allow any resource with full access to modify a challenge

Author: ThomasKranitsas

config/default.js

@@ -47,6 +47,8 @@ module.exports = {
   FILE_UPLOAD_SIZE_LIMIT: process.env.FILE_UPLOAD_SIZE_LIMIT
     ? Number(process.env.FILE_UPLOAD_SIZE_LIMIT) : 50 * 1024 * 1024, // 50M
   RESOURCES_API_URL: process.env.RESOURCES_API_URL || 'http://localhost:4000/v5/resources',
+  // TODO: change this to localhost
+  RESOURCE_ROLES_API_URL: process.env.RESOURCE_ROLES_API_URL || 'http://api.topcoder-dev.com/v5/resource-roles',
   GROUPS_API_URL: process.env.GROUPS_API_URL || 'http://localhost:4000/v5/groups',
   PROJECTS_API_URL: process.env.PROJECTS_API_URL || 'http://localhost:4000/v5/projects',
   TERMS_API_URL: process.env.TERMS_API_URL || 'http://localhost:4000/v5/terms',

src/common/helper.js

@@ -392,11 +392,46 @@ async function getM2MToken () {
  */
 async function getChallengeResources (challengeId) {
   const token = await getM2MToken()
-  const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}`
-  const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+  const perPage = 100
+  let page = 1
+  let result = []
+  while (true) {
+    const url = `${config.RESOURCES_API_URL}?challengeId=${challengeId}&perPage=${perPage}&page=${page}`
+    const res = await axios.get(url, { headers: { Authorization: `Bearer ${token}` } })
+    if (!res.data || res.data.length === 0) {
+      break
+    }
+    result = result.concat(res.data)
+    page += 1
+    if (res.headers['x-total-pages'] && page > Number(res.headers['x-total-pages'])) {
+      break
+    }
+  }
+  return result
+}
+
+/**
+ * Get resource roles
+ * @returns {Promise<Array>} the challenge resources
+ */
+async function getResourceRoles () {
+  const token = await getM2MToken()
+  const res = await axios.get(config.RESOURCE_ROLES_API_URL, { headers: { Authorization: `Bearer ${token}` } })
   return res.data || []
 }
 
+/**
+ * Check if a user has full access on a challenge
+ * @param {String} challengeId the challenge UUID
+ * @param {String} userId the user ID
+ */
+async function userHasFullAccess (challengeId, userId) {
+  const resourceRoles = await getResourceRoles()
+  const rolesWithFullAccess = _.map(_.filter(resourceRoles, r => r.fullAccess), 'id')
+  const challengeResources = await getChallengeResources(challengeId)
+  return _.filter(challengeResources, r => _.toString(r.memberId) === _.toString(userId) && _.includes(rolesWithFullAccess, r.roleId)).length > 0
+}
+
 /**
  * Get all user groups
  * @param {String} userId the user id
@@ -723,5 +758,7 @@ module.exports = {
   getProjectBillingAccount,
   expandWithSubGroups,
   getCompleteUserGroupTreeIds,
-  expandWithParentGroups
+  expandWithParentGroups,
+  getResourceRoles,
+  userHasFullAccess
 }

src/services/ChallengeService.js

@@ -1159,8 +1159,9 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
     newAttachments = await helper.getByIds('Attachment', data.attachmentIds || [])
   }
 
-  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase()) {
-    throw new errors.ForbiddenError(`Only M2M, admin or challenge's copilot can perform modification.`)
+  const userHasFullAccess = await helper.userHasFullAccess(challengeId, currentUser.userId)
+  if (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && challenge.createdBy.toLowerCase() !== currentUser.handle.toLowerCase() && !userHasFullAccess) {
+    throw new errors.ForbiddenError(`Only M2M, admin, challenge's copilot or users with full access can perform modification.`)
   }
 
   // Validate the challenge terms