Only admitted users may rate projects

Author: sezanzeb

backend/src/services/rating-service.ts

@@ -227,6 +227,12 @@ export class RatingService implements IRatingService {
    * Check if the user is permitted to create/modify/delete this rating.
    */
   private async checkPermission(rating: Rating, user: User): Promise<void> {
+    if (!user.admitted) {
+      throw new ForbiddenError(
+        "Only admitted users may rate projects",
+      );
+    }
+
     const settings = await this._settings.getSettings();
     if (!settings.application.allowRatingProjects) {
       throw new ForbiddenError(

backend/test/services/rating-service.spec.ts

@@ -58,6 +58,7 @@ describe("RatingService", () => {
     ratingUser.verifyToken = "";
     ratingUser.tokenSecret = "";
     ratingUser.forgotPasswordToken = "";
+    ratingUser.admitted = true;
 
     // A user who is a member of the project team
     teamMember = new User();
@@ -69,6 +70,7 @@ describe("RatingService", () => {
     teamMember.verifyToken = "";
     teamMember.tokenSecret = "";
     teamMember.forgotPasswordToken = "";
+    teamMember.admitted = true;
 
     [ratingUser, teamMember] = await userRepo.save([ratingUser, teamMember]);
 
@@ -98,6 +100,23 @@ describe("RatingService", () => {
 
   describe("checkPermission", () => {
     describe("via upsertRating", () => {
+      it("throws ForbiddenError if user is not admitted", async () => {
+        expect.assertions(1);
+
+        ratingUser.admitted = false
+
+        const rating = Object.assign(new Rating(), {
+          project: mockProject,
+          user: ratingUser,
+          criterion: mockCriterion,
+          rating: 3,
+        });
+
+        await expect(
+          ratingService.upsertRating(rating, ratingUser),
+        ).rejects.toThrow(ForbiddenError);
+      });
+
       it("throws ForbiddenError when rating is globally disabled", async () => {
         expect.assertions(1);