[$150] Fix copilotAndAbove permission to check that users is a member of the project

[maxceem]

From @vikasrohit

API for adding phases to a project endpoint does not validate if the caller is a member of the project or not. So, a copilot of one project can add phases to any other project in Connect. I am not sure if this is the case with other phase or other entities options as well.

I see that permission copilotAndAbove doesn't check if the user is a member of a project or no, only user role of Topcoder, see https://github.com/topcoder-platform/tc-project-service/blob/challenge%2F30095006/src/permissions/copilotAndAbove.js#L11

This rule is used for all the CRUD endpoints for phases and products, see https://github.com/topcoder-platform/tc-project-service/blob/challenge%2F30095006/src/permissions/index.js#L43-L48

@vikasrohit

1. Should managers only be able to update projects which are they member of or no?

[vikasrohit]

Connect Manager s should also be restricted to add phases to the projects they are part of. They can always join the project at their will, but this restriction would prevent any accidental modification of the plan.

[maxceem]

@vikasrohit last question, what about admins? Should they also be members of the project to add phases?

[vikasrohit]

No, Connect Admin and administrators can do any change to any project.

[maxceem]

To sum up:

1. We should fix the permission checking method copilotAndAbove so:
   1. User with Topcoder admins roles should be able to perform operations. See example of checking Topcoder roles.
   2. Project members with copilot and manager Project roles should be also able to perform the operations. See example of checking Project roles.
2. We should add unit tests for each endpoint which is used by copilotAndAbove permission method and test the next cases:
   1. Users with admin Topcoder roles can do actions even they are not project members
   2. Users with Project copilot roles can do actions
   3. Users with Topcoder Connect Copilot roles cannot do actions when they are NOT members
   4. Users with Project manager roles can do actions
   5. Users with Topcoder Connect Manager roles cannot do actions when they are NOT members
   6. Users with Project account_manager cannot do actions

[PrakashDurlabhji]

@maxceem will it be open soon?

[maxceem]

@vikasrohit to confirm, should account mangers be able to add phases and so on when they are members of the project?

[maxceem]

@PrakashDurlabhji yes, it will be opened as soon as all the details are clarified. Note, as per this Bug Bash rules we do not allow to reserve issues. As soon as this issue is open for pick up, the first who comments will take it.

[PrakashDurlabhji]

@maxceem sure i understand, whoever comments first when it is opened, issue goes to them

[vikasrohit]

should account mangers be able to add phases and so on when they are members of the project?

No, they are restricted to manage the projecgt plan.

[maxceem]

This issue is now open for pick up.

Issue summary is provided at the comment #332 (comment).

[romitgit]

Please assign to me

[PrakashDurlabhji]

give to me thanks

[maxceem]

Assigned to @romitgit as he was the first one to comment on this.

[romitgit]

@maxceem please unassign as I'm not able to finish this.

[maxceem]

Thanks for update @romitgit. This issue is now open for pick up.

[mfikria]

@maxceem is this issue open for public? If yes I want to work on this

[maxceem]

Yes, @mfikria, it's a part of Bug Bash https://www.topcoder.com/challenges/30095031. Assigned you.

[mfikria]

@maxceem I've made a PR in #336
Note that since the provided token for test in https://github.com/topcoder-platform/tc-project-service/blob/dev/src/tests/util.js limited. I simplify the test case for each endpoints into 3 cases:

• Users with admin roles can do actions even they are not project members
• Users with copilot roles cannot do actions when they are NOT members
• Users with Project manager roles can do actions if they are members

[maxceem]

Thanks, @mfikria.

I simplify the test case for each endpoints into 3 cases:

Can we also test 2 cases that a user with Connect Manager or Connect Copilot Topcoder roles cannot do actions to projects they are not members of?

I'm not sure what is the limitations in https://github.com/topcoder-platform/tc-project-service/blob/dev/src/tests/util.js to add such tests.

[mfikria]

@maxceem do we need a jwt token with "no expiration" for test?

[maxceem]

@maxceem do we need a jwt token with "no expiration" for test?

yes, we have them in the https://github.com/topcoder-platform/tc-project-service/blob/dev/src/tests/util.js:

• Connect Copilot https://github.com/topcoder-platform/tc-project-service/blob/dev/src/tests/util.js#L20
• Connect Manager https://github.com/topcoder-platform/tc-project-service/blob/dev/src/tests/util.js#L24

[mfikria]

@maxceem actually i used those tokens in the unit tests

[maxceem]

Yep so now we have cases:

• Users with copilot roles cannot do actions when they are NOT members
• Users with Project manager roles can do actions if they are members

And would like to also have opposite cases:

• Users with copilot roles CAN do actions when they are members
• Users with Project manager roles CANNOT do actions if they are NOT members

[mfikria]

@maxceem the case "Users with copilot roles CAN do actions when they are members" is not needed since the existing successful unit test using copilot token

[maxceem]

@maxceem the case "Users with copilot roles CAN do actions when they are members" is not needed since the existing successful unit test using copilot token

Ok, then only Users with Project manager roles CANNOT do actions if they are NOT members if we don't have such test yet.

[mfikria]

@maxceem the PR has been updated.

[maxceem]

@vikasrohit this issue has been fixed and deployed with the release 2.4.13.