Merge pull request #526 from COSC-499-W2023/525-access-deny-when-tryi…

…ng-to-access-video-through-submission-box-as-submission-box-owner
COSC-499-W2023 · Apr 2, 2024 · 401e244 · 401e244
2 parents 355c67f + 7d6d6ae
commit 401e244
Show file tree

Hide file tree

Showing 3 changed files with 165 additions and 2 deletions.
diff --git a/cypress/e2e/app/submission-box/detail/requestedDetail.cy.ts b/cypress/e2e/app/submission-box/detail/requestedDetail.cy.ts
@@ -227,4 +227,74 @@ describe('Requested Dashboard Details Page Tests', () => {
 
         cy.get('[data-cy="videoHolder"]').should('contain.text', 'Sorry, this submission box closed')
     })
+
+    it('should allow submission box owner to view video after submission', () => {
+        const submissionBoxTitle = 'very exciting submission box'
+        const videoTitle = 'Such video'
+
+        cy.task('getUserId', email).then((userId) => {
+            cy.task('createOneVideoAndRetrieveVideoId', { ownerId: userId, title: videoTitle }).then((videoId) => {
+                cy.task('getUserId', placeEmail).then((submissionBoxOwnerId) => {
+                    cy.task('createRequestSubmissionForUser', { userId, submissionBoxTitle, ownerId: submissionBoxOwnerId }).then(() => {
+                        cy.visit('/dashboard')
+
+                        cy.get('[data-cy="My Invitations"]')
+                        cy.wait(1000)
+                        cy.get('[data-cy="My Invitations"]').click()
+
+                        runWithRetry(() => {
+                            cy.get(`[data-cy="${ submissionBoxTitle }"]`)
+                            cy.wait(1000)
+                            cy.get(`[data-cy="${ submissionBoxTitle }"]`).click()
+
+                            // Assert redirection to submission box page
+                            cy.url().should('contain', 'submission-box')
+
+                            // Click 'Choose existing video' button
+                            cy.get('[data-cy="submit-existing"]').should('be.visible')
+                            cy.wait(1000)
+                            cy.get('[data-cy="submit-existing"]').should('be.visible').click()
+
+                            // Submit video
+                            cy.get('[data-cy="video-list"]').children().first().should('be.visible')
+                            cy.wait(1000)
+                            cy.get('[data-cy="video-list"]').children().first().should('be.visible').click()
+
+                            // Confirm submission
+                            cy.get('button').last().should('have.text', 'Yes')
+                            cy.wait(1000)
+                            cy.get('button').last().should('have.text', 'Yes').click()
+
+                            // Check that it is submitted
+                            cy.get('[data-cy="select-video-for-submission"]').should('not.exist')
+                            cy.get('[data-cy="video-player"]').should('exist').and('be.visible')
+                        })
+                    })
+                })
+
+                // Log out
+                runWithRetry(() => {
+                    cy.get('[data-cy="header-profile"]').click({ force: true })
+                    cy.get('[data-cy="sign-out-button"]').click({ force: true })
+                    cy.wait(2000)
+                })
+
+                // Log in as owner
+                cy.visit('/login')
+                cy.get('[data-cy=email]').type(placeEmail)
+                cy.get('[data-cy=password]').type(password)
+                cy.get('[data-cy=submit]').click()
+                cy.url({ timeout: TIMEOUT.EXTRA_LONG }).should('not.contain', 'login')
+
+                // Go to submission box detail
+                cy.get('[data-cy="Manage Boxes"]').click()
+                cy.get('[data-cy="submission-box-list"]').children().first().click()
+
+                // View video
+                cy.get('[data-cy="video-list"]').children().first().click()
+
+                cy.url({ timeout: TIMEOUT.EXTRA_LONG }).should('contain', `video/${ videoId }`)
+            })
+        })
+    })
 })
diff --git a/cypress/tasks/createRequestSubmissionForUser.ts b/cypress/tasks/createRequestSubmissionForUser.ts
@@ -3,13 +3,14 @@ import { v4 as uuidv4 } from 'uuid'
 
 type CreateSubmissionBoxWithEmailData = {
     userId: string
+    ownerId?: string
     submissionBoxTitle?: string
     submissionBoxDescription?: string
     closeDate?: Date
 }
 
 export default async function createRequestSubmissionForUser(props: CreateSubmissionBoxWithEmailData): Promise<string> {
-    const { userId } = props
+    const { userId, ownerId } = props
 
     const user = await prisma.user.findUniqueOrThrow({
         where: {
@@ -34,7 +35,7 @@ export default async function createRequestSubmissionForUser(props: CreateSubmis
     await prisma.submissionBoxManager.create({
         data: {
             submissionBoxId: newSubBox.id,
-            userId: fakeUser.id,
+            userId: ownerId ?? fakeUser.id,
             viewPermission: 'owner',
         },
     })

diff --git a/src/app/api/video/submit/route.ts b/src/app/api/video/submit/route.ts
@@ -88,6 +88,37 @@ export async function POST(req: NextRequest) {
             return NextResponse.json({ error: 'Submission box must still be open to be valid to submit to' }, { status: 403 })
         }
 
+        // Create whitelisted user for submission box owners and managers
+        const { id: whitelistedVideoId } = await prisma.videoWhitelist.findUniqueOrThrow({
+            where: {
+                videoId: videoId,
+            },
+            select: {
+                id: true,
+            },
+        })
+
+        const submissionBoxOwnerIds = (await prisma.submissionBoxManager.findMany({
+            where: {
+                submissionBoxId: {
+                    in: submissionBoxIds,
+                },
+            },
+            select: {
+                userId: true,
+            },
+        })).map(({ userId }) => userId)
+
+        const whiteListedUserCreateData = submissionBoxOwnerIds.map((userId) => ({
+            whitelistedUserId: userId,
+            whitelistedVideoId: whitelistedVideoId,
+        }))
+
+        await prisma.videoWhitelistedUser.createMany({
+            data: whiteListedUserCreateData,
+            skipDuplicates: true,
+        })
+
         // Create new SubmittedVideo if one doesn't already exist
         await prisma.submittedVideo.createMany({
             data: requestedSubmissionIds.map((id) =>  ({
@@ -171,6 +202,67 @@ export async function DELETE(req: NextRequest) {
             return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
         }
 
+        // Get submission box managers and owners
+        const requestedSubmissionManagers = (await prisma.submissionBoxManager.findMany({
+            where: {
+                submissionBoxId: {
+                    in: submissionBoxIds,
+                },
+            },
+            include: {
+                user: {
+                    select: {
+                        id: true,
+                    },
+                },
+            },
+        })).map(({ user }) => user.id)
+
+        // Find the submission box managers that still have permission
+        const remainedRequestedSubmissionManagers = (await prisma.submissionBoxManager.findMany({
+            where: {
+                userId: {
+                    in: requestedSubmissionManagers,
+                },
+                submissionBoxId: {},
+            },
+            select: {
+                user: {
+                    select: {
+                        id: true,
+                    },
+                },
+            },
+        })).map(({ user }) => user.id)
+
+        const whitelistedUserIdsToKeep = (await prisma.videoWhitelistedUser.findMany({
+            where: {
+                whitelistedUserId: {
+                    in: remainedRequestedSubmissionManagers,
+                },
+                whitelistedVideo: {
+                    videoId: videoId,
+                },
+            },
+            select: {
+                whitelistedUserId: true,
+            },
+        })).map(({ whitelistedUserId }) => whitelistedUserId)
+
+        const userIdToRemove = remainedRequestedSubmissionManagers.filter((userId) => !whitelistedUserIdsToKeep.includes(userId))
+
+        // Remove whitelisted users
+        await prisma.videoWhitelistedUser.deleteMany({
+            where: {
+                whitelistedUserId: {
+                    in: userIdToRemove,
+                },
+                whitelistedVideo: {
+                    videoId: videoId,
+                },
+            },
+        })
+
         // Delete any SubmittedVideos if they exist
         await prisma.submittedVideo.deleteMany({
             where: {