diff --git a/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java b/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java index 7a57a82db..03c5796ab 100644 --- a/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java +++ b/server/src/main/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestServicesImpl.java @@ -198,6 +198,15 @@ public FeedbackRequest update(FeedbackRequestUpdateDTO feedbackRequestUpdateDTO) MemberProfile reviewerMemberProfile; FeedbackExternalRecipient reviewerExternalRecipient; String reviewerFirstName, reviewerEmail; + MemberProfile currentUser; + boolean currentUserEqualsRequestee = false; + + try { + currentUser = currentUserServices.getCurrentUser(); + } catch (NotFoundException notFoundException) { + currentUser = null; + } + final FeedbackRequest feedbackRequest = this.getFromDTO(feedbackRequestUpdateDTO); FeedbackRequest originalFeedback = null; @@ -210,6 +219,8 @@ public FeedbackRequest update(FeedbackRequestUpdateDTO feedbackRequestUpdateDTO) throw new BadArgException("Cannot update feedback request that does not exist"); } + if (currentUser != null) currentUserEqualsRequestee = currentUser.getId().equals(originalFeedback.getRequesteeId()); + validateMembers(originalFeedback); Set reviewAssignmentsSet = Set.of(); @@ -227,7 +238,7 @@ public FeedbackRequest update(FeedbackRequestUpdateDTO feedbackRequestUpdateDTO) // If a status update is made to anything other than submitted by the requestee, throw an error. if (!"submitted".equals(feedbackRequest.getStatus()) && !Objects.equals(originalFeedback.getStatus(), feedbackRequest.getStatus()) - && currentUserServices.getCurrentUser().getId().equals(originalFeedback.getRequesteeId())) { + && currentUserEqualsRequestee) { throw new PermissionException(NOT_AUTHORIZED_MSG); } 
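Review bot: Catching `NotFoundException` and carrying on with `currentUser = null` makes the requestee restriction in the `@@ -227,7 +238,7 @@` hunk fail open, because any caller for whom `getCurrentUser()` throws is treated as "not the requestee" and passes that check. The visible lines never establish that such a caller is the external recipient named on this feedback request. Unless a check outside these hunks does that, the null case needs its own explicit authorization decision instead of inheriting the default `false`. At minimum the catch block should carry a comment such as `// No MemberProfile for this caller (e.g. external recipient); absence of a profile is not itself an authorization`. The body of `update` starts and ends outside the hunk.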
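Review bot: In the `@@ -210,6 +219,8 @@` hunk, the brace-less one-line `if (currentUser != null) currentUserEqualsRequestee = ...;` combined with a mutable flag pre-initialised to `false` further up obscures the default that the permission check relies on. A single declaration at this point states the null case in one expression: `final boolean currentUserEqualsRequestee = currentUser != null && currentUser.getId().equals(originalFeedback.getRequesteeId());`. The earlier `boolean currentUserEqualsRequestee = false;` line would then be dropped. The enclosing `update` method extends beyond the hunk on both sides.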
@@ -292,8 +303,9 @@ public FeedbackRequest update(FeedbackRequestUpdateDTO feedbackRequestUpdateDTO) sendNewRequestEmail(storedRequest); } + boolean currentUserSameAsRequestee = currentUser != null && currentUser.getId().equals(requestee.getId()); // Send self-review completion email to supervisor and pdl if appropriate - if (currentUserServices.getCurrentUser().getId().equals(requestee.getId())) { + if (currentUserSameAsRequestee) { sendSelfReviewCompletionEmailToSupervisor(feedbackRequest); } diff --git a/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java b/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java index 10b4c6b2e..53841d8c3 100644 --- a/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java +++ b/server/src/test/java/com/objectcomputing/checkins/services/feedback_request/FeedbackRequestControllerTest.java 
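Review bot: `currentUserSameAsRequestee` is a second flag with nearly the same name as `currentUserEqualsRequestee`, but it is computed against `requestee.getId()` rather than `originalFeedback.getRequesteeId()`. If `requestee` is loaded from that same id (its definition is outside the hunk), the earlier flag can be reused here and this line removed. If the two ids can differ, a short comment such as `// requestee of the stored request, not of the pre-update record` would keep the permission flag and the e-mail flag from being confused later.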
@@ -1690,6 +1690,25 @@ void testUpdateStatusAndSubmitDateAuthorizedByRecipient() { assertResponseEqualsEntity(feedbackReq, response.getBody().get()); } + @Test + void testUpdateStatusAndSubmitDateAuthorizedByExternalRecipient() { + MemberProfile pdlMemberProfile = createADefaultMemberProfile(); + assignPdlRole(pdlMemberProfile); + MemberProfile employeeMemberProfile = createADefaultMemberProfileForPdl(pdlMemberProfile); + final FeedbackExternalRecipient externalRecipient01 = createADefaultFeedbackExternalRecipient(); + + final FeedbackRequest feedbackReq = saveFeedbackRequest(pdlMemberProfile, employeeMemberProfile, externalRecipient01); + feedbackReq.setStatus("complete"); + final FeedbackRequestUpdateDTO dto = updateDTO(feedbackReq); + + final HttpRequest request = HttpRequest.PUT("", dto); + final HttpResponse response = clientExternalRecipient.toBlocking().exchange(request, FeedbackRequestResponseDTO.class); + + assertEquals(HttpStatus.OK, response.getStatus()); + assertTrue(response.getBody().isPresent()); + assertResponseEqualsEntity(feedbackReq, response.getBody().get()); + } + @Test void testUpdateStatusAuthorizedByCreator() { MemberProfile pdlMemberProfile = createADefaultMemberProfile();
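Review bot: Only the allowed path is covered here: an external recipient sets `complete` and gets `HttpStatus.OK`. Nothing asserts that the relaxed identity handling in `update` still rejects a caller who should not be able to change this request. A companion test would pin that boundary by sending the same PUT through `clientExternalRecipient` for a feedback request saved for a different external recipient and asserting that the exchange does not succeed. The exact expected status is not visible on this page. The method name also says `StatusAndSubmitDate` while the body only calls `setStatus("complete")`, so either the name or the body should be adjusted.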