Merge pull request #289 from topcoder-platform/develop

Allow submitters to delete their own submissions

Author: jmgasper

src/common/helper.js

@@ -713,6 +713,17 @@ function * downloadFile (fileURL) {
   return downloadedFile.Body
 }
 
+/**
+ * Function to create s3 readstream from given S3 URL
+ * @param{String} fileURL S3 URL of the file to be downloaded
+ * @returns {Object} ReadStream of downloaded file
+ */
+function createS3ReadStream (fileURL) {
+  const { bucket, key } = AmazonS3URI(fileURL)
+  logger.info(`create s3 readStream(): file is on S3 ${bucket} / ${key}`)
+  return s3.getObject({ Bucket: bucket, Key: key }).createReadStream()
+}
+
 /**
  * Wrapper function to post to bus api. Ensures that every event posted to bus api
  * is duplicated and posted to bus api again, but to a different "aggregate" topic
@@ -895,6 +906,7 @@ module.exports = {
   checkCreateAccess,
   checkGetAccess,
   checkReviewGetAccess,
+  createS3ReadStream,
   downloadFile,
   postToBusApi,
   cleanseReviews,

src/controllers/SubmissionController.js

@@ -28,7 +28,7 @@ function * downloadSubmission (req, res) {
     fileName = `submission-${result.submission.id}.zip`
   }
   res.attachment(fileName)
-  res.send(result.file)
+  helper.createS3ReadStream(result.submission.url).pipe(res)
 }
 
 /**
@@ -74,7 +74,7 @@ function * patchSubmission (req, res) {
  * @param res the http response
  */
 function * deleteSubmission (req, res) {
-  yield SubmissionService.deleteSubmission(req.params.submissionId)
+  yield SubmissionService.deleteSubmission(req.authUser, req.params.submissionId)
   res.status(204).send()
 }
 

src/routes/SubmissionRoutes.js

@@ -50,7 +50,7 @@ module.exports = {
       controller: 'SubmissionController',
       method: 'deleteSubmission',
       auth: 'jwt',
-      access: ['Administrator'],
+      access: ['Topcoder User', 'Administrator', 'Copilot'],
       scopes: ['delete:submission', 'all:submission'],
       blockByIp: true
     }

src/services/SubmissionService.js

@@ -164,15 +164,14 @@ getSubmission.schema = {
 }
 
 /**
- * Function to download submission from S3
+ * Function to get submission
  * @param {Object} authUser Authenticated User
  * @param {String} submissionId ID of the Submission which need to be retrieved
- * @return {Object} Submission retrieved from S3
+ * @return {Object} Submission retrieved
  */
 function * downloadSubmission (authUser, submissionId) {
   const record = yield getSubmission(authUser, submissionId)
-  const downloadedFile = yield helper.downloadFile(record.url)
-  return { submission: record, file: downloadedFile }
+  return { submission: record }
 }
 
 /**
@@ -569,15 +568,20 @@ patchSubmission.schema = {
 
 /**
  * Function to delete submission
+ * @param {Object} authUser Authenticated User
  * @param {String} submissionId submissionId which need to be deleted
  * @return {Promise}
  */
-function * deleteSubmission (submissionId) {
+function * deleteSubmission (authUser, submissionId) {
   const exist = yield _getSubmission(submissionId)
   if (!exist) {
     throw new errors.HttpStatusError(404, `Submission with ID = ${submissionId} is not found`)
   }
 
+  if (_.intersection(authUser.roles, ['Administrator', 'administrator']).length === 0 && exist.memberId !== authUser.userId) {
+    throw new errors.HttpStatusError(403, 'You do not have permissions to delete this submission.')
+  }
+
   // Filter used to delete the record
   const filter = {
     TableName: table,
@@ -598,6 +602,7 @@ function * deleteSubmission (submissionId) {
     payload: {
       resource: helper.camelize(table),
       id: submissionId
+
     }
   }
 
@@ -606,7 +611,8 @@ function * deleteSubmission (submissionId) {
 }
 
 deleteSubmission.schema = {
-  submissionId: joi.string().guid().required()
+  authUser: joi.object().required(),
+  submissionId: joi.string().guid().required(),
 }
 
 module.exports = {

test/unit/SubmissionService.test.js

@@ -470,16 +470,15 @@ describe('Submission Service tests', () => {
         })
     })
 
-    it('Deleting submission with user token should throw 403', (done) => {
+    it('Deleting submission with User token should get succeeded', (done) => {
       chai.request(app)
         .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)
         .set('Authorization', `Bearer ${config.USER_TOKEN}`)
         .end((err, res) => {
-          res.should.have.status(403)
-          res.body.message.should.be.eql('You are not allowed to perform this action!')
+          res.should.have.status(204)
           done()
         })
-    })
+    }).timeout(10000)
 
     it('Deleting non-existent submission should throw 404', (done) => {
       chai.request(app)
@@ -492,6 +491,16 @@ describe('Submission Service tests', () => {
         })
     })
 
+    it('Deleting submission with Copilot token should get succeeded', (done) => {
+      chai.request(app)
+        .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)
+        .set('Authorization', `Bearer ${config.COPILOT_TOKEN}`)
+        .end((err, res) => {
+          res.should.have.status(204)
+          done()
+        })
+    }).timeout(10000)
+
     it('Deleting submission with Admin token should get succeeded', (done) => {
       chai.request(app)
         .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)