Use "can write or review project content" authorization middleware (#23111)

GitOrigin-RevId: c5d1cb955e5833347f7e0c3610c5b8d768026478
2026-05-26 10:40:08 +02:00 · 2025-01-28 14:15:00 +01:00
parent ea918f3674
commit ff9ee2f5a9
5 changed files with 53 additions and 51 deletions
--- a/services/web/app/src/Features/Authorization/AuthorizationManager.js
+++ b/services/web/app/src/Features/Authorization/AuthorizationManager.js
@@ -202,6 +202,19 @@ async function canUserWriteProjectContent(userId, projectId, token) {
  )
 }

+async function canUserWriteOrReviewProjectContent(userId, projectId, token) {
+  const privilegeLevel = await getPrivilegeLevelForProject(
+    userId,
+    projectId,
+    token
+  )
+  return (
+    privilegeLevel === PrivilegeLevels.OWNER ||
+    privilegeLevel === PrivilegeLevels.READ_AND_WRITE ||
+    privilegeLevel === PrivilegeLevels.REVIEW
+  )
+}
+
 async function canUserWriteProjectSettings(userId, projectId, token) {
  const privilegeLevel = await getPrivilegeLevelForProject(
    userId,
@@ -273,23 +286,12 @@ async function canUserDeleteOrResolveThread(
  return comment.metadata.user_id === userId
 }

-async function canUserSendOrReopenComment(userId, projectId, token) {
-  const privilegeLevel = await getPrivilegeLevelForProject(
-    userId,
-    projectId,
-    token
-  )
-  return (
-    privilegeLevel === PrivilegeLevels.OWNER ||
-    privilegeLevel === PrivilegeLevels.READ_AND_WRITE ||
-    privilegeLevel === PrivilegeLevels.REVIEW
-  )
-}
-
 module.exports = {
  canUserReadProject: callbackify(canUserReadProject),
  canUserWriteProjectContent: callbackify(canUserWriteProjectContent),
-  canUserSendOrReopenComment: callbackify(canUserSendOrReopenComment),
+  canUserWriteOrReviewProjectContent: callbackify(
+    canUserWriteOrReviewProjectContent
+  ),
  canUserDeleteOrResolveThread: callbackify(canUserDeleteOrResolveThread),
  canUserWriteProjectSettings: callbackify(canUserWriteProjectSettings),
  canUserRenameProject: callbackify(canUserRenameProject),
@@ -301,7 +303,7 @@ module.exports = {
  promises: {
    canUserReadProject,
    canUserWriteProjectContent,
-    canUserSendOrReopenComment,
+    canUserWriteOrReviewProjectContent,
    canUserDeleteOrResolveThread,
    canUserWriteProjectSettings,
    canUserRenameProject,
--- a/services/web/app/src/Features/Authorization/AuthorizationMiddleware.js
+++ b/services/web/app/src/Features/Authorization/AuthorizationMiddleware.js
@@ -132,32 +132,6 @@ async function ensureUserCanDeleteOrResolveThread(req, res, next) {
  return HttpErrorHandler.forbidden(req, res)
 }

-async function ensureUserCanSendOrReopenComment(req, res, next) {
-  const projectId = _getProjectId(req)
-  const userId = _getUserId(req)
-  const token = TokenAccessHandler.getRequestToken(req, projectId)
-
-  const canSendOrReopenComment =
-    await AuthorizationManager.promises.canUserSendOrReopenComment(
-      userId,
-      projectId,
-      token
-    )
-  if (canSendOrReopenComment) {
-    logger.debug(
-      { userId, projectId },
-      'allowing user to send or reopen a comment'
-    )
-    return next()
-  }
-
-  logger.debug(
-    { userId, projectId },
-    'denying user to send or reopen a comment'
-  )
-  return HttpErrorHandler.forbidden(req, res)
-}
-
 async function ensureUserCanWriteProjectContent(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
@@ -182,6 +156,32 @@ async function ensureUserCanWriteProjectContent(req, res, next) {
  HttpErrorHandler.forbidden(req, res)
 }

+async function ensureUserCanWriteOrReviewProjectContent(req, res, next) {
+  const projectId = _getProjectId(req)
+  const userId = _getUserId(req)
+  const token = TokenAccessHandler.getRequestToken(req, projectId)
+
+  const canWriteOrReviewProjectContent =
+    await AuthorizationManager.promises.canUserWriteOrReviewProjectContent(
+      userId,
+      projectId,
+      token
+    )
+  if (canWriteOrReviewProjectContent) {
+    logger.debug(
+      { userId, projectId },
+      'allowing user write or review access to project content'
+    )
+    return next()
+  }
+
+  logger.debug(
+    { userId, projectId },
+    'denying user write or review access to project content'
+  )
+  return HttpErrorHandler.forbidden(req, res)
+}
+
 async function ensureUserCanAdminProject(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
@@ -277,15 +277,15 @@ module.exports = {
  ensureUserCanWriteProjectSettings: expressify(
    ensureUserCanWriteProjectSettings
  ),
-  ensureUserCanSendOrReopenComment: expressify(
-    ensureUserCanSendOrReopenComment
-  ),
  ensureUserCanDeleteOrResolveThread: expressify(
    ensureUserCanDeleteOrResolveThread
  ),
  ensureUserCanWriteProjectContent: expressify(
    ensureUserCanWriteProjectContent
  ),
+  ensureUserCanWriteOrReviewProjectContent: expressify(
+    ensureUserCanWriteOrReviewProjectContent
+  ),
  ensureUserCanAdminProject: expressify(ensureUserCanAdminProject),
  ensureUserIsSiteAdmin: expressify(ensureUserIsSiteAdmin),
  restricted,
--- a/services/web/app/src/Features/History/HistoryRouter.mjs
+++ b/services/web/app/src/Features/History/HistoryRouter.mjs
@@ -138,12 +138,12 @@ function apply(webRouter, privateApiRouter) {
  )
  webRouter.post(
    '/project/:Project_id/labels',
-    AuthorizationMiddleware.ensureUserCanWriteProjectContent,
+    AuthorizationMiddleware.ensureUserCanWriteOrReviewProjectContent,
    HistoryController.createLabel
  )
  webRouter.delete(
    '/project/:Project_id/labels/:label_id',
-    AuthorizationMiddleware.ensureUserCanWriteProjectContent,
+    AuthorizationMiddleware.ensureUserCanWriteOrReviewProjectContent,
    HistoryController.deleteLabel
  )

--- a/services/web/test/unit/src/Authorization/AuthorizationManagerTests.js
+++ b/services/web/test/unit/src/Authorization/AuthorizationManagerTests.js
@@ -453,7 +453,7 @@ describe('AuthorizationManager', function () {
    tokenReadOnly: true,
  })

-  testPermission('canUserSendOrReopenComment', {
+  testPermission('canUserWriteOrReviewProjectContent', {
    siteAdmin: true,
    owner: true,
    readAndWrite: true,
--- a/services/web/test/unit/src/Authorization/AuthorizationMiddlewareTests.js
+++ b/services/web/test/unit/src/Authorization/AuthorizationMiddlewareTests.js
@@ -25,7 +25,7 @@ describe('AuthorizationMiddleware', function () {
        canUserReadProject: sinon.stub(),
        canUserWriteProjectSettings: sinon.stub(),
        canUserWriteProjectContent: sinon.stub(),
-        canUserSendOrReopenComment: sinon.stub(),
+        canUserWriteOrReviewProjectContent: sinon.stub(),
        canUserDeleteOrResolveThread: sinon.stub(),
        canUserAdminProject: sinon.stub(),
        canUserRenameProject: sinon.stub(),
@@ -86,10 +86,10 @@ describe('AuthorizationMiddleware', function () {
    )
  })

-  describe('ensureUserCanSendOrReopenComment', function () {
+  describe('ensureUserCanWriteOrReviewProjectContent', function () {
    testMiddleware(
-      'ensureUserCanSendOrReopenComment',
-      'canUserSendOrReopenComment'
+      'ensureUserCanWriteOrReviewProjectContent',
+      'canUserWriteOrReviewProjectContent'
    )
  })