Permit access middleware added

bcgov · Jan 30, 2025 · cfdd121 · cfdd121
1 parent 36e9fcd
commit cfdd121
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/app/src/middleware/authorization.ts b/app/src/middleware/authorization.ts
@@ -13,7 +13,7 @@ import {
   yarsService
 } from '../services';
 import { Initiative, GroupName } from '../utils/enums/application';
-import { getCurrentSubject } from '../utils/utils';
+import { getCurrentSubject, getCurrentUsername } from '../utils/utils';
 
 import type { NextFunction, Request, Response } from 'express';
 import { CurrentAuthorization } from '../types';
@@ -150,3 +150,30 @@ export const hasAccess = (param: string) => {
     next();
   };
 };
+
+export const hasAccessPermit = (param: string) => {
+  return async (req: Request, res: Response, next: NextFunction) => {
+    try {
+      if (req.currentAuthorization?.attributes.includes('scope:self')) {
+        const id = req.params[param];
+        const userId = await userService.getCurrentUserId(getCurrentSubject(req.currentContext), NIL);
+
+        let data;
+        const func = paramMap.get(param);
+        if (func) data = await func(id);
+
+        if (!data || data?.createdBy !== userId) {
+          const submission = (await submissionService.searchSubmissions({ activityId: [data.activityId] }))[0];
+          if (!submission || submission?.submittedBy !== getCurrentUsername(req.currentContext))
+            throw new Error('No access');
+        }
+      }
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    } catch (err: any) {
+      return next(new Problem(403, { detail: err.message, instance: req.originalUrl }));
+    }
+
+    // Continue middleware
+    next();
+  };
+};
diff --git a/frontend/src/locales/en-CA.json b/frontend/src/locales/en-CA.json
@@ -96,7 +96,7 @@
     "logout": "Log out"
   },
   "permitStatusView": {
-    "additionalUpdates": "Additional updates.",
+    "additionalUpdates": "Additional updates",
     "applicationProgress": "Application progress",
     "askNav": "Ask my Navigator",
     "contactNav": "Contact your Navigator for this project for further updates on this application.",

diff --git a/frontend/src/views/housing/project/ProjectView.vue b/frontend/src/views/housing/project/ProjectView.vue
@@ -165,12 +165,11 @@ onMounted(async () => {
   typeStore.setPermitTypes(permitTypesValue);
 
   // Fetch contacts for createdBy and assignedUserId
-  const userIds = [];
   // Push only thruthy values into the array
-  userIds.push(...[submissionValue?.assignedUserId, submissionValue?.createdBy].filter(Boolean));
+  const userIds = [submissionValue?.assignedUserId, submissionValue?.createdBy].filter(Boolean);
   const contacts = (await contactService.searchContacts({ userId: userIds })).data;
-  assignee.value = contacts.find((contact: Contact) => contact.userId === submissionValue?.assignedUserId) || undefined;
-  createdBy.value = contacts.find((contact: Contact) => contact.userId === submissionValue?.createdBy) || undefined;
+  assignee.value = contacts.find((contact: Contact) => contact.userId === submissionValue?.assignedUserId);
+  createdBy.value = contacts.find((contact: Contact) => contact.userId === submissionValue?.createdBy);
 
   loading.value = false;
 });