apply permission check after record is pulled from ES

Author: imcaizheng

src/common/helper.js

@@ -464,7 +464,7 @@ async function getProjectById (currentUser, id) {
     return _.pick(res.body, ['id', 'name'])
   } catch (err) {
     if (err.status === HttpStatus.FORBIDDEN) {
-      throw new errors.UnauthorizedError(`You are not allowed to access the project with id ${id}`)
+      throw new errors.ForbiddenError(`You are not allowed to access the project with id ${id}`)
     }
     if (err.status === HttpStatus.NOT_FOUND) {
       throw new errors.NotFoundError(`id: ${id} project not found`)

src/services/JobCandidateService.js

@@ -5,6 +5,7 @@
 const _ = require('lodash')
 const Joi = require('joi')
 const config = require('config')
+const HttpStatus = require('http-status-codes')
 const { Op } = require('sequelize')
 const { v4: uuid } = require('uuid')
 const helper = require('../common/helper')
@@ -16,6 +17,19 @@ const JobService = require('./JobService')
 const JobCandidate = models.JobCandidate
 const esClient = helper.getESClient()
 
+/**
+ * Check whether user can access associated job of a candidate.
+ *
+ * @param {Object} currentUser the user who perform this operation.
+ * @param {String} jobId the job id
+ * @returns {undefined}
+ */
+async function _checkUserAccessAssociatedJob (currentUser, jobId) {
+  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
+    await JobService.getJob(currentUser, jobId)
+  }
+}
+
 /**
  * Get jobCandidate by id
  * @param {Object} currentUser the user who perform this operation.
@@ -30,22 +44,27 @@ async function getJobCandidate (currentUser, id, fromDb = false) {
         index: config.esConfig.ES_INDEX_JOB_CANDIDATE,
         id
       })
+
+      // check whether user can access the job associated with the jobCandidate
+      await _checkUserAccessAssociatedJob(currentUser, jobCandidate.body._source.jobId)
+
       const jobCandidateRecord = { id: jobCandidate.body._id, ...jobCandidate.body._source }
       return jobCandidateRecord
     } catch (err) {
       if (helper.isDocumentMissingException(err)) {
         throw new errors.NotFoundError(`id: ${id} "JobCandidate" not found`)
       }
+      if (err.httpStatus === HttpStatus.FORBIDDEN) {
+        throw err
+      }
       logger.logFullError(err, { component: 'JobCandidateService', context: 'getJobCandidate' })
     }
   }
   logger.info({ component: 'JobCandidateService', context: 'getJobCandidate', message: 'try to query db for data' })
   const jobCandidate = await JobCandidate.findById(id)
 
-  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
-    // check whether user can access the job associated with the jobCandidate
-    await JobService.getJob(currentUser, jobCandidate.jobId)
-  }
+  // check whether user can access the job associated with the jobCandidate
+  await _checkUserAccessAssociatedJob(currentUser, jobCandidate.jobId)
 
   return helper.clearObject(jobCandidate.dataValues)
 }

src/services/JobService.js

@@ -74,6 +74,19 @@ async function _validateSkills (skills) {
   }
 }
 
+/**
+ * Check whether user can access associated project of a job.
+ *
+ * @param {Object} currentUser the user who perform this operation.
+ * @param {String} projectId the project id
+ * @returns {undefined}
+ */
+async function _checkUserAccessAssociatedProject (currentUser, projectId) {
+  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
+    await helper.getProjectById(currentUser, projectId)
+  }
+}
+
 /**
  * Get job by id
  * @param {Object} currentUser the user who perform this operation.
@@ -88,6 +101,10 @@ async function getJob (currentUser, id, fromDb = false) {
         index: config.esConfig.ES_INDEX_JOB,
         id
       })
+
+      // check whether user can access the project associated with the job
+      await _checkUserAccessAssociatedProject(currentUser, job.body._source.projectId)
+
       const jobId = job.body._id
       const jobRecord = { id: jobId, ...job.body._source }
       const candidates = await _getJobCandidates(jobId)
@@ -99,16 +116,17 @@ async function getJob (currentUser, id, fromDb = false) {
       if (helper.isDocumentMissingException(err)) {
         throw new errors.NotFoundError(`id: ${id} "Job" not found`)
       }
+      if (err.httpStatus === HttpStatus.FORBIDDEN) {
+        throw err
+      }
       logger.logFullError(err, { component: 'JobService', context: 'getJob' })
     }
   }
   logger.info({ component: 'JobService', context: 'getJob', message: 'try to query db for data' })
   const job = await Job.findById(id, true)
 
-  // check if user can access the project
-  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
-    await helper.getProjectById(currentUser, job.projectId)
-  }
+  // check whether user can access the project associated with the job
+  await _checkUserAccessAssociatedProject(currentUser, job.projectId)
 
   job.dataValues.candidates = _.map(job.dataValues.candidates, (c) => helper.clearObject(c.dataValues))
   return helper.clearObject(job.dataValues)

src/services/ResourceBookingService.js

@@ -5,6 +5,7 @@
 const _ = require('lodash')
 const Joi = require('joi')
 const config = require('config')
+const HttpStatus = require('http-status-codes')
 const { Op } = require('sequelize')
 const { v4: uuid } = require('uuid')
 const helper = require('../common/helper')
@@ -29,6 +30,19 @@ async function _getResourceBookingFilteringFields (currentUser, resourceBooking)
   return _.omit(helper.clearObject(resourceBooking), 'memberRate')
 }
 
+/**
+ * Check whether user can access associated project of a job.
+ *
+ * @param {Object} currentUser the user who perform this operation.
+ * @param {String} projectId the project id
+ * @returns {undefined}
+ */
+async function _checkUserAccessAssociatedProject (currentUser, projectId) {
+  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
+    await helper.getProjectById(currentUser, projectId)
+  }
+}
+
 /**
  * Get resourceBooking by id
  * @param {Object} currentUser the user who perform this operation.
@@ -43,22 +57,27 @@ async function getResourceBooking (currentUser, id, fromDb = false) {
         index: config.esConfig.ES_INDEX_RESOURCE_BOOKING,
         id
       })
+
+      // check if user can access the project associated with the resourceBooking
+      await _checkUserAccessAssociatedProject(currentUser, resourceBooking.body._source.projectId)
+
       const resourceBookingRecord = { id: resourceBooking.body._id, ...resourceBooking.body._source }
       return _getResourceBookingFilteringFields(currentUser, resourceBookingRecord)
     } catch (err) {
       if (helper.isDocumentMissingException(err)) {
         throw new errors.NotFoundError(`id: ${id} "ResourceBooking" not found`)
       }
+      if (err.httpStatus === HttpStatus.FORBIDDEN) {
+        throw err
+      }
       logger.logFullError(err, { component: 'ResourceBookingService', context: 'getResourceBooking' })
     }
   }
   logger.info({ component: 'ResourceBookingService', context: 'getResourceBooking', message: 'try to query db for data' })
   const resourceBooking = await ResourceBooking.findById(id)
 
   // check if user can access the project associated with the resourceBooking
-  if (!currentUser.hasManagePermission && !currentUser.isMachine && !currentUser.isConnectManager) {
-    await helper.getProjectById(currentUser, resourceBooking.projectId)
-  }
+  await _checkUserAccessAssociatedProject(currentUser, resourceBooking.projectId)
 
   return _getResourceBookingFilteringFields(currentUser, resourceBooking.dataValues)
 }