.js
@@ -1,9 +1,9 @@
 const reporthelper = require('../helpers/reporthelper')();
-const { hasPermission, hasIndividualPermission } = require('../utilities/permissions');
+const { hasPermission } = require('../utilities/permissions');
 
 const reportsController = function () {
   const getWeeklySummaries = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'getWeeklySummaries') && !await hasIndividualPermission(req.body.requestor.requestorId, 'getWeeklySummaries')) {
+    if (!await hasPermission(req.body.requestor, 'getWeeklySummaries')) {
       res.status(403).send('You are not authorized to view all users');
       return;
     }

diff --git a/src/controllers/rolesController.js b/src/controllers/rolesController.js
@@ -10,7 +10,7 @@ const rolesController = function (Role) {
   };
 
   const createNewRole = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postRole')) {
+    if (!await hasPermission(req.body.requestor, 'postRole')) {
       res.status(403).send('You are not authorized to create new roles.');
       return;
     }
@@ -39,7 +39,7 @@ const rolesController = function (Role) {
 
 
   const updateRoleById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'putRole')) {
+    if (!await hasPermission(req.body.requestor, 'putRole')) {
       res.status(403).send('You are not authorized to make changes to roles.');
       return;
     }
@@ -67,7 +67,7 @@ const rolesController = function (Role) {
   };
 
   const deleteRoleById = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'deleteRole')) {
+    if (!await hasPermission(req.body.requestor, 'deleteRole')) {
       res.status(403).send('You are not authorized to delete roles.');
       return;
     }

diff --git a/src/controllers/taskController.js b/src/controllers/taskController.js
@@ -390,7 +390,7 @@ const taskController = function (Task) {
   };
 
   const importTask = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'importTask')) {
+    if (!await hasPermission(req.body.requestor, 'importTask')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new Task.' });
@@ -420,7 +420,7 @@ const taskController = function (Task) {
   };
 
   const postTask = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'postTask')) {
+    if (!await hasPermission(req.body.requestor, 'postTask')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new Task.' });
@@ -456,7 +456,7 @@ const taskController = function (Task) {
   };
 
   const updateNum = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'updateNum')) {
+    if (!await hasPermission(req.body.requestor, 'updateNum')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new projects.' });
@@ -593,7 +593,7 @@ const taskController = function (Task) {
   };
 
   const deleteTask = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'deleteTask')) {
+    if (!await hasPermission(req.body.requestor, 'deleteTask')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to deleteTasks.' });
@@ -642,7 +642,7 @@ const taskController = function (Task) {
   };
 
   const deleteTaskByWBS = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'deleteTask')) {
+    if (!await hasPermission(req.body.requestor, 'deleteTask')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to deleteTasks.' });
@@ -673,7 +673,7 @@ const taskController = function (Task) {
   };
 
   const updateTask = async (req, res) => {
-    if (!await hasPermission(req.body.requestor.role, 'updateTask')) {
+    if (!await hasPermission(req.body.requestor, 'updateTask')) {
       res.status(403).send({ error: 'You are not authorized to update Task.' });
       return;
     }
@@ -689,7 +689,7 @@ const taskController = function (Task) {
   };
 
   const swap = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'swapTask')) {
+    if (!await hasPermission(req.body.requestor, 'swapTask')) {
       res
         .status(403)
         .send({ error: 'You are not authorized to create new projects.' });

diff --git a/src/controllers/teamController.js b/src/controllers/teamController.js
@@ -18,7 +18,7 @@ const teamcontroller = function (Team) {
       .catch(error => res.send(error).status(404));
   };
   const postTeam = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'postTeam')) {
+    if (!await hasPermission(req.body.requestor, 'postTeam')) {
       res.status(403).send({ error: 'You are not authorized to create teams.' });
       return;
     }
@@ -35,7 +35,7 @@ const teamcontroller = function (Team) {
       .catch(error => res.send(error).status(404));
   };
   const deleteTeam = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'deleteTeam')) {
+    if (!await hasPermission(req.body.requestor, 'deleteTeam')) {
       res.status(403).send({ error: 'You are not authorized to delete teams.' });
       return;
     }
@@ -58,7 +58,7 @@ const teamcontroller = function (Team) {
     });
   };
   const putTeam = async function (req, res) {
-    if (!await hasPermission(req.body.requestor.role, 'putTeam')) {
+    if (!await hasPermission(req.body.requestor, 'putTeam')) {
       res.status(403).send('You are not authorized to make changes in the teams.');
       return;
     }
@@ -85,7 +85,7 @@ const teamcontroller = function (Team) {
   const assignTeamToUsers = async function (req, res) {
     // verify requestor is administrator, teamId is passed in request params and is valid mongoose objectid, and request body contains  an array of users
 
-    if (!await hasPermission(req.body.requestor.role, 'assignTeamToUsers')) {
+    if (!await hasPermission(req.body.requestor, 'assignTeamToUsers')) {
       res.status(403).send({ error: 'You are not authorized to perform this operation' });
       return;
     }