diff --git a/src/controllers/badgeController.js b/src/controllers/badgeController.js index 6238c381e..62bad6399 100644 --- a/src/controllers/badgeController.js +++ b/src/controllers/badgeController.js @@ -1,11 +1,11 @@ const mongoose = require('mongoose'); const UserProfile = require('../models/userProfile'); -const { hasPermission, hasIndividualPermission } = require('../utilities/permissions'); +const { hasPermission } = require('../utilities/permissions'); const escapeRegex = require('../utilities/escapeRegex'); const badgeController = function (Badge) { const getAllBadges = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'seeBadges') && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeBadges')) { + if (!await hasPermission(req.body.requestor, 'seeBadges')) { res.status(403).send('You are not authorized to view all badge data.'); return; } @@ -26,7 +26,7 @@ const badgeController = function (Badge) { }; const assignBadges = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'assignBadges')) { + if (!await hasPermission(req.body.requestor, 'assignBadges')) { res.status(403).send('You are not authorized to assign badges.'); return; } @@ -57,7 +57,7 @@ const badgeController = function (Badge) { }; const postBadge = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'createBadges')) { + if (!await hasPermission(req.body.requestor, 'createBadges')) { res.status(403).send({ error: 'You are not authorized to create new badges.' }); return; } @@ -91,7 +91,7 @@ const badgeController = function (Badge) { }; const deleteBadge = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'deleteBadges')) { + if (!await hasPermission(req.body.requestor, 'deleteBadges')) { res.status(403).send({ error: 'You are not authorized to delete badges.' }); return; } 
@@ -112,7 +112,7 @@ const badgeController = function (Badge) { }; const putBadge = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'updateBadges')) { + if (!await hasPermission(req.body.requestor, 'updateBadges')) { res.status(403).send({ error: 'You are not authorized to update badges.' }); return; } diff --git a/src/controllers/inventoryController.js b/src/controllers/inventoryController.js index bc0902aeb..f1e00402d 100644 --- a/src/controllers/inventoryController.js +++ b/src/controllers/inventoryController.js @@ -7,7 +7,7 @@ const escapeRegex = require('../utilities/escapeRegex'); const inventoryController = function (Item, ItemType) { const getAllInvInProjectWBS = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getAllInvInProjectWBS')) { + if (!await hasPermission(req.body.requestor, 'getAllInvInProjectWBS')) { return res.status(403).send('You are not authorized to view inventory data.'); } // use req.params.projectId and wbsId @@ -40,7 +40,7 @@ const inventoryController = function (Item, ItemType) { }; const postInvInProjectWBS = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postInvInProjectWBS')) { + if (!await hasPermission(req.body.requestor, 'postInvInProjectWBS')) { return res.status(403).send('You are not authorized to view inventory data.'); } // use req.body.projectId and req.body.wbsId req.body.quantity, @@ -108,7 +108,7 @@ const inventoryController = function (Item, ItemType) { const getAllInvInProject = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getAllInvInProject')) { + if (!await hasPermission(req.body.requestor, 'getAllInvInProject')) { return res.status(403).send('You are not authorized to view inventory data.'); } // same as getAllInvInProjectWBS but just using only the project to find the items of inventory 
@@ -140,7 +140,7 @@ const inventoryController = function (Item, ItemType) { }; const postInvInProject = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postInvInProject')) { + if (!await hasPermission(req.body.requestor, 'postInvInProject')) { return res.status(403).send('You are not authorized to post new inventory data.'); } // same as posting an item inProjectWBS but the WBS is uanassigned(i.e. null) @@ -194,7 +194,7 @@ const inventoryController = function (Item, ItemType) { }; const transferInvById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'transferInvById')) { + if (!await hasPermission(req.body.requestor, 'transferInvById')) { return res.status(403).send('You are not authorized to transfer inventory data.'); } // This function transfer inventory by id @@ -283,7 +283,7 @@ const inventoryController = function (Item, ItemType) { const delInvById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'delInvById')) { + if (!await hasPermission(req.body.requestor, 'delInvById')) { return res.status(403).send('You are not authorized to waste inventory.'); } // send result just sending something now to have it work and not break anything @@ -372,7 +372,7 @@ const inventoryController = function (Item, ItemType) { }; const unWasteInvById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'unWasteInvById')) { + if (!await hasPermission(req.body.requestor, 'unWasteInvById')) { return res.status(403).send('You are not authorized to unwaste inventory.'); } const properUnWaste = await Item.findOne({ _id: req.params.invId, quantity: { $gte: req.body.quantity }, wasted: true }).select('_id').lean(); 
@@ -453,7 +453,7 @@ const inventoryController = function (Item, ItemType) { }; const getInvIdInfo = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getInvIdInfo')) { + if (!await hasPermission(req.body.requestor, 'getInvIdInfo')) { return res.status(403).send('You are not authorized to get inventory by id.'); } // req.params.invId @@ -465,7 +465,7 @@ const inventoryController = function (Item, ItemType) { }; const putInvById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'putInvById')) { + if (!await hasPermission(req.body.requestor, 'putInvById')) { return res.status(403).send('You are not authorized to edit inventory by id.'); } // update the inv by id. @@ -493,7 +493,7 @@ const inventoryController = function (Item, ItemType) { }; const getInvTypeById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getInvTypeById')) { + if (!await hasPermission(req.body.requestor, 'getInvTypeById')) { return res.status(403).send('You are not authorized to get inv type by id.'); } // send result just sending something now to have it work and not break anything @@ -504,7 +504,7 @@ const inventoryController = function (Item, ItemType) { }; const putInvType = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'putInvType')) { + if (!await hasPermission(req.body.requestor, 'putInvType')) { return res.status(403).send('You are not authorized to edit an inventory type.'); } const { typeId } = req.params; @@ -527,7 +527,7 @@ const inventoryController = function (Item, ItemType) { }; const getAllInvType = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getAllInvType')) { + if (!await hasPermission(req.body.requestor, 'getAllInvType')) { return res.status(403).send('You are not authorized to get all inventory.'); } // send result just sending something now to have it work and not break anything 
@@ -537,7 +537,7 @@ const inventoryController = function (Item, ItemType) { }; const postInvType = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postInvType')) { + if (!await hasPermission(req.body.requestor, 'postInvType')) { return res.status(403).send('You are not authorized to save an inventory type.'); } return ItemType.find({ name: { $regex: escapeRegex(req.body.name), $options: 'i' } }) diff --git a/src/controllers/popupEditorBackupController.js b/src/controllers/popupEditorBackupController.js index 7b2493909..21eccaf8f 100644 --- a/src/controllers/popupEditorBackupController.js +++ b/src/controllers/popupEditorBackupController.js @@ -20,7 +20,7 @@ const popupEditorBackupController = function (PopupEditorBackups) { const createPopupEditorBackup = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'createPopup')) { + if (!await hasPermission(req.body.requestor, 'createPopup')) { res .status(403) .send({ error: 'You are not authorized to create new popup' }); @@ -46,7 +46,7 @@ const popupEditorBackupController = function (PopupEditorBackups) { }; const updatePopupEditorBackup = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'updatePopup')) { + if (!await hasPermission(req.body.requestor, 'updatePopup')) { res .status(403) .send({ error: 'You are not authorized to create new popup' }); diff --git a/src/controllers/popupEditorController.js b/src/controllers/popupEditorController.js index 25eed80dd..71dcb7b69 100644 --- a/src/controllers/popupEditorController.js +++ b/src/controllers/popupEditorController.js @@ -15,7 +15,7 @@ const popupEditorController = function (PopupEditors) { const createPopupEditor = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'createPopup')) { + if (!await hasPermission(req.body.requestor, 'createPopup')) { res .status(403) .send({ error: 'You are not authorized to create new popup' }); 
@@ -38,7 +38,7 @@ const popupEditorController = function (PopupEditors) { }; const updatePopupEditor = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'updatePopup')) { + if (!await hasPermission(req.body.requestor, 'updatePopup')) { res .status(403) .send({ error: 'You are not authorized to create new popup' }); diff --git a/src/controllers/projectController.js b/src/controllers/projectController.js index d3e849498..a88378985 100644 --- a/src/controllers/projectController.js +++ b/src/controllers/projectController.js @@ -2,7 +2,7 @@ const mongoose = require('mongoose'); const timeentry = require('../models/timeentry'); const userProfile = require('../models/userProfile'); const userProject = require('../helpers/helperModels/userProjects'); -const { hasPermission, hasIndividualPermission } = require('../utilities/permissions'); +const { hasPermission } = require('../utilities/permissions'); const escapeRegex = require('../utilities/escapeRegex'); @@ -14,10 +14,9 @@ const projectController = function (Project) { .catch(error => res.status(404).send(error)); }; - const deleteProject = function (req, res) { - if (!hasPermission(req.body.requestor.role, 'deleteProject') - && !hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { - res.status(403).send({ error: 'You are not authorized to delete projects.' }); + const deleteProject = async function (req, res) { + if (!await hasPermission(req.body.requestor, 'deleteProject')) { + res.status(403).send({ error: 'You are not authorized to delete projects.' }); return; } const { projectId } = req.params; 
@@ -47,8 +46,7 @@ const projectController = function (Project) { }; const postProject = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postProject') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { + if (!await hasPermission(req.body.requestor, 'postProject')) { res.status(403).send({ error: 'You are not authorized to create new projects.' }); return; } @@ -79,8 +77,7 @@ const projectController = function (Project) { const putProject = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'putProject') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { + if (!await hasPermission(req.body.requestor, 'putProject')) { res.status(403).send('You are not authorized to make changes in the projects.'); return; } @@ -127,12 +124,9 @@ const projectController = function (Project) { const assignProjectToUsers = async function (req, res) { // verify requestor is administrator, projectId is passed in request params and is valid mongoose objectid, and request body contains an array of users - if (!await hasPermission(req.body.requestor.role, 'assignProjectToUsers')) { - if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) { + if (!await hasPermission(req.body.requestor, 'assignProjectToUsers')) { res.status(403).send({ error: 'You are not authorized to perform this operation' }); return; - } } if (!req.params.projectId || !mongoose.Types.ObjectId.isValid(req.params.projectId) || !req.body.users || (req.body.users.length === 0)) { diff --git a/src/controllers/reportsController.js b/src/controllers/reportsController.js index e139924fa..8f4aba87b 100644 --- a/src/controllers/reportsController.js +++ b/src/controllers/reportsController.js 
@@ -1,9 +1,9 @@ const reporthelper = require('../helpers/reporthelper')(); -const { hasPermission, hasIndividualPermission } = require('../utilities/permissions'); +const { hasPermission } = require('../utilities/permissions'); const reportsController = function () { const getWeeklySummaries = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getWeeklySummaries') && !await hasIndividualPermission(req.body.requestor.requestorId, 'getWeeklySummaries')) { + if (!await hasPermission(req.body.requestor, 'getWeeklySummaries')) { res.status(403).send('You are not authorized to view all users'); return; } diff --git a/src/controllers/rolesController.js b/src/controllers/rolesController.js index a97e9408f..d3d9f8310 100644 --- a/src/controllers/rolesController.js +++ b/src/controllers/rolesController.js @@ -10,7 +10,7 @@ const rolesController = function (Role) { }; const createNewRole = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postRole')) { + if (!await hasPermission(req.body.requestor, 'postRole')) { res.status(403).send('You are not authorized to create new roles.'); return; } @@ -39,7 +39,7 @@ const rolesController = function (Role) { const updateRoleById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'putRole')) { + if (!await hasPermission(req.body.requestor, 'putRole')) { res.status(403).send('You are not authorized to make changes to roles.'); return; } @@ -67,7 +67,7 @@ const rolesController = function (Role) { }; const deleteRoleById = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'deleteRole')) { + if (!await hasPermission(req.body.requestor, 'deleteRole')) { res.status(403).send('You are not authorized to delete roles.'); return; } diff --git a/src/controllers/taskController.js b/src/controllers/taskController.js index 79222ed4b..d5e048537 100644 --- a/src/controllers/taskController.js +++ b/src/controllers/taskController.js 
@@ -390,7 +390,7 @@ const taskController = function (Task) { }; const importTask = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'importTask')) { + if (!await hasPermission(req.body.requestor, 'importTask')) { res .status(403) .send({ error: 'You are not authorized to create new Task.' }); @@ -420,7 +420,7 @@ const taskController = function (Task) { }; const postTask = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'postTask')) { + if (!await hasPermission(req.body.requestor, 'postTask')) { res .status(403) .send({ error: 'You are not authorized to create new Task.' }); @@ -456,7 +456,7 @@ const taskController = function (Task) { }; const updateNum = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'updateNum')) { + if (!await hasPermission(req.body.requestor, 'updateNum')) { res .status(403) .send({ error: 'You are not authorized to create new projects.' }); @@ -593,7 +593,7 @@ const taskController = function (Task) { }; const deleteTask = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'deleteTask')) { + if (!await hasPermission(req.body.requestor, 'deleteTask')) { res .status(403) .send({ error: 'You are not authorized to deleteTasks.' }); @@ -642,7 +642,7 @@ const taskController = function (Task) { }; const deleteTaskByWBS = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'deleteTask')) { + if (!await hasPermission(req.body.requestor, 'deleteTask')) { res .status(403) .send({ error: 'You are not authorized to deleteTasks.' }); @@ -673,7 +673,7 @@ const taskController = function (Task) { }; const updateTask = async (req, res) => { - if (!await hasPermission(req.body.requestor.role, 'updateTask')) { + if (!await hasPermission(req.body.requestor, 'updateTask')) { res.status(403).send({ error: 'You are not authorized to update Task.' }); return; } 
@@ -689,7 +689,7 @@ const taskController = function (Task) { }; const swap = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'swapTask')) { + if (!await hasPermission(req.body.requestor, 'swapTask')) { res .status(403) .send({ error: 'You are not authorized to create new projects.' }); diff --git a/src/controllers/teamController.js b/src/controllers/teamController.js index 9fa20ab2b..c82b9e5ce 100644 --- a/src/controllers/teamController.js +++ b/src/controllers/teamController.js @@ -18,7 +18,7 @@ const teamcontroller = function (Team) { .catch(error => res.send(error).status(404)); }; const postTeam = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postTeam')) { + if (!await hasPermission(req.body.requestor, 'postTeam')) { res.status(403).send({ error: 'You are not authorized to create teams.' }); return; } @@ -35,7 +35,7 @@ const teamcontroller = function (Team) { .catch(error => res.send(error).status(404)); }; const deleteTeam = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'deleteTeam')) { + if (!await hasPermission(req.body.requestor, 'deleteTeam')) { res.status(403).send({ error: 'You are not authorized to delete teams.' }); return; } @@ -58,7 +58,7 @@ const teamcontroller = function (Team) { }); }; const putTeam = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'putTeam')) { + if (!await hasPermission(req.body.requestor, 'putTeam')) { res.status(403).send('You are not authorized to make changes in the teams.'); return; } 
@@ -85,7 +85,7 @@ const teamcontroller = function (Team) { const assignTeamToUsers = async function (req, res) { // verify requestor is administrator, teamId is passed in request params and is valid mongoose objectid, and request body contains an array of users - if (!await hasPermission(req.body.requestor.role, 'assignTeamToUsers')) { + if (!await hasPermission(req.body.requestor, 'assignTeamToUsers')) { res.status(403).send({ error: 'You are not authorized to perform this operation' }); return; } diff --git a/src/controllers/timeEntryController.js b/src/controllers/timeEntryController.js index 0dfca9793..bea25d0a6 100644 --- a/src/controllers/timeEntryController.js +++ b/src/controllers/timeEntryController.js @@ -106,7 +106,7 @@ const timeEntrycontroller = function (TimeEntry) { return res.status(400).send({ error: `No valid records found for ${req.params.timeEntryId}` }); } - if (!(await hasPermission(req.body.requestor.role, 'editTimeEntry') || timeEntry.personId.toString() === req.body.requestor.requestorId.toString())) { + if (!(await hasPermission(req.body.requestor, 'editTimeEntry') || timeEntry.personId.toString() === req.body.requestor.requestorId.toString())) { return res.status(403).send({ error: 'Unauthorized request' }); } @@ -153,7 +153,7 @@ const timeEntrycontroller = function (TimeEntry) { if (initialSeconds !== totalSeconds && timeEntry.isTangible && req.body.requestor.requestorId === timeEntry.personId.toString() - && !await hasPermission(req.body.requestor.role, 'editTimeEntry') + && !await hasPermission(req.body.requestor, 'editTimeEntry') ) { const requestor = await userProfile.findById(req.body.requestor.requestorId); requestor.timeEntryEditHistory.push({ 
@@ -463,7 +463,7 @@ const timeEntrycontroller = function (TimeEntry) { if ( record.personId.toString() === req.body.requestor.requestorId.toString() - || await hasPermission(req.body.requestor.role, 'deleteTimeEntry') + || await hasPermission(req.body.requestor, 'deleteTimeEntry') ) { // Revert this tangible timeEntry of related task's hoursLogged if (record.isTangible === true) { diff --git a/src/controllers/timeZoneAPIController.js b/src/controllers/timeZoneAPIController.js index 2ed0792c9..3c4df0a22 100644 --- a/src/controllers/timeZoneAPIController.js +++ b/src/controllers/timeZoneAPIController.js @@ -2,14 +2,13 @@ const { hasPermission } = require('../utilities/permissions'); const timeZoneAPIController = function () { const getTimeZoneAPIKey = async (req, res) => { - const requestorRole = req.body.requestor.role; const premiumKey = process.env.TIMEZONE_PREMIUM_KEY; const commonKey = process.env.TIMEZONE_COMMON_KEY; if (!req.body.requestor.role) { res.status(403).send('Unauthorized Request'); return; } - if (await hasPermission(requestorRole, 'getTimeZoneAPIKey')) { + if (await hasPermission(req.body.requestor, 'getTimeZoneAPIKey')) { res.status(200).send({ userAPIKey: premiumKey }); return; } diff --git a/src/controllers/userProfileController.js b/src/controllers/userProfileController.js index 6036b9d0f..6dc571b39 100644 --- a/src/controllers/userProfileController.js +++ b/src/controllers/userProfileController.js @@ -12,7 +12,7 @@ const Badge = require('../models/badge'); const userProfile = require('../models/userProfile'); const yearMonthDayDateValidator = require('../utilities/yearMonthDayDateValidator'); const cache = require('../utilities/nodeCache')(); -const { hasPermission, hasIndividualPermission, canRequestorUpdateUser } = require('../utilities/permissions'); +const { hasPermission, canRequestorUpdateUser } = require('../utilities/permissions'); const escapeRegex = require('../utilities/escapeRegex'); const config = require('../config'); 
@@ -35,7 +35,7 @@ async function ValidatePassword(req, res) { return; } // Verify request is authorized by self or adminsitrator - if (!userId === requestor.requestorId && !await hasPermission(requestor.role, 'updatePassword')) { + if (!userId === requestor.requestorId && !await hasPermission(req.body.requestor, 'updatePassword')) { res.status(403).send({ error: "You are unauthorized to update this user's password", }); @@ -52,16 +52,9 @@ async function ValidatePassword(req, res) { const userProfileController = function (UserProfile) { const getUserProfiles = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'getUserProfiles') && - !req.body.requestor.permissions?.frontPermissions.includes( - "putUserProfilePermissions" - ) - ) { - if (!await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) { + if (!await hasPermission(req.body.requestor, 'getUserProfiles')) { res.status(403).send('You are not authorized to view all users'); return; - } } UserProfile.find( @@ -90,8 +83,8 @@ const userProfileController = function (UserProfile) { }; const getProjectMembers = async function (req, res) { - if (!(await hasPermission(req.body.requestor.role, "getProjectMembers"))) { - res.status(403).send("You are not authorized to view all users"); + if (!await hasPermission(req.body.requestor, 'getProjectMembers')) { + res.status(403).send('You are not authorized to view all users'); return; } UserProfile.find( 
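Review bot: `!userId === requestor.requestorId` on the changed line negates `userId` before the comparison, so the left operand is always `false`, the `&&` short-circuits, and the self-or-administrator check in ValidatePassword can never produce the 403; the identical expression is carried forward in the `@@ -649,7 +617,7` hunk of the same file. The intended check is `if (userId !== requestor.requestorId && !await hasPermission(req.body.requestor, 'updatePassword')) {`, with the operand types confirmed, since a string id compared against an ObjectId with `!==` would always differ and deny every self-update. The line also mixes `requestor.requestorId` with `req.body.requestor`; presumably `requestor` is destructured from `req.body` above the hunk, so one spelling should be used. ValidatePassword starts and ends outside the hunk.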
@@ -112,16 +105,13 @@ const userProfileController = function (UserProfile) { }; const postUserProfile = async function (req, res) { - if (!(await hasPermission(req.body.requestor.role, "postUserProfile"))) { - res.status(403).send("You are not authorized to create new users"); + if (!await hasPermission(req.body.requestor, 'postUserProfile')) { + res.status(403).send('You are not authorized to create new users'); return; } - if ( - req.body.role === "Owner" && - !(await hasPermission(req.body.requestor.role, "addDeleteEditOwners")) - ) { - res.status(403).send("You are not authorized to create new owners"); + if (req.body.role === 'Owner' && !await hasPermission(req.body.requestor, 'addDeleteEditOwners')) { + res.status(403).send('You are not authorized to create new owners'); return; } @@ -238,12 +228,10 @@ const userProfileController = function (UserProfile) { const putUserProfile = async function (req, res) { const userid = req.params.userId; const isRequestorAuthorized = !!( - canRequestorUpdateUser(req.body.requestor.requestorId, userid) && - ((await hasPermission(req.body.requestor.role, "putUserProfile")) || - req.body.requestor.requestorId === userid || - req.body.requestor.permissions?.frontPermissions.includes( - "putUserProfilePermissions" - )) + canRequestorUpdateUser(req.body.requestor.requestorId, userid) && ( + await hasPermission(req.body.requestor, 'putUserProfile') + || req.body.requestor.requestorId === userid + ) ); const canEditTeamCode = req.body.requestor.role === "Owner" || @@ -254,11 +242,8 @@ const userProfileController = function (UserProfile) { return; } - if ( - req.body.role === "Owner" && - !(await hasPermission(req.body.requestor.role, "addDeleteEditOwners")) - ) { - res.status(403).send("You are not authorized to update this user"); + if (req.body.role === 'Owner' && !await hasPermission(req.body.requestor, 'addDeleteEditOwners')) { + res.status(403).send('You are not authorized to update this user'); return; } 
@@ -327,15 +312,7 @@ const userProfileController = function (UserProfile) { userIdx = allUserData.findIndex((users) => users._id === userid); userData = allUserData[userIdx]; } - if ( - (await hasPermission( - req.body.requestor.role, - "putUserProfileImportantInfo" - )) || - req.body.requestor.permissions?.frontPermissions.includes( - "putUserProfilePermissions" - ) - ) { + if (await hasPermission(req.body.requestor, 'putUserProfileImportantInfo')) { record.role = req.body.role; record.isRehireable = req.body.isRehireable; record.isActive = req.body.isActive; @@ -401,16 +378,9 @@ const userProfileController = function (UserProfile) { record.createdDate; } - record.bioPosted = req.body.bioPosted || "default"; - if ( - (await hasPermission( - req.body.requestor.role, - "putUserProfilePermissions" - )) || - req.body.requestor.permissions?.frontPermissions.includes( - "putUserProfilePermissions" - ) - ) { + record.bioPosted = req.body.bioPosted || 'default'; + + if (await hasPermission(req.body.requestor, 'putUserProfilePermissions')) { record.permissions = req.body.permissions; } @@ -430,9 +400,7 @@ const userProfileController = function (UserProfile) { userData.createdDate = record.createdDate.toISOString(); } } - if ( - await hasPermission(req.body.requestor.role, "infringementAuthorizer") - ) { + if (await hasPermission(req.body.requestor, 'infringementAuthorizer')) { record.infringements = req.body.infringements; } 
@@ -462,12 +430,12 @@ const userProfileController = function (UserProfile) { const deleteUserProfile = async function (req, res) { const { option, userId } = req.body; - if (!await hasPermission(req.body.requestor.role, 'deleteUserProfile')) { + if (!await hasPermission(req.body.requestor, 'deleteUserProfile')) { res.status(403).send('You are not authorized to delete users'); return; } - if (req.body.role === 'Owner' && !await hasPermission(req.body.requestor.role, 'addDeleteEditOwners')) { + if (req.body.role === 'Owner' && !await hasPermission(req.body.requestor, 'addDeleteEditOwners')) { res.status(403).send('You are not authorized to delete this user'); return; } @@ -649,7 +617,7 @@ const userProfileController = function (UserProfile) { }); } // Verify request is authorized by self or adminsitrator - if (!userId === requestor.requestorId && !await hasPermission(requestor.role, 'updatePassword')) { + if (!userId === requestor.requestorId && !await hasPermission(req.body.requestor, 'updatePassword')) { return res.status(403).send({ error: "You are unauthorized to update this user's password", }); @@ -710,11 +678,10 @@ const userProfileController = function (UserProfile) { } const userid = mongoose.Types.ObjectId(req.params.userId); - const { role } = req.body.requestor; let validroles = ['Volunteer', 'Manager', 'Administrator', 'Core Team', 'Owner', 'Mentor']; - if (await hasPermission(role, 'getReporteesLimitRoles')) { + if (await hasPermission(req.body.requestor, 'getReporteesLimitRoles')) { validroles = ['Volunteer', 'Manager']; } @@ -785,7 +752,7 @@ const userProfileController = function (UserProfile) { }); return; } - if (!await hasPermission(req.body.requestor.role, 'changeUserStatus')) { + if (!await hasPermission(req.body.requestor, 'changeUserStatus')) { res.status(403).send('You are not authorized to change user status'); return; } diff --git a/src/controllers/wbsController.js b/src/controllers/wbsController.js index 815fc59d0..fa7f4427f 100644 
--- a/src/controllers/wbsController.js +++ b/src/controllers/wbsController.js @@ -1,4 +1,4 @@ -const { hasPermission, hasIndividualPermission } = require('../utilities/permissions'); +const { hasPermission } = require('../utilities/permissions'); const wbsController = function (WBS) { const getAllWBS = function (req, res) { @@ -11,9 +11,7 @@ const wbsController = function (WBS) { }; const postWBS = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'postWbs') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagementTab')) { + if (!await hasPermission(req.body.requestor, 'postWbs')) { res.status(403).send({ error: 'You are not authorized to create new projects.' }); return; } @@ -36,8 +34,7 @@ const wbsController = function (WBS) { }; const deleteWBS = async function (req, res) { - if (!await hasPermission(req.body.requestor.role, 'deleteWbs') - && !await hasIndividualPermission(req.body.requestor.requestorId, 'seeProjectManagement')) { + if (!await hasPermission(req.body.requestor, 'deleteWbs')) { res.status(403).send({ error: 'You are not authorized to delete projects.' }); return; } diff --git a/src/utilities/permissions.js b/src/utilities/permissions.js index e00d864f2..7b5d4a245 100644 --- a/src/utilities/permissions.js +++ b/src/utilities/permissions.js 
@@ -1,15 +1,18 @@ const Role = require('../models/role'); -const UserProfile = require('../models/userProfile'); +const UserProfile = require('../models/userProfile'); -const hasPermission = async (role, action) => Role.findOne({ roleName: role }) - .exec() - .then(({ permissions }) => permissions.includes(action)); + +const hasRolePermission = async (role, action) => Role.findOne({ roleName: role }) + .exec() + .then(({ permissions }) => permissions.includes(action)); const hasIndividualPermission = async (userId, action) => UserProfile.findById(userId) .select('permissions') .exec() .then(({ permissions }) => permissions.frontPermissions.includes(action)); +const hasPermission = async (requestor, action) => await hasRolePermission(requestor.role, action) || hasIndividualPermission(requestor.requestorId, action); + const canRequestorUpdateUser = (requestorId, userId) => { const allowedIds = ['63feae337186de1898fa8f51', // dev jae@onecommunityglobal.org '5baac381e16814009017678c', // dev one.community@me.com @@ -29,4 +32,4 @@ const canRequestorUpdateUser = (requestorId, userId) => { return !(protectedIds.includes(userId) && !allowedIds.includes(requestorId)); }; -module.exports = { hasPermission, hasIndividualPermission, canRequestorUpdateUser }; +module.exports = { hasPermission, canRequestorUpdateUser };
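Review bot: The `.then(({ permissions }) => ...)` destructuring in both `hasRolePermission` and `hasIndividualPermission` throws a TypeError when `Role.findOne` or `UserProfile.findById` resolves to null, and the new `hasPermission` now reaches the second lookup on every failed role check, so an unknown role name or a `requestorId` matching no profile turns a 403 into a rejected promise that the callers never handle (none of the controller hunks wrap the `await` in try/catch). Have both helpers resolve to `false` instead, `.then((doc) => doc?.permissions?.includes(action) ?? false)` and `.then((doc) => doc?.permissions?.frontPermissions?.includes(action) ?? false)`, and guard the argument itself in `hasPermission` with `if (!requestor) return false;`. Separately, routing every action through the individual `frontPermissions` fallback means a per-user grant now authorizes owner management (`addDeleteEditOwners`), role create/update/delete and `putUserProfilePermissions`, which previously required the role grant; that widening is presumably intended but undocumented, so a JSDoc on `hasPermission` should state that either the role's permission list or the user's own `frontPermissions` suffices for any action. Whether `req.body.requestor` is populated by auth middleware rather than taken from the client body cannot be seen here; the fallback is only as trustworthy as the `requestorId` it is handed.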