From b18a9813d8cf2ef858af05a4cb55fbdb5acef11c Mon Sep 17 00:00:00 2001
From: James Chang
Date: Tue, 28 Dec 2021 11:12:39 -0500
Subject: [PATCH] Fix issue with permissions to allow a PB creator to view his own non-public record
---
 backend/functions/schema.ts | 16 +++++++++++++---
 .../src/schema/models/personalBest/service.ts | 10 +++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/backend/functions/schema.ts b/backend/functions/schema.ts
index 57d14d3..6ceced1 100644
--- a/backend/functions/schema.ts
+++ b/backend/functions/schema.ts
@@ -1,8 +1,18 @@
 // Query builder (Typescript version >= 4.1.3 required)
-/* const queryResult = executeGiraffeql({
+const queryResult = executeGiraffeql({
 // Start typing here to get hints
-
-}); */
+ getUser: {
+ id: true,
+ name: true,
+ createdBy: {
+ id: true,
+ name: true,
+ },
+ __args: {
+ id: 9,
+ },
+ },
+});
 export function executeGiraffeql(
 query: GetQuery
diff --git a/backend/functions/src/schema/models/personalBest/service.ts b/backend/functions/src/schema/models/personalBest/service.ts
index 8846a5c..ef8b8f2 100644
--- a/backend/functions/src/schema/models/personalBest/service.ts
+++ b/backend/functions/src/schema/models/personalBest/service.ts
@@ -46,14 +46,18 @@ export class PersonalBestService extends PaginatedService {
 groupByFieldsMap = {};
 accessControl: AccessControlMap = {
- get: async ({ args, fieldPath }) => {
+ get: async ({ req, args, fieldPath }) => {
 // check the createdBy.isPublic to see if true
+ // OR if createdBy is current user
 const result = await this.lookupRecord(
- ["createdBy.isPublic"],
+ ["createdBy.isPublic", "createdBy.id"],
 args,
 fieldPath
 );
- return result["createdBy.isPublic"] === true;
+ return (
+ result["createdBy.isPublic"] === true ||
+ result["createdBy.id"] === req.user?.id
+ );
 },
 getMultiple: ({ req, args, query }) => {
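Review bot: The scratch query at the top of backend/functions/schema.ts is now live code instead of a comment, with a hard-coded `id: 9`, and it looks unrelated to the permission fix this commit describes. Unless it is intentional, restore the commented form (`/* const queryResult = executeGiraffeql({` … `}); */`) so that importing the module does not call `executeGiraffeql`. What that call does at runtime is not visible here, because the body of `executeGiraffeql` continues past the end of the hunk.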
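Review bot: The new owner check in `get` (personalBest/service.ts) compares `result["createdBy.id"]` with `req.user?.id` without first requiring an authenticated caller. For an anonymous request `req.user?.id` is `undefined`, so the comparison would grant access if the lookup ever yields `undefined` for `createdBy.id`. Whether `lookupRecord` can omit that key is not visible in this hunk, but the check should fail closed either way: `(req.user?.id != null && result["createdBy.id"] === req.user.id)`. The `getMultiple` handler continues past the end of the hunk, so it is worth confirming that it grants the same owner exemption; otherwise single-record and list access will disagree.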