Skip to content

Commit 970e89f

Browse files
committed
Merge branch 'feature/DEVSU-2656-email-notification' of github.com:bcgsc/pori_ipr_api into feature/DEVSU-2656-email-notification
2 parents 9cf93f0 + b77b597 commit 970e89f

1 file changed

Lines changed: 87 additions & 82 deletions

File tree

app/middleware/acl.js

Lines changed: 87 additions & 82 deletions
Original file line numberDiff line numberDiff line change
@@ -110,109 +110,114 @@ const SPECIAL_CASES = [
110110
];
111111

112112
module.exports = async (req, res, next) => {
113-
// Update last time the user logged in, limit to once a day
114-
const currentDate = new Date().toDateString();
115-
let userMetadata = await db.models.userMetadata.findOrCreate({where: {userId: req.user.id}});
116-
userMetadata = userMetadata[0];
117-
const userLastLogin = userMetadata.lastLoginAt
118-
? new Date(userMetadata.lastLoginAt).toDateString()
119-
: '';
120-
if (userLastLogin !== currentDate) {
121-
await userMetadata.update({lastLoginAt: new Date()});
122-
}
123-
124113
try {
125-
if (req.query.clinician_view && hasManagerAccess(req.user)) {
126-
req.user.groups = [{name: 'Clinician'}];
114+
// Update last time the user logged in, limit to once a day
115+
const currentDate = new Date().toDateString();
116+
let userMetadata = await db.models.userMetadata.findOrCreate({where: {userId: req.user.id}});
117+
userMetadata = userMetadata[0];
118+
const userLastLogin = userMetadata.lastLoginAt
119+
? new Date(userMetadata.lastLoginAt).toDateString()
120+
: '';
121+
if (userLastLogin !== currentDate) {
122+
await userMetadata.update({lastLoginAt: new Date()});
127123
}
128-
} catch {
129-
logger.error('Clinician View error: Using users normal group');
130-
}
131124

132-
// Check if user is an admin
133-
if (isAdmin(req.user)) {
134-
return next();
135-
}
136-
137-
// Get route
138-
const [route] = req.originalUrl.split('?');
139-
140-
// See if route exists in special cases
141-
const spCase = SPECIAL_CASES.find((value) => {
142-
return route.match(value.path);
143-
});
125+
try {
126+
if (req.query.clinician_view && hasManagerAccess(req.user)) {
127+
req.user.groups = [{name: 'Clinician'}];
128+
}
129+
} catch {
130+
logger.error('Clinician View error: Using users normal group');
131+
}
144132

145-
// Check that route and method have special rules
146-
if (spCase && spCase[req.method]) {
147-
if (spCase[req.method].includes('*')
148-
|| isIntersectionBy(req.user.groups, spCase[req.method], 'name')
149-
) {
133+
// Check if user is an admin
134+
if (isAdmin(req.user)) {
150135
return next();
151136
}
152137

153-
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl}`);
154-
return res.status(FORBIDDEN).json({
155-
error: {message: 'You do not have the correct permissions to access this'},
156-
});
157-
}
138+
// Get route
139+
const [route] = req.originalUrl.split('?');
158140

159-
if (!hasAccessToGermlineReports(req.user) && !isManager(req.user) && route.includes('/germline-small-mutation-reports')) {
160-
logger.error('User does not have germline access');
161-
return res.status(
162-
FORBIDDEN,
163-
).json({error: {message: 'User does not have access to Germline reports'}});
164-
}
141+
// See if route exists in special cases
142+
const spCase = SPECIAL_CASES.find((value) => {
143+
return route.match(value.path);
144+
});
165145

166-
if (req.report) {
167-
// check if user is bound to report depending on report type
168-
let boundUser;
169-
try {
170-
if (req.report.biofxAssigned) {
171-
boundUser = req.report.biofxAssigned.ident === req.user.ident;
172-
} else {
173-
boundUser = req.report.users.some((reportUser) => {
174-
return reportUser.user.ident === req.user.ident;
175-
}) || req.report.createdBy?.ident === req.user.ident;
146+
// Check that route and method have special rules
147+
if (spCase && spCase[req.method]) {
148+
if (spCase[req.method].includes('*')
149+
|| isIntersectionBy(req.user.groups, spCase[req.method], 'name')
150+
) {
151+
return next();
176152
}
177-
} catch {
178-
logger.error('Error while retrieving bound user');
179-
}
180153

181-
// If the user doesn't have access to the project this report
182-
// belongs to or the user is trying to make an update
183-
// and they don't have update permissions throw an error
184-
if (!projectAccess(req.user, req.report)
185-
|| (UPDATE_METHODS.includes(req.method)
186-
&& !(boundUser || hasAccess(req.user, MASTER_REPORT_ACCESS)))
187-
) {
188154
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl}`);
189155
return res.status(FORBIDDEN).json({
190156
error: {message: 'You do not have the correct permissions to access this'},
191157
});
192158
}
193159

194-
// If user is trying to make an update and the report is completed
195-
// and they dont have update permissions, throw an error
196-
if (UPDATE_METHODS.includes(req.method)
197-
&& req.report.state === 'completed'
198-
&& !(boundUser || hasAccess(req.user, MASTER_REPORT_ACCESS))
199-
) {
200-
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl} - Report is marked as complete`);
160+
if (!hasAccessToGermlineReports(req.user) && !isManager(req.user) && route.includes('/germline-small-mutation-reports')) {
161+
logger.error('User does not have germline access');
162+
return res.status(
163+
FORBIDDEN,
164+
).json({error: {message: 'User does not have access to Germline reports'}});
165+
}
166+
167+
if (req.report) {
168+
// check if user is bound to report depending on report type
169+
let boundUser;
170+
try {
171+
if (req.report.biofxAssigned) {
172+
boundUser = req.report.biofxAssigned.ident === req.user.ident;
173+
} else {
174+
boundUser = req.report.users.some((reportUser) => {
175+
return reportUser.user.ident === req.user.ident;
176+
}) || req.report.createdBy?.ident === req.user.ident;
177+
}
178+
} catch {
179+
logger.error('Error while retrieving bound user');
180+
}
181+
182+
// If the user doesn't have access to the project this report
183+
// belongs to or the user is trying to make an update
184+
// and they don't have update permissions throw an error
185+
if (!projectAccess(req.user, req.report)
186+
|| (UPDATE_METHODS.includes(req.method)
187+
&& !(boundUser || hasAccess(req.user, MASTER_REPORT_ACCESS)))
188+
) {
189+
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl}`);
190+
return res.status(FORBIDDEN).json({
191+
error: {message: 'You do not have the correct permissions to access this'},
192+
});
193+
}
194+
195+
// If user is trying to make an update and the report is completed
196+
// and they dont have update permissions, throw an error
197+
if (UPDATE_METHODS.includes(req.method)
198+
&& req.report.state === 'completed'
199+
&& !(boundUser || hasAccess(req.user, MASTER_REPORT_ACCESS))
200+
) {
201+
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl} - Report is marked as complete`);
202+
return res.status(FORBIDDEN).json({
203+
error: {message: 'Report is marked as completed and update has been restricted'},
204+
});
205+
}
206+
207+
return next();
208+
}
209+
210+
// Allow users to edit themselves for allowNotifications field
211+
if ((UPDATE_METHODS.includes(req.method) && !hasManagerAccess(req.user)) && !req.originalUrl.includes('/api/user')) {
212+
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl}`);
201213
return res.status(FORBIDDEN).json({
202-
error: {message: 'Report is marked as completed and update has been restricted'},
214+
error: {message: 'You do not have the correct permissions to access this'},
203215
});
204216
}
205217

206218
return next();
219+
} catch (e) {
220+
logger.error(`Authentication error: ${e.message}`);
221+
return null;
207222
}
208-
209-
// Allow users to edit themselves for allowNotifications field
210-
if ((UPDATE_METHODS.includes(req.method) && !hasManagerAccess(req.user)) && !req.originalUrl.includes('/api/user')) {
211-
logger.error(`User: ${req.user.username} is trying to make a ${req.method} request to ${req.originalUrl}`);
212-
return res.status(FORBIDDEN).json({
213-
error: {message: 'You do not have the correct permissions to access this'},
214-
});
215-
}
216-
217-
return next();
218223
};

0 commit comments

Comments
 (0)