feat: update access requirements for exemplar identifications, WEB-939 (#591)

Author: pleary

lib/controllers/v2/exemplar_identifications_controller.js

@@ -9,7 +9,7 @@ const util = require( "../../util" );
 
 const ExemplarIdentificationsController = class ExemplarIdentificationsController {
   static async search( req ) {
-    if ( !req.userSession || ( req.userSession && !req.userSession.isAdmin ) ) {
+    if ( !req.userSession?.canViewExemplarIdentifications( ) ) {
       throw util.httpError( 401, "Unauthorized" );
     }
     let response = await ExemplarIdentificationsController.resultsForRequest( req );

lib/models/observation_preload.js

@@ -495,7 +495,7 @@ const ObservationPreload = class ObservationPreload {
     await ESModel.fetchBelongsTo( identifications, Identification, {
       foreignKey: "id", source: { excludes: ["observation", "taxon", "current_taxon"] }, forObs: true
     } );
-    if ( !req.userSession?.isAdmin ) {
+    if ( !req.userSession?.canViewExemplarIdentifications( ) ) {
       _.each( obs, o => {
         o.identifications = _.filter( _.map( o.identifications, "identification" ), _.identity );
       } );

lib/models/user.js

@@ -393,6 +393,7 @@ const User = class User extends Model {
       .field( "users.site_id" )
       .field( "users.confirmed_at" )
       .field( "users.created_at" )
+      .field( "users.test_groups" )
       .field( "places.name", "place_name" )
       .field( "places.ancestry", "place_ancestry" )
       .field( "preferences.value", "prefers_common_names" )
@@ -418,7 +419,8 @@ const User = class User extends Model {
       defaultsLoaded: true,
       prefersCommonNames: row.prefers_common_names !== "f",
       site_id: row.site_id,
-      created_at: moment( row.created_at )
+      created_at: moment( row.created_at ),
+      test_groups: []
     };
     if ( row.locale ) { defaults.locale = row.locale; }
     if ( row.is_admin ) { defaults.isAdmin = true; }
@@ -433,6 +435,7 @@ const User = class User extends Model {
           ? row.place_ancestry.split( "/" ).map( Number ) : []
       };
     }
+    if ( row.test_groups ) { defaults.test_groups = row.test_groups.split( "|" ); }
     defaults.taxonNamePriorities = await User.taxonNamePriorities( userID );
     return defaults;
   }

lib/user_session.js

@@ -43,6 +43,14 @@ const UserSession = class UserSession {
     this.siteID = await User.siteID( this.user_id );
     return this.siteID;
   }
+
+  canViewExemplarIdentifications( ) {
+    return this.isAdmin || (
+      !_.isEmpty( this.test_groups )
+        && _.includes( this.test_groups, "helpful-id-tips-reviewer" )
+        && _.includes( this.test_groups, "helpful-id-tips" )
+    );
+  }
 };
 
 module.exports = UserSession;

test/integration/v2/exemplar_identifications.js

@@ -1,18 +1,68 @@
 const { expect } = require( "chai" );
 const request = require( "supertest" );
 const jwt = require( "jsonwebtoken" );
+const sinon = require( "sinon" );
+const UserSession = require( "../../../lib/user_session" );
 const config = require( "../../../config" );
 
 describe( "ExemplarIdentifications", ( ) => {
   describe( "search", ( ) => {
-    const token = jwt.sign(
+    const adminToken = jwt.sign(
       { user_id: 1 },
       config.jwtSecret || "secret",
       { algorithm: "HS512" }
     );
+
+    const nonAdminToken = jwt.sign(
+      { user_id: 123 },
+      config.jwtSecret || "secret",
+      { algorithm: "HS512" }
+    );
+
+    it( "does not allow unauthenticated requests", function ( done ) {
+      request( this.app ).get( "/v2/exemplar_identifications" )
+        .set( "Content-Type", "application/json" )
+        .expect( 401, done );
+    } );
+
+    it( "does not allow non-admins that are not in relevant test groups", function ( done ) {
+      request( this.app ).get( "/v2/exemplar_identifications" )
+        .set( "Authorization", nonAdminToken )
+        .set( "Content-Type", "application/json" )
+        .expect( 401, done );
+    } );
+
+    it( "does not allow non-admins that not in all relevant test groups", function ( done ) {
+      sinon.stub( UserSession.prototype, "extend" )
+        .callsFake( function ( ) {
+          this.test_groups = ["helpful-id-tips"];
+        } );
+      request( this.app ).get( "/v2/exemplar_identifications" )
+        .set( "Authorization", nonAdminToken )
+        .set( "Content-Type", "application/json" )
+        .expect( 401, ( ) => {
+          UserSession.prototype.extend.restore( );
+          done( );
+        } );
+    } );
+
+    it( "allows non-admins that are in relevant test groups", function ( done ) {
+      sinon.stub( UserSession.prototype, "extend" )
+        .callsFake( function ( ) {
+          this.test_groups = ["helpful-id-tips-reviewer", "helpful-id-tips"];
+        } );
+      request( this.app ).get( "/v2/exemplar_identifications" )
+        .set( "Authorization", nonAdminToken )
+        .set( "Content-Type", "application/json" )
+        .expect( 200, ( ) => {
+          UserSession.prototype.extend.restore( );
+          done( );
+        } );
+    } );
+
     it( "returns JSON", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -25,7 +75,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can include include category_counts", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=3&include_category_counts=true" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -36,7 +86,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can include include category_controlled_terms", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?include_category_controlled_terms=true" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -47,7 +97,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by upvoted", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=3&upvoted=true&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -60,7 +110,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by downvoted", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=3&downvoted=true&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -73,7 +123,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by nominated", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=7&nominated=true&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -86,7 +136,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by not nominated", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=7&nominated=false&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -99,7 +149,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by query", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=7&q=unnominated&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {
@@ -112,7 +162,7 @@ describe( "ExemplarIdentifications", ( ) => {
 
     it( "can filter by term_value_id", function ( done ) {
       request( this.app ).get( "/v2/exemplar_identifications?direct_taxon_id=3&term_value_id=2&fields=all" )
-        .set( "Authorization", token )
+        .set( "Authorization", adminToken )
         .set( "Content-Type", "application/json" )
         .expect( "Content-Type", /json/ )
         .expect( res => {

test/user_session.js

@@ -0,0 +1,32 @@
+const { expect } = require( "chai" );
+const UserSession = require( "../lib/user_session" );
+
+describe( "UserSession", ( ) => {
+  describe( "canViewExemplarIdentifications", ( ) => {
+    it( "returns true for sessions in relevant test groups", ( ) => {
+      const userSession = new UserSession( {
+        test_groups: ["helpful-id-tips-reviewer", "helpful-id-tips"]
+      } );
+      expect( userSession.canViewExemplarIdentifications( ) ).to.be.true;
+    } );
+
+    it( "returns true for admin sessions", ( ) => {
+      const userSession = new UserSession( {
+        isAdmin: true
+      } );
+      expect( userSession.canViewExemplarIdentifications( ) ).to.be.true;
+    } );
+
+    it( "returns false for sessions not in all relevant test groups", ( ) => {
+      const userSession = new UserSession( {
+        test_groups: ["helpful-id-tips"]
+      } );
+      expect( userSession.canViewExemplarIdentifications( ) ).to.be.false;
+    } );
+
+    it( "returns false for sessions not in test groups", ( ) => {
+      const userSession = new UserSession( );
+      expect( userSession.canViewExemplarIdentifications( ) ).to.be.false;
+    } );
+  } );
+} );