Merge pull request #662 from liuliquan/PLAT-3453

PLAT-3453 Stop copilots from paying themselves

Author: rakibansary

src/common/challenge-helper.js

@@ -105,9 +105,9 @@ class ChallengeHelper {
     }
   }
 
-  async validateChallengeUpdateRequest(currentUser, challenge, data) {
+  async validateChallengeUpdateRequest(currentUser, challenge, data, challengeResources) {
     if (process.env.LOCAL != "true") {
-      await helper.ensureUserCanModifyChallenge(currentUser, challenge);
+      await helper.ensureUserCanModifyChallenge(currentUser, challenge, challengeResources);
     }
 
     helper.ensureNoDuplicateOrNullElements(data.tags, "tags");

src/common/helper.js

@@ -528,14 +528,17 @@ async function getResourceRoles() {
  * Check if a user has full access on a challenge
  * @param {String} challengeId the challenge UUID
  * @param {String} userId the user ID
+ * @param {Array} challengeResources the challenge resources
  */
-async function userHasFullAccess(challengeId, userId) {
+async function userHasFullAccess(challengeId, userId, challengeResources) {
   const resourceRoles = await getResourceRoles();
   const rolesWithFullAccess = _.map(
     _.filter(resourceRoles, (r) => r.fullWriteAccess),
     "id"
   );
-  const challengeResources = await getChallengeResources(challengeId);
+  if (!challengeResources) {
+    challengeResources = await getChallengeResources(challengeId);
+  }
   return (
     _.filter(
       challengeResources,
@@ -982,13 +985,14 @@ async function ensureUserCanViewChallenge(currentUser, challenge) {
  *
  * @param {Object} currentUser the user who perform operation
  * @param {Object} challenge the challenge to check
+ * @param {Array} challengeResources the challenge resources
  * @returns {Promise}
  */
-async function ensureUserCanModifyChallenge(currentUser, challenge) {
+async function ensureUserCanModifyChallenge(currentUser, challenge, challengeResources) {
   // check groups authorization
   await ensureAccessibleByGroupsAccess(currentUser, challenge);
   // check full access
-  const isUserHasFullAccess = await userHasFullAccess(challenge.id, currentUser.userId);
+  const isUserHasFullAccess = await userHasFullAccess(challenge.id, currentUser.userId, challengeResources);
   if (
     !currentUser.isMachine &&
     !hasAdminRole(currentUser) &&

src/services/ChallengeService.js

@@ -1364,10 +1364,9 @@ function isDifferentPrizeSets(prizeSets = [], otherPrizeSets = []) {
 /**
  * Validate the winners array.
  * @param {Array} winners the Winner Array
- * @param {String} winchallengeIdners the challenge ID
+ * @param {Array} challengeResources the challenge resources
  */
-async function validateWinners(winners, challengeId) {
-  const challengeResources = await helper.getChallengeResources(challengeId);
+async function validateWinners(winners, challengeResources) {
   const registrants = _.filter(challengeResources, (r) => r.roleId === config.SUBMITTER_ROLE_ID);
   for (const prizeType of _.values(constants.prizeSetTypes)) {
     const filteredWinners = _.filter(winners, (w) => w.type === prizeType);
@@ -1410,6 +1409,48 @@ async function validateWinners(winners, challengeId) {
   }
 }
 
+/**
+ * Task shouldn't be launched/completed when it is assigned to the current user self.
+ * E.g: stop copilots from paying themselves, thus copilots will need to contact manager to launch/complete the task.
+ * @param {Object} currentUser the user who perform operation
+ * @param {Object} challenge the existing challenge
+ * @param {Object} data the new input challenge data
+ * @param {Array} challengeResources the challenge resources
+ */
+function validateTaskSelfAssign(currentUser, challenge, data, challengeResources) {
+  if (currentUser.isMachine) {
+    return;
+  }
+
+  const finalStatus = data.status || challenge.status;
+
+  // Only validate when launch/complete a task
+  const isLaunchCompleteTask =
+    _.get(challenge, "legacy.pureV5Task") &&
+    (finalStatus === constants.challengeStatuses.Active ||
+      finalStatus === constants.challengeStatuses.Completed);
+  if (!isLaunchCompleteTask) {
+    return;
+  }
+
+  // Whether task is assigned to current user
+  const assignedToCurrentUser =
+    _.filter(
+      challengeResources,
+      (r) =>
+        r.roleId === config.SUBMITTER_ROLE_ID &&
+        _.toString(r.memberId) === _.toString(currentUser.userId)
+    ).length > 0;
+
+  if (assignedToCurrentUser) {
+    throw new errors.ForbiddenError(
+      `You are not allowed to ${
+        finalStatus === constants.challengeStatuses.Active ? "lanuch" : "complete"
+      } task assigned to yourself. Please contact manager to operate.`
+    );
+  }
+}
+
 /**
  * Update challenge.
  * @param {Object} currentUser the user who perform operation
@@ -1441,7 +1482,10 @@ async function updateChallenge(currentUser, challengeId, data) {
   data = sanitizeData(sanitizeChallenge(data), challenge);
   logger.debug(`Sanitized Data: ${JSON.stringify(data)}`);
 
-  await validateChallengeUpdateRequest(currentUser, challenge, data);
+  const challengeResources = await helper.getChallengeResources(challengeId);
+
+  await validateChallengeUpdateRequest(currentUser, challenge, data, challengeResources);
+  validateTaskSelfAssign(currentUser, challenge, data, challengeResources);
 
   let sendActivationEmail = false;
   let sendSubmittedEmail = false;
@@ -1716,7 +1760,7 @@ async function updateChallenge(currentUser, challengeId, data) {
   }
 
   if (data.winners && data.winners.length && data.winners.length > 0) {
-    await validateWinners(data.winners, challengeId);
+    await validateWinners(data.winners, challengeResources);
   }
 
   // Only m2m tokens are allowed to modify the `task.*` information on a challenge
@@ -1777,7 +1821,6 @@ async function updateChallenge(currentUser, challengeId, data) {
 
   if (_.get(type, "isTask")) {
     if (!_.isEmpty(_.get(data, "task.memberId"))) {
-      const challengeResources = await helper.getChallengeResources(challengeId);
       const registrants = _.filter(
         challengeResources,
         (r) => r.roleId === config.SUBMITTER_ROLE_ID