fix(events): only returning special fields to those who have rights

AEGEE · Dec 30, 2019 · fa142b5 · fa142b5
1 parent 22c6a39
commit fa142b5
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 2 deletions.
diff --git a/lib/constants.js b/lib/constants.js
@@ -11,6 +11,24 @@ module.exports = {
         created_at: 'Created at',
         updated_at: 'Updated at'
     },
+    EVENT_PUBLIC_FIELDS: [
+        'id',
+        'name',
+        'url',
+        'image',
+        'description',
+        'application_starts',
+        'application_ends',
+        'starts',
+        'ends',
+        'fee',
+        'organizing_bodies',
+        'locations',
+        'type',
+        'questions',
+        'max_participants',
+        'application_status'
+    ],
     EVENT_TYPES: ['wu', 'es', 'nwm', 'ltc', 'rtc', 'european'],
     CURRENT_USER_PREFIX: 'me'
 };
diff --git a/lib/events.js b/lib/events.js
@@ -1,5 +1,6 @@
 const errors = require('./errors');
 const merge = require('./merge');
+const constants = require('./constants');
 const helpers = require('./helpers');
 const { Event, Application } = require('../models');
 const { Sequelize } = require('./sequelize');
@@ -152,7 +153,14 @@ exports.addEvent = async (req, res) => {
 };
 
 exports.eventDetails = async (req, res) => {
-    const event = req.event.toJSON();
+    let event = req.event.toJSON();
+
+    // Some fields shouldn't be public and only should be displayed to EQAC/CD/admins/organizers.
+    if (!helpers.isOrganizer(event, req.user)
+        && !req.permissions.manage_event[event.type]
+        && !req.permissions.approve_event[event.type]) {
+        event = helpers.whitelistObject(event, constants.EVENT_PUBLIC_FIELDS);
+    }
 
     return res.json({
         success: true,

diff --git a/lib/helpers.js b/lib/helpers.js
@@ -8,7 +8,8 @@ exports.getDefaultQuery = (req) => {
     // Default filter is empty.
     const queryObj = {
         where: {},
-        order: [['starts', 'ASC']]
+        order: [['starts', 'ASC']],
+        select: constants.EVENT_PUBLIC_FIELDS
     };
 
     // If search is set, searching for event by name or description case-insensitive.
@@ -115,6 +116,16 @@ exports.beautify = (value) => {
     return value;
 };
 
+// A helper to whilelist object's properties.
+exports.whitelistObject = (object, allowedFields) => {
+    const newObject = {};
+    for (const field of allowedFields) {
+        newObject[field] = object[field];
+    }
+
+    return newObject;
+};
+
 // A helper to get the names for application fields. Useful for exporting for getting columns headers.
 exports.getApplicationFields = (event) => {
     const fields = { ...constants.APPLICATION_FIELD_NAMES };

diff --git a/test/api/events-approval.test.js b/test/api/events-approval.test.js
@@ -93,4 +93,80 @@ describe('Events approval', () => {
         const eventFromDb = await Event.findByPk(event.id);
         expect(eventFromDb.status).not.toEqual('published');
     });
+
+    it('should not allow changing status from draft if budget is null', async () => {
+        const event = await generator.createEvent({
+            status: 'draft',
+            budget: null
+        });
+
+        const res = await request({
+            uri: '/single/' + event.id + '/status',
+            headers: { 'X-Auth-Token': 'foobar' },
+            method: 'PUT',
+            body: { status: 'published' }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body.errors).toHaveProperty('is_budget_set');
+    });
+
+    it('should not allow changing status from draft if budget is empty', async () => {
+        const event = await generator.createEvent({
+            status: 'draft',
+            budget: '\t\t\t   \t \t'
+        });
+
+        const res = await request({
+            uri: '/single/' + event.id + '/status',
+            headers: { 'X-Auth-Token': 'foobar' },
+            method: 'PUT',
+            body: { status: 'published' }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body.errors).toHaveProperty('is_budget_set');
+    });
+
+    it('should not allow changing status from draft if programme is null', async () => {
+        const event = await generator.createEvent({
+            status: 'draft',
+            programme: null
+        });
+
+        const res = await request({
+            uri: '/single/' + event.id + '/status',
+            headers: { 'X-Auth-Token': 'foobar' },
+            method: 'PUT',
+            body: { status: 'published' }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body.errors).toHaveProperty('is_programme_set');
+    });
+
+    it('should not allow changing status from draft if programme is empty', async () => {
+        const event = await generator.createEvent({
+            status: 'draft',
+            programme: '\t\t\t   \t \t'
+        });
+
+        const res = await request({
+            uri: '/single/' + event.id + '/status',
+            headers: { 'X-Auth-Token': 'foobar' },
+            method: 'PUT',
+            body: { status: 'published' }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body.errors).toHaveProperty('is_programme_set');
+    });
 });
diff --git a/test/api/events-details.test.js b/test/api/events-details.test.js
@@ -79,4 +79,25 @@ describe('Events details', () => {
 
         expect(res.statusCode).toEqual(404);
     });
+
+    it('should not return special fields if the user does not have rights', async () => {
+        mock.mockAll({ mainPermissions: { noPermissions: true } });
+
+        const event = await generator.createEvent({
+            organizers: [{ user_id: 1337, first_name: 'test', last_name: 'test' }]
+        });
+        const res = await request({
+            uri: '/single/' + event.id,
+            headers: { 'X-Auth-Token': 'foobar' },
+            method: 'GET'
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body).toHaveProperty('data');
+        expect(res.body.data).not.toHaveProperty('organizers');
+        expect(res.body.data).not.toHaveProperty('budget');
+        expect(res.body.data).not.toHaveProperty('programme');
+        expect(res.body.data).not.toHaveProperty('status');
+        expect(res.body.data).not.toHaveProperty('deleted');
+    });
 });