fix permission rules as per issue #72

[imcaizheng]

Validation

In postman collection new folder named "Test Permission Rules" is added to provide basic requests for validating the permission rules with different roles.

Notes

• method helper.isConnectMember are removed in favor of method helper.getProjectById
• redundant code(due to [$50]JobCandidate and ResourceBooking job and user consistency validation #33) inside method JobCandidateService.updateJobCandidate that checks whether associated job exists is removed

[maxceem]

Thank you, @imcaizheng. As per my testing, Topcoder User can get JobCandidates and ResourceBooking created in the project where Topcoder User doesn't have access to.

If I create a job in project 111 using admin

After that, if I request JobCandidates by Topcoder User filtered by jobId with that job in project 111, I would get an empty list of jobCandidates:

While an expected result should be 403 as Topcoder User doesn't have access to the project 111 of that Job.

And if I create JobCandates in that job, then Topcoder User could access them:

Also, can get JobCandidate by id from project 111:

The same for ResouceBookings, can get it by id even don't have access to the project 111

Everything else, work good to me. Let me know if you can reproduce the issues above, or I missed something during testing.

[maxceem]

Thanks, @imcaizheng. Works perfectly now.