Commit 391d22f5 authored by Tamlyn Rhodes's avatar Tamlyn Rhodes

fix: add authorisation to review endpoint

parent 5c861e9e
......@@ -5,6 +5,8 @@ const logger = require('@pubsweet/logger')
const User = require('pubsweet-server/src/models/User')
const Fragment = require('pubsweet-server/src/models/Fragment')
const Collection = require('pubsweet-server/src/models/Collection')
const authsome = require('pubsweet-server/src/helpers/authsome')
const AuthorizationError = require('pubsweet-server/src/errors/AuthorizationError')
const options = config.get('mailer.transport')
const transport = nodemailer.createTransport(options)
......@@ -16,24 +18,31 @@ module.exports = app => {
const project = await Collection.find(req.body.projectId)
const authors = await Promise.all(version.owners.map(id => User.find(id)))
version.decision = req.body.decision
await version.save()
const canViewVersion = await authsome.can(req.user, 'GET', version)
const canPatchVersion = await authsome.can(req.user, 'PATCH', version)
if (!canPatchVersion || !canViewVersion) throw new AuthorizationError()
let versionUpdateData = { rev: version.rev, decision: req.body.decision }
if (canPatchVersion.filter) {
versionUpdateData = canPatchVersion.filter(versionUpdateData)
}
await version.updateProperties(versionUpdateData)
let nextVersion
let nextVersionData
let projectUpdateData = { rev: project.rev }
let message
switch (version.decision.recommendation) {
case 'accept':
project.status = 'accepted'
projectUpdateData.status = 'accepted'
message = 'Your manuscript has been accepted'
break
case 'reject':
project.status = 'rejected'
projectUpdateData.status = 'rejected'
message = 'Your manuscript has been rejected'
break
case 'revise': {
project.status = 'revising'
projectUpdateData.status = 'revising'
message = 'Revisions to your manuscript have been requested'
const cloned = pick(version, [
......@@ -44,13 +53,12 @@ module.exports = app => {
'files',
'notes',
])
nextVersion = new Fragment({
nextVersionData = {
fragmentType: 'version',
created: new Date(),
...cloned,
version: version.version + 1,
})
await nextVersion.save()
}
break
}
......@@ -59,7 +67,35 @@ module.exports = app => {
throw new Error('Unknown decision type')
}
await project.save()
let nextVersion
let canViewNextVersion
if (nextVersionData) {
const canCreateVersion = await authsome.can(
req.user,
'POST',
nextVersionData,
)
if (!canCreateVersion) throw new AuthorizationError()
if (canCreateVersion.filter) {
nextVersionData = canCreateVersion.filter(nextVersionData)
}
nextVersion = new Fragment(nextVersionData)
canViewNextVersion = await authsome.can(req.user, 'GET', nextVersion)
}
const canViewProject = await authsome.can(req.user, 'GET', project)
const canPatchProject = await authsome.can(req.user, 'PATCH', project)
if (!canPatchProject || !canViewProject) throw new AuthorizationError()
if (canPatchProject.filter) {
projectUpdateData = canPatchProject.filter(projectUpdateData)
}
await project.updateProperties(projectUpdateData)
await Promise.all([
version.save(),
project.save(),
nextVersion && nextVersion.save(),
])
const authorEmails = authors.map(user => user.email)
logger.info(`Sending decision email to ${authorEmails}`)
......@@ -70,7 +106,18 @@ module.exports = app => {
text: message,
})
res.send({ version, project, nextVersion })
res.send({
version: canViewVersion.filter
? canViewVersion.filter(version)
: version,
project: canViewProject.filter
? canViewProject.filter(project)
: project,
nextVersion:
canViewNextVersion && canViewNextVersion.filter
? canViewNextVersion.filter(nextVersion)
: nextVersion,
})
} catch (err) {
next(err)
}
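Review bot: The permission result computed at the end of the `if (nextVersionData)` block, `canViewNextVersion = await authsome.can(req.user, 'GET', nextVersion)`, is never enforced: a falsy result is not rejected, and the response builder in the last hunk falls through to the `: nextVersion` branch, so a caller who is allowed to POST the next version but not to GET it still receives it unfiltered in the response. The other two GET checks in this handler throw on a falsy result, so the same treatment belongs here: `if (!canViewNextVersion) throw new AuthorizationError()` directly after that assignment, which still sits before the `Promise.all` of saves; a weaker but consistent alternative is to omit `nextVersion` from the response when the check fails. Separately, if `version.decision = req.body.decision` in the second hunk survives on the new side, `switch (version.decision.recommendation)` branches on the raw request body rather than on what `canPatchVersion.filter` let through, and a request without `decision` reaches that switch as a TypeError rather than a client error; the rendered page does not show whether that line is context or removed. The enclosing route handler begins and ends outside the hunks shown.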