topcoder-platform · vikasrohit · Jul 16, 2019 · Jul 4, 2019 · Jul 6, 2019 · Jul 6, 2019
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v6.9.4
+v8.2.1
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ Microservice to manage CRUD operations for all things Projects.
 ### Requirements
 
 * [docker-compose](https://docs.docker.com/compose/install/) - We use docker-compose for running dependencies locally.
-* Nodejs 8.9.4 - consider using [nvm](https://github.com/creationix/nvm) or equivalent to manage your node version
+* Nodejs 8.2.1 - consider using [nvm](https://github.com/creationix/nvm) or equivalent to manage your node version
 * Install [libpg](https://www.npmjs.com/package/pg-native)
 
 ### Steps to run locally

diff --git a/src/permissions/copilotAndAbove.js b/src/permissions/copilotAndAbove.js
@@ -1,18 +1,45 @@
+import _ from 'lodash';
 import util from '../util';
-import { MANAGER_ROLES, USER_ROLE } from '../constants';
+import {
+  PROJECT_MEMBER_ROLE,
+  ADMIN_ROLES,
+} from '../constants';
+import models from '../models';
 
 
 /**
- * Permission to alloow copilot and above roles to perform certain operations
+ * Permission to allow copilot and above roles to perform certain operations
+ * - User with Topcoder admins roles should be able to perform the operations.
+ * - Project members with copilot and manager Project roles should be also able to perform the operations.
  * @param {Object}    req         the express request instance
  * @return {Promise}              returns a promise
  */
 module.exports = req => new Promise((resolve, reject) => {
-  const hasAccess = util.hasRoles(req, [...MANAGER_ROLES, USER_ROLE.COPILOT]);
+  const projectId = _.parseInt(req.params.projectId);
+  const isAdmin = util.hasRoles(req, ADMIN_ROLES);
 
-  if (!hasAccess) {
-    return reject(new Error('You do not have permissions to perform this action'));
+  if (isAdmin) {
+    return resolve(true);
   }
 
-  return resolve(true);
+  return models.ProjectMember.getActiveProjectMembers(projectId)
+    .then((members) => {
+      req.context = req.context || {};
+      req.context.currentProjectMembers = members;
+      const validMemberProjectRoles = [
+        PROJECT_MEMBER_ROLE.MANAGER,
+        PROJECT_MEMBER_ROLE.COPILOT,
+      ];
+      // check if the copilot or manager has access to this project
+      const isMember = _.some(
+        members,
+m => m.userId === req.authUser.userId && validMemberProjectRoles.includes(m.role),
+      );
+
+      if (!isMember) {
+        // the copilot or manager is not a registered project member
+        return reject(new Error('You do not have permissions to perform this action'));
+      }
+      return resolve(true);
+    });
 });
diff --git a/src/routes/milestoneTemplates/clone.js b/src/routes/milestoneTemplates/clone.js
@@ -30,7 +30,7 @@ module.exports = [
   (req, res, next) => {
     let result;
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Find the product template
       models.MilestoneTemplate.findAll({
         where: {
@@ -48,7 +48,7 @@ module.exports = [
             milestone.createdBy = req.authUser.userId; // eslint-disable-line no-param-reassign
             milestone.updatedBy = req.authUser.userId; // eslint-disable-line no-param-reassign
           });
-          return models.MilestoneTemplate.bulkCreate(newMilestoneTemplates, { transaction: tx });
+          return models.MilestoneTemplate.bulkCreate(newMilestoneTemplates);
         })
         .then(() => { // eslint-disable-line arrow-body-style
           return models.MilestoneTemplate.findAll({

diff --git a/src/routes/milestoneTemplates/create.js b/src/routes/milestoneTemplates/create.js
@@ -51,9 +51,9 @@ module.exports = [
     });
     let result;
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Create the milestone template
-      models.MilestoneTemplate.create(entity, { transaction: tx })
+      models.MilestoneTemplate.create(entity)
         .then((createdEntity) => {
           // Omit deletedAt and deletedBy
           result = _.omit(createdEntity.toJSON(), 'deletedAt', 'deletedBy');
@@ -67,7 +67,6 @@ module.exports = [
               id: { $ne: result.id },
               order: { $gte: result.order },
             },
-            transaction: tx,
           });
         }),
     )

diff --git a/src/routes/milestones/create.js b/src/routes/milestones/create.js
@@ -73,9 +73,9 @@ module.exports = [
       return next(apiErr);
     }
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Save to DB
-      models.Milestone.create(entity, { transaction: tx })
+      models.Milestone.create(entity)
         .then((createdEntity) => {
           // Omit deletedAt, deletedBy
           result = _.omit(createdEntity.toJSON(), 'deletedAt', 'deletedBy');
@@ -88,7 +88,6 @@ module.exports = [
               id: { $ne: result.id },
               order: { $gte: result.order },
             },
-            transaction: tx,
           });
         }),
     )

diff --git a/src/routes/milestones/delete.js b/src/routes/milestones/delete.js
@@ -29,11 +29,10 @@ module.exports = [
       id: req.params.milestoneId,
     };
 
-    return models.sequelize.transaction(tx =>
+    return models.sequelize.transaction(() =>
       // Find the milestone
       models.Milestone.findOne({
         where,
-        transaction: tx,
       })
         .then((milestone) => {
           // Not found
@@ -44,8 +43,8 @@ module.exports = [
           }
 
           // Update the deletedBy, and soft delete
-          return milestone.update({ deletedBy: req.authUser.userId }, { transaction: tx })
-            .then(() => milestone.destroy({ transaction: tx }));
+          return milestone.update({ deletedBy: req.authUser.userId })
+            .then(() => milestone.destroy());
         }),
     )
     .then((deleted) => {

diff --git a/src/routes/phaseProducts/create.spec.js b/src/routes/phaseProducts/create.spec.js
@@ -177,7 +177,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/99999/phases/${phaseId}/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -188,7 +188,7 @@ describe('Phase Products', () => {
       request(server)
         .post(`/v4/projects/${projectId}/phases/99999/products`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .send({ param: body })
         .expect('Content-Type', /json/)
@@ -220,6 +220,68 @@ describe('Phase Products', () => {
         });
     });
 
+    it('should return 201 if requested by admin', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(201)
+        .end(done);
+    });
+
+    it('should return 201 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(201)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+          .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.copilot}`,
+          })
+          .send({ param: body })
+          .expect('Content-Type', /json/)
+          .expect(403)
+          .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();

diff --git a/src/routes/phaseProducts/delete.spec.js b/src/routes/phaseProducts/delete.spec.js
@@ -156,7 +156,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/999/phases/${phaseId}/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -166,7 +166,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/99999/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -176,7 +176,7 @@ describe('Phase Products', () => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/99999`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.manager}`,
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
         })
         .expect('Content-Type', /json/)
         .expect(404, done);
@@ -192,6 +192,60 @@ describe('Phase Products', () => {
         .end(err => expectAfterDelete(projectId, phaseId, productId, err, done));
     });
 
+    it('should return 204 if requested by admin', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.connectAdmin}`,
+        })
+        .expect(204)
+        .end(done);
+    });
+
+    it('should return 204 if requested by manager which is a member', (done) => {
+      models.ProjectMember.create({
+        id: 3,
+        userId: testUtil.userIds.manager,
+        projectId,
+        role: 'manager',
+        isPrimary: false,
+        createdBy: 1,
+        updatedBy: 1,
+      }).then(() => {
+        request(server)
+          .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.manager}`,
+          })
+          .expect(204)
+          .end(done);
+      });
+    });
+
+    it('should return 403 if requested by manager which is not a member', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.manager}`,
+        })
+        .expect(403)
+        .end(done);
+    });
+
+    it('should return 403 if requested by non-member copilot', (done) => {
+      models.ProjectMember.destroy({
+        where: { userId: testUtil.userIds.copilot, projectId },
+      }).then(() => {
+        request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.copilot}`,
+        })
+        .expect(403)
+        .end(done);
+      });
+    });
+
     describe('Bus api', () => {
       let createEventSpy;
       const sandbox = sinon.sandbox.create();