Merge branch 'develop'

Author: rootelement

app-constants.js

@@ -47,6 +47,10 @@ const EVENT_ORIGINATOR = 'topcoder-challenges-api'
 
 const EVENT_MIME_TYPE = 'application/json'
 
+const DiscussionTypes = {
+  Challenge: 'challenge'
+}
+
 // using a testing topc, should be changed to use real topics in comments when they are created
 const Topics = {
   ChallengeCreated: 'challenge.notification.create',
@@ -85,5 +89,6 @@ module.exports = {
   EVENT_MIME_TYPE,
   Topics,
   challengeTracks,
-  challengeTextSortField
+  challengeTextSortField,
+  DiscussionTypes
 }

config/default.js

@@ -47,6 +47,8 @@ module.exports = {
   FILE_UPLOAD_SIZE_LIMIT: process.env.FILE_UPLOAD_SIZE_LIMIT
     ? Number(process.env.FILE_UPLOAD_SIZE_LIMIT) : 50 * 1024 * 1024, // 50M
   RESOURCES_API_URL: process.env.RESOURCES_API_URL || 'http://localhost:4000/v5/resources',
+  // TODO: change this to localhost
+  RESOURCE_ROLES_API_URL: process.env.RESOURCE_ROLES_API_URL || 'http://api.topcoder-dev.com/v5/resource-roles',
   GROUPS_API_URL: process.env.GROUPS_API_URL || 'http://localhost:4000/v5/groups',
   PROJECTS_API_URL: process.env.PROJECTS_API_URL || 'http://localhost:4000/v5/projects',
   TERMS_API_URL: process.env.TERMS_API_URL || 'http://localhost:4000/v5/terms',

docs/swagger.yaml

@@ -2219,6 +2219,28 @@ definitions:
       - $ref: '#/definitions/EventData'
     required:
       - id
+  Discussion:
+    type: object
+    properties:
+      id:
+        type: string
+        format: UUID
+      name:
+        type: string
+      type:
+        type: string
+        enum:
+          - challenge
+      provider:
+        type: string
+      url:
+        type: string
+        description: Only M2M tokens can modify this
+      options:
+        type: array
+        description: Only M2M tokens can modify this
+        items:
+          type: object
   TimelineTemplate:
     type: object
     allOf:
@@ -2342,6 +2364,10 @@ definitions:
                     type: string
                   value:
                     type: number
+      discussions:
+        type: array
+        items:
+          $ref: '#/definitions/Discussion'
       tags:
         type: array
         items:
@@ -2655,6 +2681,10 @@ definitions:
               format: UUID
             duration:
               type: number
+      discussions:
+        type: array
+        items:
+          $ref: '#/definitions/Discussion'
       prizeSets:
         type: array
         items:

docs/topcoder-challenge-api.postman_collection.json

@@ -55,7 +55,7 @@
     "topcoder-bus-api-wrapper": "topcoder-platform/tc-bus-api-wrapper.git",
     "uuid": "^3.3.2",
     "winston": "^3.1.0",
-    "xss": "^1.0.6",
+    "xss": "^1.0.8",
     "yamljs": "^0.3.0"
   },
   "standard": {

package-lock.json

@@ -392,11 +392,46 @@ async function getM2MToken () {
  */
 async function getChallengeResources (challengeId) {
   const token = await getM2MToken()
-  const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}`
-  const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+  const perPage = 100
+  let page = 1
+  let result = []
+  while (true) {
+    const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}&perPage=${perPage}&page=${page}`
+    const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (!res.data || res.data.length === 0) {
+      break
+    }
+    result = result.concat(res.data)
+    page += 1
+    if (res.headers['x-total-pages'] && page > Number(res.headers['x-total-pages'])) {
+      break
+    }
+  }
+  return result
+}
+
+/**
+ * Get resource roles
+ * @returns {Promise<Array>} the challenge resources
+ */
+async function getResourceRoles () {
+  const token = await getM2MToken()
+  const res = await axios.get(config.RESOURCE_ROLES_API_URL, { headers: { Authorization: `Bearer ${token}` } })
   return res.data || []
 }
 
+/**
+ * Check if a user has full access on a challenge
+ * @param {String} challengeId the challenge UUID
+ * @param {String} userId the user ID
+ */
+async function userHasFullAccess (challengeId, userId) {
+  const resourceRoles = await getResourceRoles()
+  const rolesWithFullAccess = _.map(_.filter(resourceRoles, r => r.fullAccess), 'id')
+  const challengeResources = await getChallengeResources(challengeId)
+  return _.filter(challengeResources, r => _.toString(r.memberId) === _.toString(userId) && _.includes(rolesWithFullAccess, r.roleId)).length > 0
+}
+
 /**
  * Get all user groups
  * @param {String} userId the user id
@@ -647,8 +682,17 @@ async function validateESRefreshMethod (method) {
 async function getProjectDefaultTerms (projectId) {
   const token = await getM2MToken()
   const projectUrl = `${config.PROJECTS_API_URL}/${projectId}`
-  const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
-  return res.data.terms || []
+  try {
+    const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
+    return res.data.terms || []
+  } catch (err) {
+    if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
+      throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)
+    } else {
+      // re-throw other error
+      throw err
+    }
+  }
 }
 
 /**
@@ -660,8 +704,17 @@ async function getProjectDefaultTerms (projectId) {
 async function getProjectBillingAccount (projectId) {
   const token = await getM2MToken()
   const projectUrl = `${config.V3_PROJECTS_API_URL}/${projectId}`
-  const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
-  return _.get(res, 'data.result.content.billingAccountIds[0]', null)
+  try {
+    const res = await axios.get(projectUrl, { headers: { Authorization: `Bearer ${token}` } })
+    return _.get(res, 'data.result.content.billingAccountIds[0]', null)
+  } catch (err) {
+    if (_.get(err, 'response.status') === HttpStatus.NOT_FOUND) {
+      throw new errors.BadRequestError(`Project with id: ${projectId} doesn't exist`)
+    } else {
+      // re-throw other error
+      throw err
+    }
+  }
 }
 
 /**
@@ -723,5 +776,7 @@ module.exports = {
   getProjectBillingAccount,
   expandWithSubGroups,
   getCompleteUserGroupTreeIds,
-  expandWithParentGroups
+  expandWithParentGroups,
+  getResourceRoles,
+  userHasFullAccess
 }

package.json

@@ -108,6 +108,10 @@ const schema = new Schema({
     type: Array,
     required: false
   },
+  discussions: {
+    type: [Object],
+    required: false
+  },
   created: {
     type: Date,
     required: true

src/common/helper.js

@@ -6,6 +6,7 @@ const _ = require('lodash')
 const Joi = require('joi')
 const uuid = require('uuid/v4')
 const config = require('config')
+const xss = require('xss')
 const helper = require('../common/helper')
 const logger = require('../common/logger')
 const errors = require('../common/errors')
@@ -109,6 +110,15 @@ async function searchChallenges (currentUser, criteria) {
   const page = criteria.page || 1
   const perPage = criteria.perPage || 20
   const boolQuery = []
+  const matchPhraseKeys = [
+    'id',
+    'timelineTemplateId',
+    'projectId',
+    'legacyId',
+    'status',
+    'createdBy',
+    'updatedBy'
+  ]
 
   const includedTrackIds = _.isArray(criteria.trackIds) ? criteria.trackIds : []
 
@@ -151,18 +161,24 @@ async function searchChallenges (currentUser, criteria) {
     includedTrackIds.push(criteria.trackId)
   }
 
-  _.forIn(_.omit(criteria, ['types', 'tracks', 'typeIds', 'trackIds', 'type', 'name', 'trackId', 'typeId', 'description', 'page', 'perPage', 'tag',
-    'group', 'groups', 'memberId', 'ids', 'createdDateStart', 'createdDateEnd', 'updatedDateStart', 'updatedDateEnd', 'startDateStart', 'startDateEnd', 'endDateStart', 'endDateEnd',
-    'tags', 'registrationStartDateStart', 'registrationStartDateEnd', 'currentPhaseName', 'submissionStartDateStart', 'submissionStartDateEnd',
-    'registrationEndDateStart', 'registrationEndDateEnd', 'submissionEndDateStart', 'submissionEndDateEnd', 'includeAllEvents', 'events',
-    'forumId', 'track', 'reviewType', 'confidentialityType', 'directProjectId', 'sortBy', 'sortOrder', 'isLightweight', 'isTask', 'taskIsAssigned', 'taskMemberId']), (value, key) => {
+  _.forIn(_.pick(criteria, matchPhraseKeys), (value, key) => {
     if (!_.isUndefined(value)) {
       const filter = { match_phrase: {} }
       filter.match_phrase[key] = value
       boolQuery.push(filter)
     }
   })
 
+  _.forEach(_.keys(criteria), (key) => {
+    if (_.toString(key).indexOf('meta.') > -1) {
+      // Parse and use metadata key
+      if (!_.isUndefined(criteria[key])) {
+        const metaKey = key.split('meta.')[1]
+        boolQuery.push({ match_phrase: { [`metadata.${metaKey}`]: criteria[key] } })
+      }
+    }
+  })
+
   if (includedTypeIds.length > 0) {
     boolQuery.push({
       bool: {
@@ -180,10 +196,10 @@ async function searchChallenges (currentUser, criteria) {
   }
 
   if (criteria.name) {
-    boolQuery.push({ match: { name: `.*${criteria.name}.*` } })
+    boolQuery.push({ wildcard: { name: `*${_.toLower(criteria.name)}*` } })
   }
   if (criteria.description) {
-    boolQuery.push({ match: { description: `.*${criteria.name}.*` } })
+    boolQuery.push({ wildcard: { description: `*${_.toLower(criteria.description)}*` } })
   }
   if (criteria.forumId) {
     boolQuery.push({ match_phrase: { 'legacy.forumId': criteria.forumId } })
@@ -259,31 +275,23 @@ async function searchChallenges (currentUser, criteria) {
 
   const mustQuery = []
 
-  const shouldQuery = []
+  const groupsQuery = []
 
   // logger.debug(`Tags: ${criteria.tags}`)
   if (criteria.tags) {
-    if (criteria.includeAllTags) {
-      for (const tag of criteria.tags) {
-        boolQuery.push({ match_phrase: { tags: tag } })
-      }
-    } else {
-      for (const tag of criteria.tags) {
-        shouldQuery.push({ match: { tags: tag } })
+    boolQuery.push({
+      bool: {
+        [criteria.includeAllTags ? 'must' : 'should']: _.map(criteria.tags, t => ({ match_phrase: { tags: t } }))
       }
-    }
+    })
   }
 
   if (criteria.events) {
-    if (criteria.includeAllEvents) {
-      for (const e of criteria.events) {
-        boolQuery.push({ match_phrase: { 'events.key': e } })
-      }
-    } else {
-      for (const e of criteria.events) {
-        shouldQuery.push({ match: { 'events.key': e } })
+    boolQuery.push({
+      bool: {
+        [criteria.includeAllEvents ? 'must' : 'should']: _.map(criteria.events, e => ({ match_phrase: { 'events.key': e } }))
       }
-    }
+    })
   }
 
   const mustNotQuery = []
@@ -337,21 +345,23 @@ async function searchChallenges (currentUser, criteria) {
     } else if (!currentUser.isMachine && !helper.hasAdminRole(currentUser)) {
       // If the user is not M2M and is not an admin, return public + challenges from groups the user can access
       _.each(accessibleGroups, (g) => {
-        shouldQuery.push({ match_phrase: { groups: g } })
+        groupsQuery.push({ match_phrase: { groups: g } })
       })
       // include public challenges
-      shouldQuery.push({ bool: { must_not: { exists: { field: 'groups' } } } })
+      groupsQuery.push({ bool: { must_not: { exists: { field: 'groups' } } } })
     }
   } else {
     _.each(groupsToFilter, (g) => {
-      shouldQuery.push({ match_phrase: { groups: g } })
+      groupsQuery.push({ match_phrase: { groups: g } })
     })
   }
 
   if (criteria.ids) {
-    for (const id of criteria.ids) {
-      shouldQuery.push({ match_phrase: { _id: id } })
-    }
+    boolQuery.push({
+      bool: {
+        should: _.map(criteria.ids, id => ({ match_phrase: { _id: id } }))
+      }
+    })
   }
 
   const accessQuery = []
@@ -367,6 +377,8 @@ async function searchChallenges (currentUser, criteria) {
     memberChallengeIds = await helper.listChallengesByMember(criteria.memberId)
     // logger.error(`response ${JSON.stringify(ids)}`)
     accessQuery.push({ terms: { _id: memberChallengeIds } })
+  } else if (currentUser && !helper.hasAdminRole(currentUser) && !_.get(currentUser, 'isMachine', false)) {
+    memberChallengeIds = await helper.listChallengesByMember(currentUser.userId)
   }
 
   if (accessQuery.length > 0) {
@@ -407,7 +419,7 @@ async function searchChallenges (currentUser, criteria) {
     mustQuery.push({
       bool: {
         should: [
-          ...(_.get(memberChallengeIds, 'length', 0) > 0 ? [{ terms: { _id: memberChallengeIds } }] : []),
+          ...(_.get(memberChallengeIds, 'length', 0) > 0 ? [{ bool: { should: [ { terms: { _id: memberChallengeIds } } ] } }] : []),
           { bool: { must_not: { exists: { field: 'task.isTask' } } } },
           { match_phrase: { 'task.isTask': false } },
           {
@@ -428,10 +440,10 @@ async function searchChallenges (currentUser, criteria) {
     })
   }
 
-  if (shouldQuery.length > 0) {
+  if (groupsQuery.length > 0) {
     mustQuery.push({
       bool: {
-        should: shouldQuery
+        should: groupsQuery
       }
     })
   }
@@ -594,7 +606,7 @@ searchChallenges.schema = {
     taskMemberId: Joi.string(),
     events: Joi.array().items(Joi.number()),
     includeAllEvents: Joi.boolean().default(true)
-  })
+  }).unknown(true)
 }
 
 /**
@@ -731,6 +743,8 @@ async function populatePhases (phases, startDate, timelineTemplateId) {
  * @returns {Object} the created challenge
  */
 async function createChallenge (currentUser, challenge, userToken) {
+  challenge.name = xss(challenge.name)
+  challenge.description = xss(challenge.description)
   if (challenge.status === constants.challengeStatuses.Active) {
     throw new errors.BadRequestError('You cannot create an Active challenge. Please create a Draft challenge and then change the status to Active.')
   }
@@ -743,6 +757,13 @@ async function createChallenge (currentUser, challenge, userToken) {
     }
     if (_.isUndefined(_.get(challenge, 'task.memberId'))) {
       _.set(challenge, 'task.memberId', null)
+    } else {
+      throw new errors.BadRequestError(`Cannot assign a member before the challenge gets created.`)
+    }
+  }
+  if (challenge.discussions && challenge.discussions.length > 0) {
+    for (let i = 0; i < challenge.discussions.length; i += 1) {
+      challenge.discussions[i].id = uuid()
     }
   }
   if (challenge.phases && challenge.phases.length > 0) {
@@ -782,6 +803,11 @@ async function createChallenge (currentUser, challenge, userToken) {
   // this will need to be updated to associate project terms with a roleId
   challenge.terms = await helper.validateChallengeTerms(challenge.terms || [])
 
+  // default the descriptionFormat
+  if (!challenge.descriptionFormat) {
+    challenge.descriptionFormat = 'markdown'
+  }
+
   if (challenge.phases && challenge.phases.length > 0) {
     challenge.endDate = helper.calculateChallengeEndDate(challenge)
   }
@@ -866,6 +892,13 @@ createChallenge.schema = {
       name: Joi.string(),
       key: Joi.string()
     })),
+    discussions: Joi.array().items(Joi.object().keys({
+      name: Joi.string().required(),
+      type: Joi.string().required().valid(_.values(constants.DiscussionTypes)),
+      provider: Joi.string().required(),
+      url: Joi.string(),
+      options: Joi.array().items(Joi.object())
+    })),
     prizeSets: Joi.array().items(Joi.object().keys({
       type: Joi.string().valid(_.values(constants.prizeSetTypes)).required(),
       description: Joi.string(),
@@ -1122,6 +1155,11 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
         throw new errors.BadRequestError('You cannot activate the challenge as it has not been created on legacy yet. Please try again later or contact support.')
       }
       billingAccountId = await helper.getProjectBillingAccount(_.get(challenge, 'legacy.directProjectId'))
+      // if activating a challenge, the challenge must have a billing account id
+      if ((!billingAccountId || billingAccountId === null) &&
+        challenge.status === constants.challengeStatuses.Draft) {
+        throw new errors.BadRequestError('Cannot Activate this project, it has no active billing accounts.')
+      }
     }
     if (data.status === constants.challengeStatuses.Completed) {
       if (challenge.status !== constants.challengeStatuses.Active) {
@@ -1159,8 +1197,30 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
     newAttachments = await helper.getByIds('Attachment', data.attachmentIds || [])
   }
 
-  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase()) {
-    throw new errors.ForbiddenError(`Only M2M, admin or challenge's copilot can perform modification.`)
+  const userHasFullAccess = await helper.userHasFullAccess(challengeId, currentUser.userId)
+  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase() && !userHasFullAccess) {
+    throw new errors.ForbiddenError(`Only M2M, admin, challenge's copilot or users with full access can perform modification.`)
+  }
+
+  // Only M2M can update url and options of discussions
+  if (data.discussions && data.discussions.length > 0) {
+    for (let i = 0; i < data.discussions.length; i += 1) {
+      if (_.isUndefined(data.discussions[i].id)) {
+        data.discussions[i].id = uuid()
+        if (!currentUser.isMachine) {
+          _.unset(data.discussions, 'url')
+          _.unset(data.discussions, 'options')
+        }
+      } else if (!currentUser.isMachine) {
+        const existingDiscussion = _.find(_.get(challenge, 'discussions', []), d => d.id === data.discussions[i].id)
+        if (existingDiscussion) {
+          _.assign(data.discussions[i], _.pick(existingDiscussion, ['url', 'options']))
+        } else {
+          _.unset(data.discussions, 'url')
+          _.unset(data.discussions, 'options')
+        }
+      }
+    }
   }
 
   // Validate the challenge terms
@@ -1211,7 +1271,15 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
   }
 
   if (data.phases || data.startDate) {
-    const newPhases = data.phases || challenge.phases
+    if (data.phases && data.phases.length > 0) {
+      for (let i = 0; i < challenge.phases.length; i += 1) {
+        const updatedPhaseInfo = _.find(data.phases, p => p.phaseId === challenge.phases[i].phaseId)
+        if (updatedPhaseInfo) {
+          _.extend(challenge.phases[i], updatedPhaseInfo)
+        }
+      }
+    }
+    const newPhases = challenge.phases
     const newStartDate = data.startDate || challenge.startDate
 
     await helper.validatePhases(newPhases)
@@ -1419,6 +1487,27 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
     data.winners = null
   }
 
+  const { track, type } = await validateChallengeData(_.pick(challenge, ['trackId', 'typeId']))
+
+  // Only m2m tokens are allowed to modify the `task.*` information on a challenge
+  if (!_.isUndefined(_.get(data, 'task')) && !currentUser.isMachine) {
+    if (!_.isUndefined(_.get(challenge, 'task'))) {
+      data.task = challenge.task
+    } else {
+      delete data.task
+    }
+  }
+
+  if (_.get(type, 'isTask')) {
+    if (!_.isEmpty(_.get(data, 'task.memberId'))) {
+      const challengeResources = await helper.getChallengeResources(challengeId)
+      const registrants = _.filter(challengeResources, r => r.roleId === config.SUBMITTER_ROLE_ID)
+      if (!_.find(registrants, r => _.toString(r.memberId) === _.toString(_.get(data, 'task.memberId')))) {
+        throw new errors.BadRequestError(`Member ${_.get(data, 'task.memberId')} is not a submitter resource of challenge ${challengeId}`)
+      }
+    }
+  }
+
   logger.debug(`Challenge.update id: ${challengeId} Details:  ${JSON.stringify(updateDetails)}`)
   await models.Challenge.update({ id: challengeId }, updateDetails)
 
@@ -1459,7 +1548,6 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
   }
 
   // Populate challenge.track and challenge.type based on the track/type IDs
-  const { track, type } = await validateChallengeData(_.pick(challenge, ['trackId', 'typeId']))
 
   if (track) {
     challenge.track = track.name
@@ -1515,6 +1603,12 @@ function sanitizeChallenge (challenge) {
     'attachmentIds',
     'groups'
   ])
+  if (!_.isUndefined(sanitized.name)) {
+    sanitized.name = xss(sanitized.name)
+  }
+  if (!_.isUndefined(sanitized.description)) {
+    sanitized.description = xss(sanitized.description)
+  }
   if (challenge.legacy) {
     sanitized.legacy = _.pick(challenge.legacy, [
       'track',
@@ -1546,6 +1640,9 @@ function sanitizeChallenge (challenge) {
   if (challenge.winners) {
     sanitized.winners = _.map(challenge.winners, winner => _.pick(winner, ['userId', 'handle', 'placement']))
   }
+  if (challenge.discussions) {
+    sanitized.discussions = _.map(challenge.discussions, discussion => _.pick(discussion, ['id', 'provider', 'name', 'type', 'url', 'options']))
+  }
   if (challenge.terms) {
     sanitized.terms = _.map(challenge.terms, term => _.pick(term, ['id', 'roleId']))
   }
@@ -1614,6 +1711,13 @@ fullyUpdateChallenge.schema = {
       name: Joi.string(),
       key: Joi.string()
     }).unknown(true)),
+    discussions: Joi.array().items(Joi.object().keys({
+      name: Joi.string().required(),
+      type: Joi.string().required().valid(_.values(constants.DiscussionTypes)),
+      provider: Joi.string().required(),
+      url: Joi.string(),
+      options: Joi.array().items(Joi.object())
+    })),
     tags: Joi.array().items(Joi.string().required()), // tag names
     projectId: Joi.number().integer().positive().required(),
     legacyId: Joi.number().integer().positive(),
@@ -1686,6 +1790,13 @@ partiallyUpdateChallenge.schema = {
       name: Joi.string(),
       key: Joi.string()
     }).unknown(true)),
+    discussions: Joi.array().items(Joi.object().keys({
+      name: Joi.string().required(),
+      type: Joi.string().required().valid(_.values(constants.DiscussionTypes)),
+      provider: Joi.string().required(),
+      url: Joi.string(),
+      options: Joi.array().items(Joi.object())
+    })),
     startDate: Joi.date(),
     prizeSets: Joi.array().items(Joi.object().keys({
       type: Joi.string().valid(_.values(constants.prizeSetTypes)).required(),