[$150] 403 Forbidden error returned for some users of CREATE/PUT/PATCH/DELETE calls to jobs, jobCandidates and resourceBookings endpoints

[SathyaJayabal]

user: TCConManager
Roles: “Topcoder User”, “Connect Manager”

403 Forbidden error returned for the following :

endpoints

jobs: CREATE/DELETE
jobCandidates : CREATE/PUT/PATCH
resourceBookings: CREATE/PUT/PATCH

500 Internal server error for the following:

endpoints
jobs: PUT/PATCH

[SathyaJayabal]

TCConmanager is not part of v5/users.

This was fixed in #14, but not working now

cc @maxceem

[maxceem]

@nkumar-topcoder as I understand regular users should not be able to do any operations with jobs, jobCandidates, resourceBookings.
Only Bookingmanager users and M2M should be able to perform all these operations.

[nkumar-topcoder]

@maxceem Regular tc user can create the job and view the job (they create). Same applies for job candidates.
My understanding is that imcaizheng has implemented this.
And, you understanding on Bookingmanager is right

[SathyaJayabal]

@nkumar-topcoder @maxceem , at present, regular users are able to create jobs even on projects they dont have access to.
#35

[maxceem]

We have to fix permissions for Job, JobCandidates and ResourceBookings as per the next table #72 (comment).

Note, that technically Connect Manager users already have access to all the projects. So we don't have to write for them a separate logic, we can use for them the same logic as for Topcoder User when checking if such users can access the project or no.

We already have a method isConnectMember https://github.com/topcoder-platform/taas-apis/blob/dev/src/common/helper.js#L184-L196 which by fact is not checking if the user is a Manager it checks if user has access to the project or no. So this method might be renamed to something likecanAccessProject and used to check permissions for both Connect Manager and Topcoder User.

For the next cases when requested by Topcoder User:

• if filter param is not defined, return 403: Not allowed without filtering by "projectId". (or "jobId")

  

• If filter param is defined, but no access to the project, then return 403 as we do in Teams endpoints

We also have to allow Admins to perform all the actions same like BookingManagers. To do so we can update the logic here https://github.com/topcoder-platform/taas-apis/blob/dev/app-routes.js#L52-L54:

• also allow administrator role
• rename isBookingManager to hasManagePermission (or maybe you know a better name) to show that it can be not only manager but also admin - just someone who has all the permissions

[maxceem]

Contest https://www.topcoder.com/challenges/30159302 has been created for this ticket.

This is an automated message for maxceem via Topcoder X

[maxceem]

@imcaizheng this is open for pick up now. This has a higher priority for us in comparison with enhancement issues.

[maxceem]

Contest https://www.topcoder.com/challenges/30159302 has been updated - it has been assigned to aaron2017.

This is an automated message for maxceem via Topcoder X

[imcaizheng]

PR created #77

[maxceem]

@SathyaJayabal this is ready for testing on DEV.

We implemented this as per permissions defined in the table #72 (comment)

To test this functionality you might use a new folder in Postman collection named Test Permission Rules

[SathyaJayabal]

@maxceem , for GET taas-teams, for member user role , the following error is displayed
"Not allowed without filtering by \"projectId\""
User should be bale to view all projects they are a member of and need not filter by project id.

Same case for
GET taas-teams/:id even when the id is the project the user is a member of
GET taas-teams/:id/jobs/:jobId even when the id is the project the user is a member of and jobId is the job they created.

All other permissions work as expected.

[maxceem]

Great catch @SathyaJayabal.

This is fixed now. Could you please, try it once more.

[SathyaJayabal]

Great catch @SathyaJayabal.

This is fixed now. Could you please, try it once more.

@maxceem verified this is working as expected.

[maxceem]

@SathyaJayabal this is ready for QA on DEV.

[SathyaJayabal]

@maxceem , the GET taas-teams endpoint is displaying a "forbidden" error for all user roles

[maxceem]

@SathyaJayabal there was some issue with configuration in the DEV environment. It's fixed now, could you please try again.

[SathyaJayabal]

@maxceem , this issue is still not fixed.
#72 (comment)

[imcaizheng]

@SathyaJayabal Postman collection had been updated. Please reload the Postman collection and environment files. Note that we don't need to refresh tokens before making requests now.

Here is a screenshot of the updated Postman collection FYI:

[SathyaJayabal]

@imcaizheng , I have updated the postman collection, but we still have the issue
Can you please try with the below example (user/project)?
#72 (comment)

[imcaizheng]

@SathyaJayabal
I guess the issue you mean is "Forbidden" error, right? Just like:

It is because user TCConManager was not found in /v5/users and the app would try to create the user via POST /v5/users. It got Forbidden error due to this issue #81.

After created user TCConManager in /v5/users manually, I am able to create a job with the request named ✔ create job with connect manager.

[SathyaJayabal]

@imcaizheng , Oh I see, Thanks for creating the user in v5. We will test again.

[SathyaJayabal]

@maxceem @imcaizheng , permissions work as defined in #72 (comment)

[maxceem]

Thank you @SathyaJayabal and @imcaizheng! Closing this issue.

[maxceem]

Payment task has been updated: https://software.topcoder.com/review/actions/ViewProjectDetails?pid=30159302

This is an automated message for maxceem via Topcoder X