Merge branch 'develop' of https://github.com/topcoder-platform/challenge-api into develop

Author: rootelement

config/default.js

@@ -47,6 +47,8 @@ module.exports = {
   FILE_UPLOAD_SIZE_LIMIT: process.env.FILE_UPLOAD_SIZE_LIMIT
     ? Number(process.env.FILE_UPLOAD_SIZE_LIMIT) : 50 * 1024 * 1024, // 50M
   RESOURCES_API_URL: process.env.RESOURCES_API_URL || 'http://localhost:4000/v5/resources',
+  // TODO: change this to localhost
+  RESOURCE_ROLES_API_URL: process.env.RESOURCE_ROLES_API_URL || 'http://api.topcoder-dev.com/v5/resource-roles',
   GROUPS_API_URL: process.env.GROUPS_API_URL || 'http://localhost:4000/v5/groups',
   PROJECTS_API_URL: process.env.PROJECTS_API_URL || 'http://localhost:4000/v5/projects',
   TERMS_API_URL: process.env.TERMS_API_URL || 'http://localhost:4000/v5/terms',

src/common/helper.js

@@ -392,11 +392,46 @@ async function getM2MToken () {
  */
 async function getChallengeResources (challengeId) {
   const token = await getM2MToken()
-  const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}`
-  const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+  const perPage = 100
+  let page = 1
+  let result = []
+  while (true) {
+    const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}&perPage=${perPage}&page=${page}`
+    const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (!res.data || res.data.length === 0) {
+      break
+    }
+    result = result.concat(res.data)
+    page += 1
+    if (res.headers['x-total-pages'] && page > Number(res.headers['x-total-pages'])) {
+      break
+    }
+  }
+  return result
+}
+
+/**
+ * Get resource roles
+ * @returns {Promise<Array>} the challenge resources
+ */
+async function getResourceRoles () {
+  const token = await getM2MToken()
+  const res = await axios.get(config.RESOURCE_ROLES_API_URL, { headers: { Authorization: `Bearer ${token}` } })
   return res.data || []
 }
 
+/**
+ * Check if a user has full access on a challenge
+ * @param {String} challengeId the challenge UUID
+ * @param {String} userId the user ID
+ */
+async function userHasFullAccess (challengeId, userId) {
+  const resourceRoles = await getResourceRoles()
+  const rolesWithFullAccess = _.map(_.filter(resourceRoles, r => r.fullAccess), 'id')
+  const challengeResources = await getChallengeResources(challengeId)
+  return _.filter(challengeResources, r => _.toString(r.memberId) === _.toString(userId) && _.includes(rolesWithFullAccess, r.roleId)).length > 0
+}
+
 /**
  * Get all user groups
  * @param {String} userId the user id
@@ -647,8 +682,17 @@ async function validateESRefreshMethod (method) {
 async function getProjectDefaultTerms (projectId) {
   const token = await getM2MToken()
   const projectUrl = `${config.PROJECTS_API_URL}/${projectId}`
-  const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
-  return res.data.terms || []
+  try {
+    const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
+    return res.data.terms || []
+  } catch (err) {
+    if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
+      throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)
+    } else {
+      // re-throw other error
+      throw err
+    }
+  }
 }
 
 /**
@@ -660,8 +704,17 @@ async function getProjectDefaultTerms (projectId) {
 async function getProjectBillingAccount (projectId) {
   const token = await getM2MToken()
   const projectUrl = `${config.V3_PROJECTS_API_URL}/${projectId}`
-  const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
-  return _.get(res, 'data.result.content.billingAccountIds[0]', null)
+  try {
+    const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
+    return _.get(res, 'data.result.content.billingAccountIds[0]', null)
+  } catch (err) {
+    if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
+      throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)
+    } else {
+      // re-throw other error
+      throw err
+    }
+  }
 }
 
 /**
@@ -723,5 +776,7 @@ module.exports = {
   getProjectBillingAccount,
   expandWithSubGroups,
   getCompleteUserGroupTreeIds,
-  expandWithParentGroups
+  expandWithParentGroups,
+  getResourceRoles,
+  userHasFullAccess
 }

src/services/ChallengeService.js

@@ -109,6 +109,15 @@ async function searchChallenges (currentUser, criteria) {
   const page = criteria.page || 1
   const perPage = criteria.perPage || 20
   const boolQuery = []
+  const matchPhraseKeys = [
+    'id',
+    'timelineTemplateId',
+    'projectId',
+    'legacyId',
+    'status',
+    'createdBy',
+    'updatedBy'
+  ]
 
   const includedTrackIds = _.isArray(criteria.trackIds) ? criteria.trackIds : []
 
@@ -151,18 +160,24 @@ async function searchChallenges (currentUser, criteria) {
     includedTrackIds.push(criteria.trackId)
   }
 
-  _.forIn(_.omit(criteria, ['types', 'tracks', 'typeIds', 'trackIds', 'type', 'name', 'trackId', 'typeId', 'description', 'page', 'perPage', 'tag',
-    'group', 'groups', 'memberId', 'ids', 'createdDateStart', 'createdDateEnd', 'updatedDateStart', 'updatedDateEnd', 'startDateStart', 'startDateEnd', 'endDateStart', 'endDateEnd',
-    'tags', 'registrationStartDateStart', 'registrationStartDateEnd', 'currentPhaseName', 'submissionStartDateStart', 'submissionStartDateEnd',
-    'registrationEndDateStart', 'registrationEndDateEnd', 'submissionEndDateStart', 'submissionEndDateEnd', 'includeAllEvents', 'events',
-    'forumId', 'track', 'reviewType', 'confidentialityType', 'directProjectId', 'sortBy', 'sortOrder', 'isLightweight', 'isTask', 'taskIsAssigned', 'taskMemberId']), (value, key) => {
+  _.forIn(_.pick(criteria, matchPhraseKeys), (value, key) => {
     if (!_.isUndefined(value)) {
       const filter = { match_phrase: {} }
       filter.match_phrase[key] = value
       boolQuery.push(filter)
     }
   })
 
+  _.forEach(_.keys(criteria), (key) => {
+    if (_.toString(key).indexOf('meta.') > -1) {
+      // Parse and use metadata key
+      if (!_.isUndefined(criteria[key])) {
+        const metaKey = key.split('meta.')[1]
+        boolQuery.push({ match_phrase: { [`metadata.${metaKey}`]: criteria[key] } })
+      }
+    }
+  })
+
   if (includedTypeIds.length > 0) {
     boolQuery.push({
       bool: {
@@ -594,7 +609,7 @@ searchChallenges.schema = {
     taskMemberId: Joi.string(),
     events: Joi.array().items(Joi.number()),
     includeAllEvents: Joi.boolean().default(true)
-  })
+  }).unknown(true)
 }
 
 /**
@@ -743,6 +758,8 @@ async function createChallenge (currentUser, challenge, userToken) {
     }
     if (_.isUndefined(_.get(challenge, 'task.memberId'))) {
       _.set(challenge, 'task.memberId', null)
+    } else {
+      throw new errors.BadRequestError(`Cannot assign a member before the challenge gets created.`)
     }
   }
   if (challenge.phases && challenge.phases.length > 0) {
@@ -1164,8 +1181,9 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
     newAttachments = await helper.getByIds('Attachment', data.attachmentIds || [])
   }
 
-  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase()) {
-    throw new errors.ForbiddenError(`Only M2M, admin or challenge's copilot can perform modification.`)
+  const userHasFullAccess = await helper.userHasFullAccess(challengeId, currentUser.userId)
+  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase() && !userHasFullAccess) {
+    throw new errors.ForbiddenError(`Only M2M, admin, challenge's copilot or users with full access can perform modification.`)
   }
 
   // Validate the challenge terms
@@ -1424,6 +1442,18 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
     data.winners = null
   }
 
+  const { track, type } = await validateChallengeData(_.pick(challenge, ['trackId', 'typeId']))
+
+  if (_.get(type, 'isTask')) {
+    if (!_.isEmpty(_.get(data, 'task.memberId'))) {
+      const challengeResources = await helper.getChallengeResources(challengeId)
+      const registrants = _.filter(challengeResources, r => r.roleId === config.SUBMITTER_ROLE_ID)
+      if (!_.find(registrants, r => _.toString(r.memberId) === _.toString(_.get(data, 'task.memberId')))) {
+        throw new errors.BadRequestError(`Member ${_.get(data, 'task.memberId')} is not a submitter resource of challenge ${challengeId}`)
+      }
+    }
+  }
+
   logger.debug(`Challenge.update id: ${challengeId} Details:  ${JSON.stringify(updateDetails)}`)
   await models.Challenge.update({ id: challengeId }, updateDetails)
 
@@ -1464,7 +1494,6 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
   }
 
   // Populate challenge.track and challenge.type based on the track/type IDs
-  const { track, type } = await validateChallengeData(_.pick(challenge, ['trackId', 'typeId']))
 
   if (track) {
     challenge.track = track.name