Fix curator permissions for removing projects

699e30de · Paul Kaplan · c3d266f3 · 699e30de · 699e30de · 699e30de
Commit 699e30de authored May 03, 2021 by Paul Kaplan
5 changed files
--- a/src/redux/studio-permissions.js
+++ b/src/redux/studio-permissions.js
-const {selectUserId, selectIsAdmin, selectIsSocial, selectIsLoggedIn} = require('./session');
+const {selectUserId, selectIsAdmin, selectIsSocial, selectIsLoggedIn, selectUsername} = require('./session');

 // Fine-grain selector helpers - not exported, use the higher level selectors below
 const isCreator = state => selectUserId(state) === state.studio.owner;
@@ -36,8 +36,19 @@ const selectCanRemoveManager = (state, managerId) =>
    (selectIsAdmin(state) || isManager(state)) && managerId !== state.studio.owner;
 const selectCanPromoteCurators = state => isManager(state);

-// TODO this permission needs to account for who added the project
-const selectCanRemoveProjects = state => isCurator(state) || isManager(state) || selectIsAdmin(state);
+const selectCanRemoveProject = (state, creatorUsername, actorId) => {
+    // Admins/managers can remove any projects
+    if (isManager(state) || selectIsAdmin(state)) return true;
+    // Project owners can always remove their projects
+    if (selectUsername(state) === creatorUsername) {
+        return true;
+    }
+    // Curators can remove projects they added
+    if (isCurator(state)) {
+        return selectUserId(state) === actorId;
+    }
+    return false;
+};

 export {
    selectCanEditInfo,
@@ -55,5 +66,5 @@ export {
    selectCanRemoveCurators,
    selectCanRemoveManager,
    selectCanPromoteCurators,
-    selectCanRemoveProjects
+    selectCanRemoveProject
 };
--- a/src/views/studio/studio-project-tile.jsx
+++ b/src/views/studio/studio-project-tile.jsx
@@ -4,7 +4,7 @@ import PropTypes from 'prop-types';
 import {connect} from 'react-redux';
 import classNames from 'classnames';

-import {selectCanRemoveProjects} from '../../redux/studio-permissions';
+import {selectCanRemoveProject} from '../../redux/studio-permissions';
 import {removeProject} from './lib/studio-project-actions';

 const StudioProjectTile = ({
@@ -73,8 +73,8 @@ StudioProjectTile.propTypes = {
    avatar: PropTypes.string
 };

-const mapStateToProps = state => ({
-    canRemove: selectCanRemoveProjects(state)
+const mapStateToProps = (state, ownProps) => ({
+    canRemove: selectCanRemoveProject(state, ownProps.username, ownProps.addedBy)
 });

 const mapDispatchToProps = ({

--- a/src/views/studio/studio-projects.jsx
+++ b/src/views/studio/studio-projects.jsx
@@ -36,6 +36,7 @@ const StudioProjects = ({
                        image={item.image}
                        avatar={item.avatar['90x90']}
                        username={item.username}
+                        addedBy={item.actor_id}
                    />)
                )}
                <div className="studio-projects-load-more">

--- a/test/helpers/state-fixtures.json
+++ b/test/helpers/state-fixtures.json
@@ -30,7 +30,8 @@
        "user1Social": {
            "session": {
                "user": {
-                    "id": 1
+                    "id": 1,
+                    "username": "user1-username"
                },
                "permissions": {
                    "social": true

--- a/test/unit/redux/studio-permissions.test.js
+++ b/test/unit/redux/studio-permissions.test.js
@@ -14,11 +14,11 @@ import {
    selectCanRemoveCurators,
    selectCanRemoveManager,
    selectCanPromoteCurators,
-    selectCanRemoveProjects
+    selectCanRemoveProject
 } from '../../../src/redux/studio-permissions';

 import {getInitialState as getInitialStudioState} from '../../../src/redux/studio';
-import {getInitialState as getInitialSessionState} from '../../../src/redux/session';
+import {getInitialState as getInitialSessionState, selectUserId, selectUsername} from '../../../src/redux/session';
 import {sessions, studios} from '../../helpers/state-fixtures.json';

 let state;
@@ -111,19 +111,34 @@ describe('studio projects', () => {
    describe('can remove projects', () => {
        test.each([
            ['admin', true],
-            ['curator', true],
+            ['curator', false], // false for projects that were not added by them, see below
            ['manager', true],
            ['creator', true],
-            ['logged in', false],
+            ['logged in', false], // false for projects that are not theirs, see below
            ['unconfirmed', false],
            ['logged out', false]
        ])('%s: %s', (role, expected) => {
            setStateByRole(role);
-            expect(selectCanRemoveProjects(state)).toBe(expected);
+            expect(selectCanRemoveProject(state, 'not-me', 'not-me')).toBe(expected);
+        });
+
+        test('curators can remove projects they added', () => {
+            setStateByRole('curator');
+            const addedBy = selectUserId(state);
+            expect(selectCanRemoveProject(state, 'not-me', addedBy)).toBe(true);
+        });
+
+        test('curators can also remove projects they own that they did not add', () => {
+            setStateByRole('curator');
+            const creator = selectUsername(state);
+            expect(selectCanRemoveProject(state, creator, 'not-me')).toBe(true);
+        });
+
+        test('logged in users can only remove projects they own', () => {
+            setStateByRole('logged in');
+            const creator = selectUsername(state);
+            expect(selectCanRemoveProject(state, creator, 'not-me')).toBe(true);
        });
-        // TODO this permission is wrong, curators can only remove projects they added
-        test.skip('anyone can remove one of their projects', () => {});
-        test.skip('curators can remove only projects they', () => {});
    });
 });