
Commit 5452bfa

authored
Merge pull request #475 from bcgsc/feature/DEVSU-2815-make-create-report-access-project-specific
Feature/devsu 2815 make create report access project specific
2 parents c16035a + be21607 commit 5452bfa


2 files changed

+34
-1
lines changed


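--- a/app/routes/report/report.js
+++ b/app/routes/report/report.js
@@ -362,6 +362,23 @@ router.route('/')
 const {
 query: {ignore_extra_fields, upload_contents},
 } = req;
+
+let userProjects;
+try {
+userProjects = await getUserProjects(db.models.project, req.user);
+userProjects = userProjects.map((proj) => {
+return proj.name;
+});
+} catch (error) {
+const message = `Error while trying to get project access ${error}`;
+logger.error(message);
+return res.status(HTTP_STATUS.INTERNAL_SERVER_ERROR).json({error: {message}});
+}
+
+if (req.body.project && !userProjects.includes(req.body.project)) {
+return res.status(HTTP_STATUS.FORBIDDEN).json({error: `User does not have access to project ${req.body.project}`});
+}
+
 if (req.body.sampleInfo) {
 // Clean sampleInfo input
 const cleanSampleInfo = [];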
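Review bot: The access check on new line 378 runs only when `req.body.project` is truthy, so a request that omits the field or sends an empty string is never compared against the user's projects and the new restriction does not apply to it; the same guard appears in reportAsync.js. Whether that is acceptable depends on whether the upload schema (outside this hunk) makes `project` required — if it does not, the guard should reject a missing project as well, e.g. `if (!req.body.project || !userProjects.includes(req.body.project)) {`. The 403 body also returns a bare string under `error` while the 500 branch just above returns `{error: {message}}`; `{error: {message: \`User does not have access to project ${req.body.project}\`}}` would keep the two shapes consistent for clients. The enclosing route handler starts and ends outside the hunk, and since this file's only change is this hunk, `getUserProjects` and `db` are presumably already in scope in report.js — worth confirming.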

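--- a/app/routes/report/reportAsync.js
+++ b/app/routes/report/reportAsync.js
@@ -4,12 +4,13 @@ const {v4: uuidv4} = require('uuid');
 const reportAsyncMiddleware = require('../../middleware/reportAsync');
 
 const {addJobToReportQueue} = require('../../queue');
-
+const db = require('../../models');
 const logger = require('../../log');
 
 const router = express.Router({mergeParams: true});
 
 const validateAgainstSchema = require('../../libs/validateAgainstSchema');
+const {getUserProjects} = require('../../libs/helperFunctions');
 
 // Generate schema's
 const reportUploadSchema = require('../../schemas/report/reportUpload')(true);
@@ -24,6 +25,21 @@ router.route('/')
 query: {ignore_extra_fields},
 } = req;
 
+let userProjects;
+try {
+userProjects = await getUserProjects(db.models.project, req.user);
+userProjects = userProjects.map((proj) => {
+return proj.name;
+});
+} catch (error) {
+const message = `Error while trying to get project access ${error}`;
+logger.error(message);
+return res.status(HTTP_STATUS.INTERNAL_SERVER_ERROR).json({error: {message}});
+}
+
+if (req.body.project && !userProjects.includes(req.body.project)) {
+return res.status(HTTP_STATUS.FORBIDDEN).json({error: `User does not have access to project ${req.body.project}`});
+}
 if (req.body.sampleInfo) {
 // Clean sampleInfo input
 const cleanSampleInfo = [];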
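Review bot: The fifteen lines added at new lines 28-42 are a verbatim copy of the block added to report.js in the same commit, so the project-access rule now lives in two places that can drift apart; a small shared function in `libs/helperFunctions` (or an Express middleware) that resolves the user's project names and sends the 403 would let both routes call one line. Within the block, the `map` callback reduces to `userProjects.map((proj) => proj.name)`, and interpolating the caught error into the message with `${error}` keeps only its string form — if the logger accepts an error object, passing it alongside the message would preserve the stack. The route handler this hunk sits in starts and ends outside the hunk.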
