#175 - Allow users to delete their own submission

callmekatootie · callmekatootie · commit b23e56b8c74e · 2020-05-01T18:39:17.000+05:30
diff --git a/src/controllers/SubmissionController.js b/src/controllers/SubmissionController.js
@@ -94,7 +94,7 @@ function * patchSubmission (req, res) {
  * @param res the http response
  */
 function * deleteSubmission (req, res) {
-  yield SubmissionService.deleteSubmission(req.params.submissionId, req.span)
+  yield SubmissionService.deleteSubmission(req.authUser, req.params.submissionId, req.span)
 
   logResultOnSpan(req.span, httpStatus.NO_CONTENT)
 
diff --git a/src/routes/SubmissionRoutes.js b/src/routes/SubmissionRoutes.js
@@ -45,7 +45,7 @@ module.exports = {
       controller: 'SubmissionController',
       method: 'deleteSubmission',
       auth: 'jwt',
-      access: ['Administrator'],
+      access: ['Administrator', 'Topcoder User', 'Copilot'],
       scopes: ['delete:submission', 'all:submission']
     }
   },
diff --git a/src/services/SubmissionService.js b/src/services/SubmissionService.js
@@ -589,17 +589,60 @@ patchSubmission.schema = {
  * @param {Object} span the Span object
  * @return {Promise}
  */
-function * deleteSubmission (submissionId, span) {
+function * deleteSubmission (authUser, submissionId, span) {
   const deleteSubmissionSpan = tracer.startChildSpans('SubmissionService.deleteSubmission', span)
   deleteSubmissionSpan.setTag('submissionId', submissionId)
 
   try {
-    const exist = yield _getSubmission(submissionId, deleteSubmissionSpan)
-    if (!exist) {
+    const submissionRecord = yield _getSubmission(submissionId, deleteSubmissionSpan)
+    if (!submissionRecord) {
       throw new errors.HttpStatusError(404, `Submission with ID = ${submissionId} is not found`)
     }
 
-    // Filter used to delete the record
+    if (_.intersection(authUser.roles, ['Administrator', 'administrator']).length === 0 && !authUser.scopes) {
+      // If not administrator, verify that the submission is owned by the user
+      if (submissionRecord.memberId !== authUser.userId) {
+        throw new errors.HttpStatusError(403, 'You cannot access other member\'s submission')
+      }
+
+      // Now verify that the Submission phase for the challenge is still active
+      // If not, non admin user cannot delete the submission
+      const activeSubmissionPhaseId = yield helper.getSubmissionPhaseId(submissionRecord.challengeId, deleteSubmissionSpan)
+
+      if (!activeSubmissionPhaseId) {
+        throw new errors.HttpStatusError(403, 'You cannot delete the submission because submission phase is not active')
+      }
+    }
+
+    // All checks passed - proceed to delete
+    // First, delete reviews and review summations for the submission
+    if (submissionRecord.review) {
+      const reviewService = require('./ReviewService')
+      for (let i = 0; i < submissionRecord.review.length; i++) {
+        const review = submissionRecord.review[i]
+        yield reviewService.deleteReview(review.id, deleteSubmissionSpan)
+      }
+    }
+
+    if (submissionRecord.reviewSummation) {
+      const reviewSummationService = require('./ReviewSummationService')
+      for (let i = 0; i < submissionRecord.reviewSummation.length; i++) {
+        const reviewSummation = submissionRecord.reviewSummation[i]
+        yield reviewSummationService.deleteReviewSummation(reviewSummation.id, deleteSubmissionSpan)
+      }
+    }
+
+    // Importing at the beginning of this service causes a circular dependency. Hence, dynamically invoking it
+    const artifactService = require('./ArtifactService')
+
+    // Next delete the artifacts for the submission
+    const submissionArtifacts = yield artifactService.listArtifacts(submissionRecord.id, deleteSubmissionSpan)
+
+    for (let i = 0; i < submissionArtifacts.artifacts.length; i++) {
+      yield artifactService.deleteArtifact(submissionRecord.id, submissionArtifacts.artifacts[i], deleteSubmissionSpan)
+    }
+
+    // Finally delete the submission itself
     const filter = {
       TableName: table,
       Key: {
@@ -630,6 +673,7 @@ function * deleteSubmission (submissionId, span) {
 }
 
 deleteSubmission.schema = {
+  authUser: joi.object().required(),
   submissionId: joi.string().guid().required()
 }
 
diff --git a/test/unit/SubmissionService.test.js b/test/unit/SubmissionService.test.js
@@ -519,10 +519,10 @@ describe('Submission Service tests', () => {
         })
     })
 
-    it('Deleting submission with user token should throw 403', (done) => {
+    it('Deleting submission with copilot token should throw 403', (done) => {
       chai.request(app)
         .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)
-        .set('Authorization', `Bearer ${config.USER_TOKEN}`)
+        .set('Authorization', `Bearer ${config.COPILOT_TOKEN}`)
         .end((err, res) => {
           res.should.have.status(403)
           res.body.message.should.be.eql('You are not allowed to perform this action!')

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ module.exports = {`
`45`	`45`	`controller: 'SubmissionController',`
`46`	`46`	`method: 'deleteSubmission',`
`47`	`47`	`auth: 'jwt',`
`48`		`- access: ['Administrator'],`
	`48`	`+ access: ['Administrator', 'Topcoder User', 'Copilot'],`
`49`	`49`	`scopes: ['delete:submission', 'all:submission']`
`50`	`50`	`}`
`51`	`51`	`},`