Fix issue where new users, that did not get the Topcoder User role, could not update their preferences

Author: callmekatootie

app-routes.js

@@ -32,6 +32,16 @@ function checkIfExists (source, term) {
     throw new Error('Term argument should be either a string or an array')
   }
 
+  if (source.length === 0) {
+    // Source is empty. No need to check term
+    return true
+  } else if (terms.length === 0) {
+    if (source.length === 0) {
+      // Source is empty. Term thus qualifies
+      return true
+    }
+  }
+
   for (let i = 0; i < terms.length; i++) {
     if (source.includes(terms[i])) {
       return true

config/default.js

@@ -7,7 +7,7 @@ module.exports = {
   PORT: process.env.PORT || 3000,
   API_VERSION: process.env.API_VERSION || '/v5',
   AUTH_SECRET: process.env.AUTH_SECRET || 'mysecret',
-  VALID_ISSUERS: process.env.VALID_ISSUERS ? process.env.VALID_ISSUERS.replace(/\\"/g, '') : '["https://api.topcoder-dev.com"]',
+  VALID_ISSUERS: process.env.VALID_ISSUERS ? process.env.VALID_ISSUERS.replace(/\\"/g, '') : '["https://api.topcoder-dev.com", "https://topcoder-dev.auth0.com"]',
 
   // used to get M2M token
   AUTH0_URL: process.env.AUTH0_URL,

src/routes.js

@@ -12,21 +12,21 @@ module.exports = {
       controller: 'PreferenceController',
       method: 'getUserPreferencesHead',
       auth: 'jwt',
-      access: [constants.UserRoles.Admin, constants.UserRoles.User],
+      access: [],
       scopes: [constants.Scopes.ReadPreference, constants.Scopes.AllPreference]
     },
     get: {
       controller: 'PreferenceController',
       method: 'getUserPreferences',
       auth: 'jwt',
-      access: [constants.UserRoles.Admin, constants.UserRoles.User],
+      access: [],
       scopes: [constants.Scopes.ReadPreference, constants.Scopes.AllPreference]
     },
     put: {
       controller: 'PreferenceController',
       method: 'updateUserPreferences',
       auth: 'jwt',
-      access: [constants.UserRoles.Admin, constants.UserRoles.User],
+      access: [],
       scopes: [constants.Scopes.UpdatePreference, constants.Scopes.AllPreference]
     }
   },

test/e2e/PreferenceService.test.js

@@ -134,14 +134,6 @@ describe('Topcoder - MemberPreferences API E2E Test', () => {
     expect(res.body.message).to.equal('You are not authorized to perform this action')
   })
 
-  it('Get user preferences user role is not allowed, return 403', async () => {
-    const res = await chai.request(app)
-      .get(`${config.API_VERSION}/users/${userId.user1}/preferences`)
-      .set('Authorization', `Bearer ${token.invalidRole}`)
-    expect(res.status).to.equal(403)
-    expect(res.body.message).to.equal('You are not allowed to perform this action!')
-  })
-
   it('Get user preferences using incorrect m2m token, return 403', async () => {
     const res = await chai.request(app)
       .get(`${config.API_VERSION}/users/${userId.user1}/preferences`)
@@ -348,13 +340,13 @@ describe('Topcoder - MemberPreferences API E2E Test', () => {
     expect(res.body.message).to.equal('You are not authorized to perform this action')
   })
 
-  it('Update user preferences user role is not allowed, return 403', async () => {
+  it('Update user preferences, non admin user cannot update another users preferences, return 400', async () => {
     const res = await chai.request(app)
       .put(`${config.API_VERSION}/users/${userId.user1}/preferences`)
       .set('Authorization', `Bearer ${token.invalidRole}`)
       .send(reqBody.data)
-    expect(res.status).to.equal(403)
-    expect(res.body.message).to.equal('You are not allowed to perform this action!')
+    expect(res.status).to.equal(400)
+    expect(res.body.message).to.equal('The userId 305384 does not match the objectId 12345.')
   })
 
   it('Update user preferences using incorrect m2m token, return 403', async () => {