Merge pull request #133 from meshde/metadata-hiding

HOTFIX: Hide review metadata for non-admin non-copilot users when getting submission details

Author: Dushyant Bhalgami

src/common/helper.js

@@ -554,6 +554,33 @@ function * postToBusApi (payload) {
   yield busApiClient.postEvent(payload)
 }
 
+/**
+ * Function to remove metadata details from reviews for members who shouldn't see them
+ * @param  {Array} reviews The reviews to remove metadata from
+ * @param  {Object} authUser The authenticated user details
+ */
+function cleanseReviews (reviews, authUser) {
+  // Not a machine user
+  if (!authUser.scopes) {
+    const admin = _.filter(authUser.roles, role => role.toLowerCase() === 'Administrator'.toLowerCase())
+    const copilot = _.filter(authUser.roles, role => role.toLowerCase() === 'Copilot'.toLowerCase())
+
+    // User is neither admin nor copilot
+    if (admin.length === 0 && copilot.length === 0) {
+      const cleansedReviews = []
+
+      _.forEach(reviews, (review) => {
+        _.unset(review, 'metadata')
+        cleansedReviews.push(review)
+      })
+
+      return cleansedReviews
+    }
+  }
+
+  return reviews
+}
+
 module.exports = {
   wrapExpress,
   autoWrapExpress,
@@ -566,5 +593,6 @@ module.exports = {
   checkGetAccess,
   checkReviewGetAccess,
   downloadFile,
-  postToBusApi
+  postToBusApi,
+  cleanseReviews
 }

src/controllers/SubmissionController.js

@@ -37,7 +37,7 @@ function * downloadSubmission (req, res) {
  * @param res the http response
  */
 function * listSubmissions (req, res) {
-  const data = yield SubmissionService.listSubmissions(req.query)
+  const data = yield SubmissionService.listSubmissions(req.authUser, req.query)
   helper.setPaginationHeaders(req, res, data)
 }
 

src/services/SubmissionService.js

@@ -150,6 +150,8 @@ function * getSubmission (authUser, submissionId) {
     yield helper.checkGetAccess(authUser, submissionRecord)
   }
 
+  submissionRecord.review = helper.cleanseReviews(submissionRecord.review, authUser)
+
   // Return the retrieved submission
   logger.info(`getSubmission: returning data for submissionId: ${submissionId}`)
   return submissionRecord
@@ -174,11 +176,19 @@ function * downloadSubmission (authUser, submissionId) {
 
 /**
  * Function to list submissions from Elastic Search
+ * @param {Object} authUser Authenticated User
  * @param {Object} query Query filters passed in HTTP request
  * @return {Object} Data fetched from ES
  */
-function * listSubmissions (query) {
-  return yield helper.fetchFromES(query, helper.camelize(table))
+function * listSubmissions (authUser, query) {
+  const data = yield helper.fetchFromES(query, helper.camelize(table))
+  data.rows = _.map(data.rows, (submission) => {
+    if (submission.review) {
+      submission.review = helper.cleanseReviews(submission.review, authUser)
+    }
+    return submission
+  })
+  return data
 }
 
 const listSubmissionsQuerySchema = {
@@ -209,6 +219,7 @@ listSubmissionsQuerySchema.sortBy = joi.string().valid(_.difference(
 ))
 
 listSubmissions.schema = {
+  authUser: joi.object().required(),
   query: joi.object().keys(listSubmissionsQuerySchema).with('orderBy', 'sortBy')
 }