topcoder-archive · skyhit · Jun 20, 2017 · Jun 15, 2017 · Jun 15, 2017 · Jun 16, 2017
diff --git a/actions/challenges.js b/actions/challenges.js
@@ -80,8 +80,8 @@
  * Changes in 1.31:
  * - Remove screeningScorecardId and reviewScorecardId from search challenges api.
  * Changes in 1.32:
- * - validateChallenge function now checks if an user belongs to a group via
- *   user_group_xref for old challenges and by calling V3 API for new ones.
+ * - validateChallenge, getRegistrants, getChallenge, getSubmissions and getPhases functions now check 
+ *   if an user belongs to a group via user_group_xref for old challenges and by calling V3 API for new ones.
  */
 "use strict";
 /*jslint stupid: true, unparam: true, continue: true, nomen: true */
@@ -1081,19 +1081,20 @@ var getChallenge = function (api, connection, dbConnectionMap, isStudio, next) {
             };
 
             // Do the private check.
+            api.challengeHelper.checkUserChallengeEligibility(
+                connection, 
+                connection.params.challengeId, 
+                cb
+            );
+        }, function (cb) {
             api.dataAccess.executeQuery('check_is_related_with_challenge', sqlParams, dbConnectionMap, cb);
         }, function (result, cb) {
-            if (result[0].is_private && !result[0].has_access) {
-                cb(new UnauthorizedError('The user is not allowed to visit the challenge.'));
-                return;
-            }
-
             if (result[0].is_manager) {
                 isManager = true;
             }
 
             // If the user has the access to the challenge or is a resource for the challenge then he is related with this challenge.
-            if (result[0].has_access || result[0].is_related || isManager || helper.isAdmin(caller)) {
+            if (result[0].is_private || result[0].is_related || isManager || helper.isAdmin(caller)) {
                 isRelated = true;
             }
 
@@ -3342,33 +3343,32 @@ var getRegistrants = function (api, connection, dbConnectionMap, isStudio, next)
             };
 
             // Do the private check.
-            api.dataAccess.executeQuery('check_is_related_with_challenge', sqlParams, dbConnectionMap, cb);
-        }, function (result, cb) {
-            if (result[0].is_private && !result[0].has_access) {
-                cb(new UnauthorizedError('The user is not allowed to visit the challenge.'));
-                return;
-            }
-
+            api.challengeHelper.checkUserChallengeEligibility(
+                connection, 
+                connection.params.challengeId, 
+                cb
+            );
+        }, function (cb) {
             api.dataAccess.executeQuery('challenge_registrants', sqlParams, dbConnectionMap, cb);
         }, function (results, cb) {
             var mapRegistrants = function (results) {
-                    if (!_.isDefined(results)) {
-                        return [];
+                if (!_.isDefined(results)) {
+                    return [];
+                }
+                return _.map(results, function (item) {
+                    var registrant = {
+                        handle: item.handle,
+                        reliability: !_.isDefined(item.reliability) ? "n/a" : item.reliability + "%",
+                        registrationDate: formatDate(item.inquiry_date),
+                        submissionDate: formatDate(item.submission_date)
+                    };
+                    if (!isStudio) {
+                        registrant.rating = item.rating;
+                        registrant.colorStyle = helper.getColorStyle(item.rating);
                     }
-                    return _.map(results, function (item) {
-                        var registrant = {
-                            handle: item.handle,
-                            reliability: !_.isDefined(item.reliability) ? "n/a" : item.reliability + "%",
-                            registrationDate: formatDate(item.inquiry_date),
-                            submissionDate: formatDate(item.submission_date)
-                        };
-                        if (!isStudio) {
-                            registrant.rating = item.rating;
-                            registrant.colorStyle = helper.getColorStyle(item.rating);
-                        }
-                        return registrant;
-                    });
-                };
+                    return registrant;
+                });
+            };
             registrants = mapRegistrants(results);
             cb();
         }
@@ -3440,18 +3440,16 @@ var getSubmissions = function (api, connection, dbConnectionMap, isStudio, next)
                 submission_type: [helper.SUBMISSION_TYPE.challenge.id, helper.SUBMISSION_TYPE.checkpoint.id]
             };
 
-            async.parallel({
-                privateCheck: execQuery("check_is_related_with_challenge"),
-                challengeStatus: execQuery("get_challenge_status")
-            }, cb);
-        }, function (result, cb) {
-            if (result.privateCheck[0].is_private && !result.privateCheck[0].has_access) {
-                cb(new UnauthorizedError('The user is not allowed to visit the challenge.'));
-                return;
-            }
-
+            api.challengeHelper.checkUserChallengeEligibility(
+                connection, 
+                connection.params.challengeId, 
+                cb
+            );
+        }, 
+        execQuery("get_challenge_status"),
+        function (result, cb) {
             // If the caller is not admin and challenge status is still active.
-            if (!helper.isAdmin(caller) && result.challengeStatus[0].challenge_status_id === 1) {
+            if (!helper.isAdmin(caller) && result[0].challenge_status_id === 1) {
                 cb(new BadRequestError("The challenge is not finished."));
                 return;
             }
@@ -3567,13 +3565,12 @@ var getPhases = function (api, connection, dbConnectionMap, isStudio, next) {
             };
 
             // Do the private check.
-            api.dataAccess.executeQuery('check_is_related_with_challenge', sqlParams, dbConnectionMap, cb);
-        }, function (result, cb) {
-            if (result[0].is_private && !result[0].has_access) {
-                cb(new UnauthorizedError('The user is not allowed to visit the challenge.'));
-                return;
-            }
-
+            api.challengeHelper.checkUserChallengeEligibility(
+                connection, 
+                connection.params.challengeId, 
+                cb
+            );
+        }, function (cb) {
             var execQuery = function (name) {
                 return function (cbx) {
                     api.dataAccess.executeQuery(name, sqlParams, dbConnectionMap, cbx);

diff --git a/db_scripts/test_eligibility.insert.sql b/db_scripts/test_eligibility.insert.sql
@@ -150,6 +150,28 @@ INSERT INTO project_info (project_id, project_info_type_id, value, create_user,
 INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
 	VALUES (1110005, 2, "3330333", "132456", CURRENT, "132456", CURRENT);
 
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110001, 6, "Not private", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110002, 6, "Old logic - access allowed", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110003, 6, "Old logic - access denied", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110004, 6, "New logic - access allowed", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110005, 6, "New logic - access denied", "132456", CURRENT, "132456", CURRENT);
+
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110001, 26, "---", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110002, 26, "---", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110003, 26, "---", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110004, 26, "---", "132456", CURRENT, "132456", CURRENT);
+INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+	VALUES (1110005, 26, "---", "132456", CURRENT, "132456", CURRENT);
+
 INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
 	VALUES (1110001, 6, 3330333, "Not private", CURRENT, "132456", CURRENT);
 INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
@@ -162,6 +184,7 @@ INSERT INTO project_info (project_id, project_info_type_id, value, create_user,
 	VALUES (1110005, 6, 3330333, "New logic - access denied", CURRENT, "132456", CURRENT);
 
 INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
+>>>>>>> upstream/dev
 	VALUES (1110001, 79, "---", "132456", CURRENT, "132456", CURRENT);
 INSERT INTO project_info (project_id, project_info_type_id, value, create_user, create_date, modify_user, modify_date)
 	VALUES (1110002, 79, "---", "132456", CURRENT, "132456", CURRENT);

diff --git a/docs/Verification_Guide-Improve Challenge Visibility Control.doc b/docs/Verification_Guide-Improve Challenge Visibility Control.doc
diff --git a/initializers/challengeHelper.js b/initializers/challengeHelper.js
@@ -374,7 +374,7 @@ exports.challengeHelper = function (api, next) {
                     } else if (connection.caller.accessLevel === "anon") {
                         next(new UnauthorizedError());
                     } else {
-                        next(new ForbiddenError());
+                        next(new ForbiddenError('The user is not allowed to visit the challenge.'));
                     }
                 });
             });

diff --git a/queries/check_is_related_with_challenge b/queries/check_is_related_with_challenge
@@ -2,21 +2,21 @@ SELECT
 (SELECT
     max(1)
   FROM contest_eligibility ce
-  INNER JOIN group_contest_eligibility gce ON gce.contest_eligibility_id = ce.contest_eligibility_id
-  LEFT JOIN user_group_xref ugx ON ugx.group_id = gce.group_id
   WHERE ce.contest_id = @challengeId@
-  AND ((ugx.login_id = @user_id@ AND gce.group_id < 2000000) OR gce.group_id >= 2000000)) AS has_access
-, (SELECT
-    1
-  FROM contest_eligibility ce
-  WHERE ce.contest_id = @challengeId@) AS is_private
-, (
-  SELECT 
+) AS is_private
+, (SELECT 
     decode(max(ri.value), null, null, 1)
   FROM resource r
-  INNER JOIN resource_info ri ON ri.resource_id = r.resource_id AND ri.resource_info_type_id = 1
+    INNER JOIN resource_info ri ON ri.resource_id = r.resource_id AND ri.resource_info_type_id = 1
   WHERE r.project_id = @challengeId@
-  AND ri.value = @user_id@) AS is_related
-, (SELECT max(project_metadata_id) FROM direct_project_metadata m, project p 
-         WHERE metadata_value = @user_id@ AND p.tc_direct_project_id = m.tc_direct_project_id and p.project_id = @challengeId@ AND project_metadata_key_id IN (1, 2, 14)) AS is_manager
+    AND ri.value = @user_id@
+) AS is_related
+, (SELECT 
+    max(project_metadata_id) 
+  FROM direct_project_metadata m, project p 
+  WHERE metadata_value = @user_id@ 
+    AND p.tc_direct_project_id = m.tc_direct_project_id 
+    AND p.project_id = @challengeId@ 
+    AND project_metadata_key_id IN (1, 2, 14)
+) AS is_manager
 FROM dual