@@ -110,109 +110,114 @@ const SPECIAL_CASES = [
110110] ;
111111
112112module . exports = async ( req , res , next ) => {
113- // Update last time the user logged in, limit to once a day
114- const currentDate = new Date ( ) . toDateString ( ) ;
115- let userMetadata = await db . models . userMetadata . findOrCreate ( { where : { userId : req . user . id } } ) ;
116- userMetadata = userMetadata [ 0 ] ;
117- const userLastLogin = userMetadata . lastLoginAt
118- ? new Date ( userMetadata . lastLoginAt ) . toDateString ( )
119- : '' ;
120- if ( userLastLogin !== currentDate ) {
121- await userMetadata . update ( { lastLoginAt : new Date ( ) } ) ;
122- }
123-
124113 try {
125- if ( req . query . clinician_view && hasManagerAccess ( req . user ) ) {
126- req . user . groups = [ { name : 'Clinician' } ] ;
114+ // Update last time the user logged in, limit to once a day
115+ const currentDate = new Date ( ) . toDateString ( ) ;
116+ let userMetadata = await db . models . userMetadata . findOrCreate ( { where : { userId : req . user . id } } ) ;
117+ userMetadata = userMetadata [ 0 ] ;
118+ const userLastLogin = userMetadata . lastLoginAt
119+ ? new Date ( userMetadata . lastLoginAt ) . toDateString ( )
120+ : '' ;
121+ if ( userLastLogin !== currentDate ) {
122+ await userMetadata . update ( { lastLoginAt : new Date ( ) } ) ;
127123 }
128- } catch {
129- logger . error ( 'Clinician View error: Using users normal group' ) ;
130- }
131124
132- // Check if user is an admin
133- if ( isAdmin ( req . user ) ) {
134- return next ( ) ;
135- }
136-
137- // Get route
138- const [ route ] = req . originalUrl . split ( '?' ) ;
139-
140- // See if route exists in special cases
141- const spCase = SPECIAL_CASES . find ( ( value ) => {
142- return route . match ( value . path ) ;
143- } ) ;
125+ try {
126+ if ( req . query . clinician_view && hasManagerAccess ( req . user ) ) {
127+ req . user . groups = [ { name : 'Clinician' } ] ;
128+ }
129+ } catch {
130+ logger . error ( 'Clinician View error: Using users normal group' ) ;
131+ }
144132
145- // Check that route and method have special rules
146- if ( spCase && spCase [ req . method ] ) {
147- if ( spCase [ req . method ] . includes ( '*' )
148- || isIntersectionBy ( req . user . groups , spCase [ req . method ] , 'name' )
149- ) {
133+ // Check if user is an admin
134+ if ( isAdmin ( req . user ) ) {
150135 return next ( ) ;
151136 }
152137
153- logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } ` ) ;
154- return res . status ( FORBIDDEN ) . json ( {
155- error : { message : 'You do not have the correct permissions to access this' } ,
156- } ) ;
157- }
138+ // Get route
139+ const [ route ] = req . originalUrl . split ( '?' ) ;
158140
159- if ( ! hasAccessToGermlineReports ( req . user ) && ! isManager ( req . user ) && route . includes ( '/germline-small-mutation-reports' ) ) {
160- logger . error ( 'User does not have germline access' ) ;
161- return res . status (
162- FORBIDDEN ,
163- ) . json ( { error : { message : 'User does not have access to Germline reports' } } ) ;
164- }
141+ // See if route exists in special cases
142+ const spCase = SPECIAL_CASES . find ( ( value ) => {
143+ return route . match ( value . path ) ;
144+ } ) ;
165145
166- if ( req . report ) {
167- // check if user is bound to report depending on report type
168- let boundUser ;
169- try {
170- if ( req . report . biofxAssigned ) {
171- boundUser = req . report . biofxAssigned . ident === req . user . ident ;
172- } else {
173- boundUser = req . report . users . some ( ( reportUser ) => {
174- return reportUser . user . ident === req . user . ident ;
175- } ) || req . report . createdBy ?. ident === req . user . ident ;
146+ // Check that route and method have special rules
147+ if ( spCase && spCase [ req . method ] ) {
148+ if ( spCase [ req . method ] . includes ( '*' )
149+ || isIntersectionBy ( req . user . groups , spCase [ req . method ] , 'name' )
150+ ) {
151+ return next ( ) ;
176152 }
177- } catch {
178- logger . error ( 'Error while retrieving bound user' ) ;
179- }
180153
181- // If the user doesn't have access to the project this report
182- // belongs to or the user is trying to make an update
183- // and they don't have update permissions throw an error
184- if ( ! projectAccess ( req . user , req . report )
185- || ( UPDATE_METHODS . includes ( req . method )
186- && ! ( boundUser || hasAccess ( req . user , MASTER_REPORT_ACCESS ) ) )
187- ) {
188154 logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } ` ) ;
189155 return res . status ( FORBIDDEN ) . json ( {
190156 error : { message : 'You do not have the correct permissions to access this' } ,
191157 } ) ;
192158 }
193159
194- // If user is trying to make an update and the report is completed
195- // and they dont have update permissions, throw an error
196- if ( UPDATE_METHODS . includes ( req . method )
197- && req . report . state === 'completed'
198- && ! ( boundUser || hasAccess ( req . user , MASTER_REPORT_ACCESS ) )
199- ) {
200- logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } - Report is marked as complete` ) ;
160+ if ( ! hasAccessToGermlineReports ( req . user ) && ! isManager ( req . user ) && route . includes ( '/germline-small-mutation-reports' ) ) {
161+ logger . error ( 'User does not have germline access' ) ;
162+ return res . status (
163+ FORBIDDEN ,
164+ ) . json ( { error : { message : 'User does not have access to Germline reports' } } ) ;
165+ }
166+
167+ if ( req . report ) {
168+ // check if user is bound to report depending on report type
169+ let boundUser ;
170+ try {
171+ if ( req . report . biofxAssigned ) {
172+ boundUser = req . report . biofxAssigned . ident === req . user . ident ;
173+ } else {
174+ boundUser = req . report . users . some ( ( reportUser ) => {
175+ return reportUser . user . ident === req . user . ident ;
176+ } ) || req . report . createdBy ?. ident === req . user . ident ;
177+ }
178+ } catch {
179+ logger . error ( 'Error while retrieving bound user' ) ;
180+ }
181+
182+ // If the user doesn't have access to the project this report
183+ // belongs to or the user is trying to make an update
184+ // and they don't have update permissions throw an error
185+ if ( ! projectAccess ( req . user , req . report )
186+ || ( UPDATE_METHODS . includes ( req . method )
187+ && ! ( boundUser || hasAccess ( req . user , MASTER_REPORT_ACCESS ) ) )
188+ ) {
189+ logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } ` ) ;
190+ return res . status ( FORBIDDEN ) . json ( {
191+ error : { message : 'You do not have the correct permissions to access this' } ,
192+ } ) ;
193+ }
194+
195+ // If user is trying to make an update and the report is completed
196+ // and they dont have update permissions, throw an error
197+ if ( UPDATE_METHODS . includes ( req . method )
198+ && req . report . state === 'completed'
199+ && ! ( boundUser || hasAccess ( req . user , MASTER_REPORT_ACCESS ) )
200+ ) {
201+ logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } - Report is marked as complete` ) ;
202+ return res . status ( FORBIDDEN ) . json ( {
203+ error : { message : 'Report is marked as completed and update has been restricted' } ,
204+ } ) ;
205+ }
206+
207+ return next ( ) ;
208+ }
209+
210+ // Allow users to edit themselves for allowNotifications field
211+ if ( ( UPDATE_METHODS . includes ( req . method ) && ! hasManagerAccess ( req . user ) ) && ! req . originalUrl . includes ( '/api/user' ) ) {
212+ logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } ` ) ;
201213 return res . status ( FORBIDDEN ) . json ( {
202- error : { message : 'Report is marked as completed and update has been restricted ' } ,
214+ error : { message : 'You do not have the correct permissions to access this ' } ,
203215 } ) ;
204216 }
205217
206218 return next ( ) ;
219+ } catch ( e ) {
220+ logger . error ( `Authentication error: ${ e . message } ` ) ;
221+ return null ;
207222 }
208-
209- // Allow users to edit themselves for allowNotifications field
210- if ( ( UPDATE_METHODS . includes ( req . method ) && ! hasManagerAccess ( req . user ) ) && ! req . originalUrl . includes ( '/api/user' ) ) {
211- logger . error ( `User: ${ req . user . username } is trying to make a ${ req . method } request to ${ req . originalUrl } ` ) ;
212- return res . status ( FORBIDDEN ) . json ( {
213- error : { message : 'You do not have the correct permissions to access this' } ,
214- } ) ;
215- }
216-
217- return next ( ) ;
218223} ;
0 commit comments