From 21446b530a1c3bbe8b61be5b96b0e69e8403a871 Mon Sep 17 00:00:00 2001
From: Dan Nita
Date: Tue, 21 Feb 2023 14:43:30 +0000
Subject: [PATCH] update darrequest util

---
 src/resources/datarequest/utils/datarequest.util.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/resources/datarequest/utils/datarequest.util.js b/src/resources/datarequest/utils/datarequest.util.js
index 1faea00e..3fe9b068 100644
--- a/src/resources/datarequest/utils/datarequest.util.js
+++ b/src/resources/datarequest/utils/datarequest.util.js
@@ -35,31 +35,33 @@ const injectQuestionActions = (jsonSchema, userType, applicationStatus, role = '
 const getUserPermissionsForApplication = (application, userId, _id) => {
 let authorised = false,
- userType = '';
+ userType = '',
+ isTeamMember = false;
 if (!application || !userId || !_id) {
 throw new HttpExceptions(`User not authorized to perform this action`,403);
 }
 if (has(application, 'datasets') && has(application.datasets[0], 'publisher.team')) {
- teamV3Util.checkUserRolesByTeam(
+ isTeamMember = teamV3Util.checkUserRolesByTeam(
 [constants.roleMemberTeam.CUST_DAR_MANAGER],
 application.datasets[0].publisher.team,
 _id
 );
 } else if (has(application, 'publisherObj.team')) {
- teamV3Util.checkUserRolesByTeam(
+ isTeamMember = teamV3Util.checkUserRolesByTeam(
 [constants.roleMemberTeam.CUST_DAR_MANAGER],
 application.publisherObj.team,
 _id
 );
 }
- if ((application.applicationStatus !== constants.applicationStatuses.INPROGRESS || application.isShared)) {
+ if (isTeamMember && (application.applicationStatus !== constants.applicationStatuses.INPROGRESS || application.isShared)) {
 userType = constants.userTypes.CUSTODIAN;
 authorised = true;
 }
+ // If user is not authenticated as a custodian, check if they are an author or the main applicant
 if (application.applicationStatus === constants.applicationStatuses.INPROGRESS || isEmpty(userType)) {
 if (application.userId === userId || (application.authorIds && application.authorIds.includes(userId))) {
 userType = constants.userTypes.APPLICANT;
@@ -70,7 +72,7 @@ const getUserPermissionsForApplication = (application, userId, _id) => {
 if (authorised) {
 return userType;
 }
-
+
 throw new HttpExceptions(`User not authorized to perform this action`, 403);
 };
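Review bot: The new custodian gate `if (isTeamMember && (...))` is only as strong as the return contract of `teamV3Util.checkUserRolesByTeam`, which this hunk does not show; if that helper ever returns a non-boolean such as a list of matched roles or a count, an empty result is still truthy in JavaScript and the custodian path would again be reachable by non-members, which is exactly what this commit sets out to close. Since the previous code discarded the return value entirely, the helper may also be one that throws on non-membership; either way the assumption should be pinned, e.g. by a comment on the declaration `let ... isTeamMember = false; // expected: boolean from checkUserRolesByTeam — confirm the helper never returns a truthy non-boolean` and by a unit test covering a user who is neither a team member nor an author on a non-INPROGRESS application. The added comment also says "authenticated" where the check is about authorisation; suggest `// If the user is not authorised as a custodian, check whether they are an author or the main applicant`. The function gains no JSDoc; a header stating that it returns the resolved user type and throws HttpExceptions(403) on any missing argument or failed check would help the next reader. The body of getUserPermissionsForApplication continues between this hunk and the next one at `@@ -70,7`.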