add input checks of jobId and userId

Author: imcaizheng

docs/swagger.yaml

@@ -499,6 +499,12 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Error'
+        '404':
+          description: Not Found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
         '500':
           description: Internal Server Error
           content:
@@ -898,6 +904,12 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Error'
+        '404':
+          description: Not Found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
         '500':
           description: Internal Server Error
           content:

src/common/helper.js

@@ -5,11 +5,13 @@
 const querystring = require('querystring')
 const AWS = require('aws-sdk')
 const config = require('config')
+const HttpStatus = require('http-status-codes')
 const _ = require('lodash')
 const request = require('superagent')
 const elasticsearch = require('@elastic/elasticsearch')
 const errors = require('../common/errors')
 const logger = require('./logger')
+const models = require('../models')
 const busApi = require('@topcoder-platform/topcoder-bus-api-wrapper')
 
 const localLogger = {
@@ -529,6 +531,40 @@ async function ensureUbhanUserId (currentUser) {
   }
 }
 
+/**
+ * Ensure job with specific id exists.
+ *
+ * @param {String} jobId the job id
+ * @returns {Object} the job data
+ */
+async function ensureJobById (jobId) {
+  return models.Job.findById(jobId)
+}
+
+/**
+ * Ensure user with specific id exists.
+ *
+ * @param {String} jobId the user id
+ * @returns {Object} the user data
+ */
+async function ensureUserById (userId) {
+  const token = await getM2Mtoken()
+  try {
+    const res = await request
+      .get(`${config.TC_API}/users/${userId}`)
+      .set('Authorization', `Bearer ${token}`)
+      .set('Content-Type', 'application/json')
+      .set('Accept', 'application/json')
+    localLogger.debug({ context: 'ensureUserById', message: `response body: ${JSON.stringify(res.body)}` })
+    return res.body
+  } catch (err) {
+    if (err.status === HttpStatus.NOT_FOUND) {
+      throw new errors.NotFoundError(`id: ${userId} "user" not found`)
+    }
+    throw err
+  }
+}
+
 module.exports = {
   checkIfExists,
   autoWrapExpress,
@@ -553,5 +589,7 @@ module.exports = {
   getMembers,
   getProjectById,
   getSkillById,
-  getUserSkill
+  getUserSkill,
+  ensureJobById,
+  ensureUserById
 }

src/services/JobCandidateService.js

@@ -54,6 +54,9 @@ getJobCandidate.schema = Joi.object().keys({
  * @returns {Object} the created jobCandidate
  */
 async function createJobCandidate (currentUser, jobCandidate) {
+  await helper.ensureJobById(jobCandidate.jobId) // ensure job exists
+  await helper.ensureUserById(jobCandidate.userId) // ensure user exists
+
   jobCandidate.id = uuid()
   jobCandidate.createdAt = new Date()
   jobCandidate.createdBy = await helper.getUserId(currentUser.userId)
@@ -127,6 +130,8 @@ partiallyUpdateJobCandidate.schema = Joi.object().keys({
  * @returns {Object} the updated jobCandidate
  */
 async function fullyUpdateJobCandidate (currentUser, id, data) {
+  await helper.ensureJobById(data.jobId) // ensure job exists
+  await helper.ensureUserById(data.userId) // ensure user exists
   return updateJobCandidate(currentUser, id, data)
 }
 

src/services/ResourceBookingService.js

@@ -73,6 +73,11 @@ getResourceBooking.schema = Joi.object().keys({
  * @returns {Object} the created resourceBooking
  */
 async function createResourceBooking (currentUser, resourceBooking) {
+  if (resourceBooking.jobId) {
+    await helper.ensureJobById(resourceBooking.jobId) // ensure job exists
+  }
+  await helper.ensureUserById(resourceBooking.userId) // ensure user exists
+
   if (!currentUser.isBookingManager && !currentUser.isMachine) {
     const connect = await helper.isConnectMember(resourceBooking.projectId, currentUser.jwtToken)
     if (!connect) {
@@ -186,6 +191,10 @@ partiallyUpdateResourceBooking.schema = Joi.object().keys({
  * @returns {Object} the updated resourceBooking
  */
 async function fullyUpdateResourceBooking (currentUser, id, data) {
+  if (data.jobId) {
+    await helper.ensureJobById(data.jobId) // ensure job exists
+  }
+  await helper.ensureUserById(data.userId) // ensure user exists
   return updateResourceBooking(currentUser, id, data)
 }