Merge pull request #476 from IABTechLab/ajy-UID2-3503-Allow-user-to-belong-to-multiple-participants

Allow user to belong to multiple participants (backend)

Author: alex-yau-ttd

src/api/controllers/userController.ts

@@ -59,13 +59,12 @@ export class UserController {
 
   @httpPut('/current/acceptTerms')
   public async acceptTerms(@request() req: UserRequest, @response() res: Response): Promise<void> {
-    if (!req.user?.participantId) {
-      res.status(403).json({
-        message: 'Unauthorized. You do not have the necessary permissions.',
-        errorHash: req.headers.traceId,
-      });
-    }
-    const participant = await Participant.query().findById(req.user!.participantId!);
+    // TODO: This just gets the user's first participant, but it will need to get the currently selected participant as part of UID2-2822
+    const currentParticipantId = req.user?.participants?.[0].id;
+    const participant = currentParticipantId
+      ? await Participant.query().findById(currentParticipantId)
+      : undefined;
+
     if (!participant || participant.status !== ParticipantStatus.Approved) {
       res.status(403).json({
         message: 'Unauthorized. You do not have the necessary permissions.',
@@ -147,10 +146,7 @@ export class UserController {
       participantId: null,
       deleted: true,
     };
-    await Promise.all([
-      deleteUserByEmail(kcAdminClient, user?.email!),
-      user!.$query().patch(data),
-    ]);
+    await Promise.all([deleteUserByEmail(kcAdminClient, user?.email!), user!.$query().patch(data)]);
 
     res.sendStatus(200);
   }

src/api/entities/BusinessContact.ts

@@ -12,12 +12,12 @@ export class BusinessContact extends BaseModel {
   static get tableName() {
     return 'businessContacts';
   }
-  static relationMappings = {
+  static readonly relationMappings = {
     participant: {
       relation: Model.BelongsToOneRelation,
       modelClass: 'Participant',
       join: {
-        from: 'users.participantId',
+        from: 'businessContacts.participantId',
         to: 'participants.id',
       },
     },

src/api/entities/Participant.ts

@@ -5,7 +5,7 @@ import { ApiRole, ApiRoleDTO, ApiRoleSchema } from './ApiRole';
 import { BaseModel } from './BaseModel';
 import { ModelObjectOpt } from './ModelObjectOpt';
 import { ParticipantType, ParticipantTypeDTO, ParticipantTypeSchema } from './ParticipantType';
-import { User, UserCreationPartial, UserDTO, UserSchema } from './User';
+import { type User, UserCreationPartial, UserDTO, UserSchema } from './User';
 
 export enum ParticipantStatus {
   AwaitingSigning = 'awaitingSigning',
@@ -43,11 +43,15 @@ export class Participant extends BaseModel {
       },
     },
     users: {
-      relation: Model.HasManyRelation,
+      relation: Model.ManyToManyRelation,
       modelClass: 'User',
       join: {
         from: 'participants.id',
-        to: 'users.participantId',
+        through: {
+          from: 'usersToParticipantRoles.participantId',
+          to: 'usersToParticipantRoles.userId',
+        },
+        to: 'users.id',
       },
     },
     businessContacts: {

src/api/entities/User.ts

@@ -1,8 +1,9 @@
-import { Model } from 'objection';
+import Objection, { Model } from 'objection';
 import { z } from 'zod';
 
 import { BaseModel } from './BaseModel';
 import { ModelObjectOpt } from './ModelObjectOpt';
+import type { Participant } from './Participant';
 
 export interface IUser {}
 export enum UserRole {
@@ -31,23 +32,38 @@ export class User extends BaseModel {
   }
 
   static readonly relationMappings = {
-    participant: {
-      relation: Model.BelongsToOneRelation,
+    participants: {
+      relation: Model.ManyToManyRelation,
       modelClass: 'Participant',
       join: {
-        from: 'users.participantId',
+        from: 'users.id',
+        through: {
+          from: 'usersToParticipantRoles.userId',
+          to: 'usersToParticipantRoles.participantId',
+        },
         to: 'participants.id',
       },
     },
   };
+
   declare id: number;
   declare email: string;
   declare firstName: string;
   declare lastName: string;
   declare phone?: string;
   declare role: UserRole;
-  declare participantId?: number | null;
+  declare participants?: Participant[];
   declare acceptedTerms: boolean;
+
+  static readonly modifiers = {
+    withParticipants<TResult>(query: Objection.QueryBuilder<User, TResult>) {
+      const myQuery = query.withGraphFetched('participants') as Objection.QueryBuilder<
+        User,
+        TResult & { participants: Participant[] }
+      >;
+      return myQuery;
+    },
+  };
 }
 
 export type UserDTO = ModelObjectOpt<User>;
@@ -58,7 +74,6 @@ export const UserSchema = z.object({
   firstName: z.string(),
   lastName: z.string(),
   phone: z.string().optional(),
-  participantId: z.number().optional().nullable(),
   role: z.nativeEnum(UserRole).optional(),
   acceptedTerms: z.boolean(),
 });

src/api/routers/participants/participantsRouter.ts

@@ -241,13 +241,15 @@ export function createParticipantsRouter() {
         }
         const kcAdminClient = await getKcAdminClient();
         const user = await createNewUser(kcAdminClient, firstName, lastName, email);
-        await createUserInPortal({
-          email,
-          role,
-          participantId: participant!.id,
-          firstName,
-          lastName,
-        });
+        await createUserInPortal(
+          {
+            email,
+            role,
+            firstName,
+            lastName,
+          },
+          participant!.id
+        );
         await sendInviteEmail(kcAdminClient, user);
         return res.sendStatus(201);
       } catch (err) {

src/api/services/participantsService.ts

@@ -292,6 +292,7 @@ const idParser = z.object({
   participantId: z.coerce.number(),
 });
 
+// TODO: move this middleware to a separate file
 const hasParticipantAccess = async (req: ParticipantRequest, res: Response, next: NextFunction) => {
   const { participantId } = idParser.parse(req.params);
   const traceId = getTraceId(req);
@@ -309,6 +310,7 @@ const hasParticipantAccess = async (req: ParticipantRequest, res: Response, next
   return next();
 };
 
+// TODO: move this middleware to a separate file
 const enrichCurrentParticipant = async (
   req: ParticipantRequest,
   res: Response,
@@ -319,19 +321,23 @@ const enrichCurrentParticipant = async (
   if (!user) {
     return res.status(404).send([{ message: 'The user cannot be found.' }]);
   }
-  const participant = await Participant.query().findById(user.participantId!);
+  // TODO: This just gets the user's first participant, but it will need to get the currently selected participant as part of UID2-2822
+  const participant = user.participants?.[0];
+
   if (!participant) {
     return res.status(404).send([{ message: 'The participant cannot be found.' }]);
   }
   req.participant = participant;
   return next();
 };
 
+// TODO: move this middleware to a separate file
 export const checkParticipantId = async (
   req: ParticipantRequest,
   res: Response,
   next: NextFunction
 ) => {
+  // TODO: Remove support for 'current' in UID2-2822
   if (req.params.participantId === 'current') {
     return enrichCurrentParticipant(req, res, next);
   }

src/api/services/userService.ts

@@ -1,7 +1,6 @@
 import { injectable } from 'inversify';
 import { z } from 'zod';
 
-import { Participant } from '../entities/Participant';
 import { ParticipantType } from '../entities/ParticipantType';
 import { UserRole } from '../entities/User';
 import { mapClientTypeToParticipantType } from '../helpers/siteConvertingHelpers';
@@ -33,9 +32,8 @@ export class UserService {
   }
 
   public async getCurrentParticipant(req: UserRequest) {
-    const currentParticipant = await Participant.query().findOne({
-      id: req.user!.participantId,
-    });
+    // TODO: This just gets the user's first participant, but it will need to get the currently selected participant as part of UID2-2822
+    const currentParticipant = req.user?.participants?.[0];
     const currentSite = !currentParticipant?.siteId
       ? undefined
       : await getSite(currentParticipant?.siteId);

src/api/services/usersService.ts

@@ -9,7 +9,7 @@ import { isUserAnApprover } from './approversService';
 export type UserWithIsApprover = User & { isApprover: boolean };
 
 export const findUserByEmail = async (email: string) => {
-  return User.query().findOne('email', email).where('deleted', 0);
+  return User.query().findOne('email', email).where('deleted', 0).modify('withParticipants');
 };
 
 export const enrichUserWithIsApprover = async (user: User) => {
@@ -20,28 +20,40 @@ export const enrichUserWithIsApprover = async (user: User) => {
   };
 };
 
-export const createUserInPortal = async (user: Omit<UserDTO, 'id' | 'acceptedTerms'>) => {
+// TODO: Update this method so that if an existing user is invited, it will still add the new participant + mapping.
+export const createUserInPortal = async (
+  user: Omit<UserDTO, 'id' | 'acceptedTerms'>,
+  participantId: number
+) => {
   const existingUser = await findUserByEmail(user.email);
   if (existingUser) return existingUser;
-  return User.query().insert(user);
+  const newUser = await User.query().insert(user);
+  // Update the user <-> participant mapping
+  await newUser.$relatedQuery('participants').relate(participantId);
 };
 
+// TODO: move this middleware to a separate file
 export const isUserBelongsToParticipant = async (
   email: string,
   participantId: number,
   traceId: string
 ) => {
-  const user = await User.query()
-    .where('email', email)
-    .andWhere('deleted', 0)
-    .andWhere('participantId', participantId)
-    .first();
+  const { errorLogger } = getLoggers();
+  const userWithParticipants = await User.query()
+    .findOne({ email, deleted: 0 })
+    .modify('withParticipants');
 
-  if (!user) {
-    const { errorLogger } = getLoggers();
-    errorLogger.error(`Denied access to participant ID ${participantId} by user ${email}`, traceId);
+  if (!userWithParticipants) {
+    errorLogger.error(`User with email ${email} not found`, traceId);
+    return false;
+  }
+  for (const participant of userWithParticipants.participants!) {
+    if (participant.id === participantId) {
+      return true;
+    }
   }
-  return !!user;
+  errorLogger.error(`Denied access to participant ID ${participantId} by user ${email}`, traceId);
+  return false;
 };
 
 export interface UserRequest extends Request {
@@ -60,6 +72,7 @@ const userIdParser = z.object({
   userId: z.coerce.number(),
 });
 
+// TODO: move this middleware to a separate file
 export const enrichCurrentUser = async (req: UserRequest, res: Response, next: NextFunction) => {
   const userEmail = req.auth?.payload?.email as string;
   const user = await findUserByEmail(userEmail);
@@ -70,21 +83,29 @@ export const enrichCurrentUser = async (req: UserRequest, res: Response, next: N
   return next();
 };
 
+// TODO: move this middleware to a separate file
 export const enrichWithUserFromParams = async (
   req: UserRequest,
   res: Response,
   next: NextFunction
 ) => {
   const { userId } = userIdParser.parse(req.params);
   const traceId = getTraceId(req);
-  const user = await User.query().findById(userId);
+  const user = await User.query().findById(userId).modify('withParticipants');
+
   if (!user) {
     return res.status(404).send([{ message: 'The user cannot be found.' }]);
   }
+  if (user.participants?.length === 0) {
+    return res.status(404).send([{ message: 'The participant for that user cannot be found.' }]);
+  }
+
+  // TODO: This just gets the user's first participant, but it will need to get the currently selected participant as part of UID2-2822
+  const firstParticipant = user.participants?.[0] as Participant;
   if (
     !(await isUserBelongsToParticipant(
       req.auth?.payload?.email as string,
-      user.participantId!,
+      firstParticipant.id,
       traceId
     ))
   ) {
@@ -96,5 +117,5 @@ export const enrichWithUserFromParams = async (
 };
 
 export const getAllUserFromParticipant = async (participant: Participant) => {
-  return participant!.$relatedQuery('users').castTo<User[]>();
+  return participant.$relatedQuery('users').where('deleted', 0).castTo<User[]>();
 };

src/api/tests/businessContactService.spec.ts

@@ -18,7 +18,7 @@ describe('Business Contact Service Tests', () => {
   });
 
   afterEach(() => {
-    jest.resetAllMocks();
+    jest.restoreAllMocks();
   });
 
   describe('hasBusinessContactAccess middleware', () => {